In the latest security baselines for Microsoft Edge v81, the setting "Allow users to proceed from the HTTPS warning page" is recommended to set as Disabled. Setting to Disabled prevents users from clicking through warning pages about invalid SSL certificates.
With this setting in place, users are prevented from accessing sites with expired SSL certificates, often due to an administrator forgetting to renew it. This happens fairly often to sites/services on the Internet, which of course is something my company cannot control. For example, earlier this year Microsoft forgot to renew a certificate for Teams that caused an outage. I can imagine this recommended setting has potential to cause a significant problem for organizations if users are unable to access a critical site because they are unable to bypass the SSL warning.
That leads me to a few questions:
- Given the risk of this setting blocking access to sites, why is this a recommended setting?
Does Microsoft have this setting set to "Disabled" internally? - Are any workarounds available for allowing bypass to specific sites, including when a certificate has expired?
- Some hotel Wi-Fi Internet access is only accessible after logging in via a captive portal page, which is sometimes hosted internally on RFC1918 private IP space and can not have a valid public certificate. How would users access the portal in order to connect to the Internet? Would they need to add the Certificate Authority to their Trusted Roots?
I'm struggling to see how many companies could implement this setting without increasing the risk of an outage by being unable to access a critical site.
