11 comments

[ 4.6 ms ] story [ 31.5 ms ] thread
It's possible they changed it from "thisisunsafe" to the b64 version to avoid automatic scanners finding "unsafe" keyword usage.
I wonder if this is for quicker testing that happens recurringly (either automated or a poor soul doing it manually) where letting the phrase type by script is just easier than doing the 2 mouse clicks
Jesus Christ thank god for this! Recently libgen ceased to be accessible because of this and I couldn't figure out any way to disable (on Firefox as well!). Bless you.
Is this easier for screen readers to bypass?
If I want to load some unencrypted data my browser better fucking let me do it. I don't mind if I have to give a secret handshake, but I have no sympathy for lusers who type "thisisunsafe" and then make it someone else's problem when their expectations of "safety" are violated.
I've been using this a lot (when testing), but I wish firefox/mozilla had something equivalent, because with HSTS domains, it's hard to bypass cert issues in firefox.
Hey at least Chrome lets you can bypass SSL errors. Firefox makes it impossible to bypass SSL errors if the site uses HSTS. So much for the browser for power users.
I've found this useful periodically on desktop but I wonder how/if it would work on mobile if you don't have a physical keyboard attached.
Hey Chrome, give us a cheat code to permanently hide the close buttons on tabs.
It really is unsafe though, even beyond what many who generally understand the web may realize. There are various ways (from caches to more obscure ones) in which loading a web site insecurely once, even if you aren't logged in at that time, can affect you much later when you think you are safe.

If you ever do this, use a separate browser profile or incognito window. Don't use this just to e.g. get to a captive portal (use example.com or neverssl.com for that).

You only need the "cheat code" if the site is using HSTS, which suggests it's the production web site of something that has a reason to try to be secure. If you're in a separate dev envrionment (different origin), you probably won't have HSTS set.

For local development or browser-to-local-app communication, localhost counts as a secure origin even without HTTPS.