Edge - Bypass HTTPS Warning Page


In the latest security baselines for Microsoft Edge v81, the setting "Allow users to proceed from the HTTPS warning page" is recommended to be set to Disabled. Setting it to Disabled prevents users from clicking through warning pages about invalid SSL certificates.

With this setting in place, users are prevented from accessing sites with expired SSL certificates, often due to an administrator forgetting to renew it. This happens fairly often to sites/services on the Internet, which of course is something my company cannot control. For example, earlier this year Microsoft forgot to renew a certificate for Teams that caused an outage. I can imagine this recommended setting has potential to cause a significant problem for organizations if users are unable to access a critical site because they are unable to bypass the SSL warning.

That leads me to a few questions:

  1. Given the risk of this setting blocking access to sites, why is this a recommended setting?
    Does Microsoft have this setting set to "Disabled" internally?
  2. Are any workarounds available for allowing bypass to specific sites, including when a certificate has expired?
  3. Some hotel Wi-Fi Internet access is only accessible after logging in via a captive portal page, which is sometimes hosted internally on RFC1918 private IP space and cannot have a valid public certificate. How would users access the portal in order to connect to the Internet? Would they need to add the Certificate Authority to their Trusted Roots?

I'm struggling to see how many companies could implement this setting without increasing the risk of an outage by being unable to access a critical site.

2 Replies

I'll agree with Eric.

While this setting may work for my end-users while on premise, it would quickly run afoul for our remote staff as well as IT staff. Most web admin interfaces leverage a self-signed cert. The ability to set overrides for this (using FQDN or IP) would significantly reduce the number of problems caused.

For now, we can create a separate GPO for those 'admin' computers so IT staff can proceed through the warning page.
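The reply above relies on a separate GPO reaching the right machines. The following PowerShell is an added example, not code from the thread or from Microsoft: it reads the machine-scope Edge policy values that such a GPO writes, resolves what the "proceed from the HTTPS warning page" policy means for a few constructed URLs, and reports the reason, so an administrator can confirm on a given device that the baseline or the exception actually applied. It assumes the policy names from the Microsoft Edge policy reference (`SSLErrorOverrideAllowed`, and the per-origin list `SSLErrorOverrideAllowedForOrigins`, which appeared in Edge releases later than v81) and the standard policy registry path; the hostnames in the sample list are hypothetical.

```powershell
# Added example (not from the thread or from Microsoft): audit what the Edge
# "Allow users to proceed from the HTTPS warning page" policy resolves to on
# this machine and evaluate it for a list of URLs.
#
# Assumptions (check them against the Edge policy reference for your version):
#   - machine-scope Edge policies land under HKLM:\SOFTWARE\Policies\Microsoft\Edge
#   - SSLErrorOverrideAllowed is a DWORD: 0 = users cannot proceed, 1 = users can,
#     absent = not configured (browser default: users can proceed)
#   - SSLErrorOverrideAllowedForOrigins is a list of origin patterns stored as
#     values named 1, 2, 3 ... under a subkey; it only exists in Edge versions
#     newer than v81, so on v81 the list is simply empty here

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgeSslOverridePolicy {
    $global  = $null
    $origins = @()
    if (Test-Path $EdgePolicyKey) {
        $props = Get-ItemProperty -Path $EdgePolicyKey
        if ($null -ne $props.SSLErrorOverrideAllowed) {
            $global = [int]$props.SSLErrorOverrideAllowed
        }
        $listKey = Join-Path $EdgePolicyKey 'SSLErrorOverrideAllowedForOrigins'
        if (Test-Path $listKey) {
            $origins = @((Get-ItemProperty -Path $listKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { [string]$_.Value })
        }
    }
    [pscustomobject]@{ GlobalAllowed = $global; AllowedOrigins = $origins }
}

function Test-OriginPattern {
    param([string]$Pattern, [uri]$Url)
    # Handles "https://host", "https://host:port", "[*.]example.com" and a bare "host".
    $p = $Pattern; $scheme = $null; $port = $null
    if ($p -match '^(?<s>[a-z]+)://(?<rest>.+)$') { $scheme = $Matches.s; $p = $Matches.rest }
    if ($p -match '^(?<h>.+):(?<port>\d+)$')      { $p = $Matches.h; $port = [int]$Matches.port }
    if ($scheme -and $scheme -ne $Url.Scheme) { return $false }
    if ($port   -and $port   -ne $Url.Port)   { return $false }
    if ($p.StartsWith('[*.]')) {
        $suffix = $p.Substring(4)
        return ($Url.Host -eq $suffix) -or $Url.Host.EndsWith(".$suffix")
    }
    return $Url.Host -eq $p
}

function Test-EdgeClickThroughAllowed {
    param([string]$Url, [pscustomobject]$Policy)
    $u = [uri]$Url
    if ($null -eq $Policy.GlobalAllowed) {
        return [pscustomobject]@{ Url = $Url; Allowed = $true;  Reason = 'policy not configured (browser default)' }
    }
    if ($Policy.GlobalAllowed -ne 0) {
        return [pscustomobject]@{ Url = $Url; Allowed = $true;  Reason = 'SSLErrorOverrideAllowed = 1' }
    }
    foreach ($pat in $Policy.AllowedOrigins) {
        if (Test-OriginPattern -Pattern $pat -Url $u) {
            return [pscustomobject]@{ Url = $Url; Allowed = $true; Reason = "matched origin exception '$pat'" }
        }
    }
    [pscustomobject]@{ Url = $Url; Allowed = $false; Reason = 'SSLErrorOverrideAllowed = 0 and no origin exception' }
}

# Constructed sample URLs (hypothetical hosts) matching the cases raised in the thread.
$sampleUrls = @(
    'https://switch01.corp.example/',   # self-signed admin interface
    'https://10.0.0.1:8443/',           # captive portal on RFC1918 space
    'https://teams.microsoft.com/'      # public site whose certificate could lapse
)
$policy = Get-EdgeSslOverridePolicy
$sampleUrls | ForEach-Object { Test-EdgeClickThroughAllowed -Url $_ -Policy $policy } | Format-Table -AutoSize
```

Run it on a workstation in the baseline OU and on one of the 'admin' computers: the first should report `Allowed = False` for every URL, the second `Allowed = True` with the reason showing which GPO value produced it. The script reads only the HKLM policy hive; if you also deploy user-scope Edge policy, repeat the check against `HKCU:\SOFTWARE\Policies\Microsoft\Edge`.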

@ericwright Dear Eric, "recommended baselines" are only... recommended, so you can override them in a separate GPO in whatever manner you like. :)

I personally prefer to have good recommendations from Microsoft, as I can create my own exceptions.