
Issue 728016

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security




ssl mentality bad: expired, misnamed, whatever sites are still encrypted and just as secure as ever minus date or who is who

Reported by tym...@gmail.com, May 31 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.7 Safari/537.36

Steps to reproduce the problem:
1. visit expired, misnamed, or https via ipaddress

What is the expected behavior?
should allow access

perhaps not just with a few warnings but with an annoying display (reverse video/flashing screen/chromakey shifting -- anything not normal) 

What went wrong?
unable to access website with expired certificate or using wrong name (because website is expired/misnamed/offline and as an admin we require access).

Did this work before? Yes ?

Chrome version: 60.0.3112.7  Channel: dev
OS Version: 10.0
Flash Version: Shockwave Flash 26.0 r0

security amounts to 2 things... encryption and endpoints...

locked doors are still locked and after your key expires... and your key is still a key even if it's a bad key even if you try to open the wrong door.   

Whatever the case, the encryption still works if you can get content. so it's only a matter of who is who and endpoints... admins need access to dead websites and to bypass
 

Comment 1 by tym...@gmail.com, May 31 2017

I needed to use a different browser to access website after SSL date expired in order to fix Let's Encrypt settings and update/renew certificate... this is just stupid that chrome has no option for date issues... chrome has no option to bypass expired site.

Ultimately what I would like is a prompt as was previously available or for "more" then a chromakey color-shifting window or inverted black is white or weird color annoying window to alert user that things are bad and not normal.. let's use a bad website but make it really annoying and alerting.
Status: WontFix (was: Unconfirmed)
This is working as intended.

No, connections without proper certificates are not secure.

By way of analogy, when you try to buy an expensive product at a store with a credit card and they ask to see your drivers' license, they don't simply check that you have *a* drivers' license, they check to see that the picture matches your face and that the name on the license matches the credit card. In the same way, browsers must validate that the certificate presented by the server is legitimate (chained to a trusted root) and matches the hostname of the site.

Expiration is similar-- both certificates and credit cards expire for a number of reasons, but historically they have expired because, in the event of compromise (e.g. stolen credit card, lost private key for a certificate), the authority (credit card company or CA) does not want to maintain records of the revocation indefinitely; they instead only keep track of the revoked state until the token expires.

For *most* HTTPS errors in Chrome, you can elect to ignore certificate errors and proceed anyway (the option is hidden behind the ADVANCED link). Sites where this option is not available have explicitly forbidden it by using a feature called Strict Transport Security.
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 7 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 Deleted

Comment 5 by tym...@gmail.com, Oct 7 2017

I call BS on your analogy, the store is the security source and they don't care what your credit card or DL or anything else in the channel or data stream.  You can't conflate the validity of the channel with the validity of the CC or Driver's License -- either there may not even be a CC or DL or when there is the CC may even be expired but the SSL is still good.  In simplest terms, this is completely about their business licences (and the funny thing is if this was the real world has anyone ever checked a store's business licence? how do you know the last store you were in wasn't a counterfeit franchise?), and nothing about the client... the client can choose to not look at or ignore the business license...

Next, and most importantly, connections without proper certificates are completely secure... unless the certificate has been compromised there is no difference in a certificate today or tomorrow.  You are guaranteed complete security and privacy between two endpoints.  To illustrate this fact, imagine you used time travel to get a certificate from next year a year in the future -- would you suggest it's not secure today but it is secure in the future?

So you're conflating "SECURITY" with "TRUST", the thing is 99% of the time security is guaranteed even when certificates are compromised and trust may be out the window.  The impossible encryption is always just as valid so long as the private keys aren't compromised.  Protocols are protocols and changing the date doesn't mean I can hack you.  Point to Point communications are still encrypted, doesn't usually matter with what.


So, let's skip analogies and see what originally happened: I'm the "store" owner and things aren't working because the date is bad.  And even with local access (aka physical in the real world) where I don't need to trust a root certificate from some global authority or check the time on some remote site (although that might be nice later if I needed to adjust the time).  You're saying that there should be no option except to use something other than chrome, or that if I wanted to use chrome I need to uninstall the latest version of chrome and use an old version? 

In the simplest terms, you're saying if the date is wrong that Chrome won't work and there are no exceptions anymore.  Just say that, don't make excuses.  Your answer is you can't do that or to use old chrome or no chrome.  

Security/Privacy is totally different than Trust.  Security/Privacy is based exclusively on the protocol (except for private keys) and the connection.  Trust is based on mutually accepted but arbitrary otherwise meaning things (like dates and roots).  Matter of factly, I can use private roots and be more secure and more trustworthy in private circles than being chained to a trusted root which is still a third party. Don't also conflate security and validity – a rejected credit card transaction is still as perfectly secure and valid as any accepted transaction -- both are successful credit card transactions and neither is a failed credit card transaction.


So, about Trust, yes, the date is wrong can we just agree to ignore that and continue?  So, this thread has expired, but we can't keep it open or do I have to open a new thread?  Is there an option or reopen this thread?  An exclusion or checkbox somewhere?  That is the question applicable both to this thread and to how Chrome works.

Optionally, go today and register a _NEW_ cert and put it on a site, then access that site via SSL but using the IP or a wrong name... then explain to me how that is hacked and exposed and insecure!  Seriously?!  It is completely secure just totally untrustable -- unless it was local or even private.


I've written 10 times more than what you see here -- I bitched a lot more than you can see.  But, re-editing, I cut it down; and ultimately, if dates are f'd while chrome used to work, it doesn't work anymore and there are _NOW_ no exceptions and the only option is to use an old chrome or use some other browser... you're suggesting I have to use a browser that is not chrome?  


Ultimately, I can't use chrome?!  I can use an old chrome or other browser.  What is your alternative?

Comment 6 Deleted

Comment 7 by tym...@gmail.com, Oct 7 2017

I'm only asking for chrome to work as it worked in the past... if there is a date problem or a name mismatch then to have the option to _TEMPORARILY_ ignore the mismatch... the encryption and therefore privacy of the communication is independent of "titles" and "dates"...

connections with invalid certificates, either private, third-party or expired certificates are still completely secure and private -- they are just not trustworthy.

A day before or after a certificate becomes valid doesn't invalidate the security of the encryption...

meanwhile take any certificate valid today and use their IP address or some alternate name -- you can do this yourself!!! ... security of the encryption is still not invalidated...


Who understands that?
Components: Internals>Network>SSL
<<connections with invalid certificates, either private, thirdparty or expired certificates are still completely secure and private -- they are just not trustworthy.>>

Most people believe that a connection is not private if it is not conducted with the party they believe it to be. If you have a secret conversation with an untrustworthy third-party, you can have no expectation of privacy. This is not a terribly interesting debate, however.

<<A day before or after a certificate becomes valid doesn't invalidate the security of the encryption...>>

The problem with expired certificates is that the CA is under no obligation to revoke them after a compromise occurs, and the subscriber is under no obligation to protect the private key associated with the expired certificate's public key. So expired certificates cannot be considered trustworthy.

<<I'm only asking for chrome to work as it worked in the past...>>

Chrome's behavior has not changed. When you visit a site with a bad certificate (e.g. https://expired.badssl.com) a blocking interstitial page is presented. An end-user may opt to ignore the warning by clicking the "Proceed Anyway" link, unless that link has been removed by either:

1. Corporate policy managing the Chrome browser on the PC in question
2. Server policy as specified by the HSTS (Strict Transport Security) directives
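
The second condition in the list above, modelled as an added example that is not part of the original thread and is not Chrome's code: a minimal RFC 6797 HSTS store that decides whether a certificate-error page may offer a bypass. `HstsStore`, `note` and `bypass_allowed` are hypothetical names; enterprise policy and preloaded entries are not modelled.

```python
import ipaddress
import re
import time

_DIRECTIVE = re.compile(r'\s*([^\s=;"]+)\s*(?:=\s*("[^"]*"|[^\s;"]*))?\s*$')

def parse_sts(header):
    """Return (max_age, include_subdomains), or None if the header must be ignored."""
    seen = {}
    for part in header.split(";"):  # simplification: no ';' inside quoted values
        if not part.strip():
            continue
        m = _DIRECTIVE.match(part)
        if not m or m.group(1).lower() in seen:
            return None  # malformed or repeated directive
        seen[m.group(1).lower()] = (m.group(2) or "").strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required
    return int(seen["max-age"]), "includesubdomains" in seen

def is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

class HstsStore:
    """Hypothetical in-memory model of a browser's dynamic HSTS state."""
    def __init__(self):
        self.hosts = {}  # host -> (expiry, include_subdomains)

    def note(self, host, header, tls_error_free, now=None):
        now = time.time() if now is None else now
        policy = parse_sts(header)
        # Policy is accepted only over error-free TLS and never for IP hosts.
        if not tls_error_free or is_ip(host) or policy is None:
            return False
        if policy[0] == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 clears the entry
        else:
            self.hosts[host.lower()] = (now + policy[0], policy[1])
        return True

    def bypass_allowed(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return False  # known HSTS host: no "proceed" link
        return True
```

A host reached only by IP address never acquires HSTS state in this model, and a policy header seen on a connection that already had a certificate error is ignored, so the bypass stays available in both cases.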

Comment 9 by tym...@gmail.com, Oct 18 2017

Again, my big thing was I was the owner and talking to my expired site or not actually but in actually my _device_ so not even something hosted by a third party... whatever the case I obviously knew what it was and I also knew where it was and in what condition.  Yet chrome no longer gave me any options and I need to use any other browser...

I understand all your arguments and agree with half of them, but you're smart and you know what you're doing... do you understand that we are not talking about most people... We could also have an option deep in the options that we need to enable.  I was specifically talking about "owners" for instance, or super smart people like you...  damn... how the hell are normal stupid people gonna even get fooled after being told once then asked a second time (or having needed to go somewhere deep in chrome options and enable something and being asked to type YES twice)... blah, that is also why I even proposed that we might use "chromakey" and even undulate the screen with varying reds and oranges and yellows like a siren to indicate this was a dubious website... do you get it now???   Normally disabled... you need to manually go into some setting deep in the options and enable something and even after that you get fireworks...

imagine a webpage that is constantly shifting from red to yellow to purple in some weird fractal undulating pattern..  that was my suggestion to notify people that we're on a dubious untrustworthy site... might be bad.  https://www.shutterstock.com/video/clip-2157698-stock-footage-shifting-rainbow-colors.html  or perhaps 
 https://www.videoblocks.com/video/spinning-particles-with-flame-fractal-3qggt56/ or other similar things like https://www.videoblocks.com/video/fractal-to-infinity-nkw24ho6eim4lj7mp/  Whatever... imagine orange and red waves on the screen shifting to indicate "Danger! Will Robson, Danger!", "I can not accept that course of action", "My computer is the best on earth.", "That does not compute!"


reread my original garbage...  I'm not asking for it to be enabled, I'm asking for an option and that option could be deeply obscured (deep in options with multiple yes please) and then be mitigated (flashy screen).

Ultimately I'm asking for the option, not for the thing.

Comment 10 Deleted

Comment 11 by tym...@gmail.com, Oct 18 2017

heck... perhaps some 1 in a million advanced "for developers only" option that you need to click twice, stand up, sit down, and then type YES twice again then wait 3 hours option.  

How about that?!  rather than the chromakey flashing screen ... yes, ooh! actually that "delay" idea is actually also beautiful... but maybe just a 15 minute wait? then enabled for 15 minutes?... Whatever stupid hoops do you think are stupid enough?....  seriously, I think if people just type "beetlejuice" three times then after a 15 minutes delay Chrome would allow things to be bypassed for 15 minutes.  Just make sure people type "beetlejuice" or "bloody mary" in front of a mirror.


Whatever the case, again either the multiple YES deep obscure option, then the "chromakey" or my latest idea of a "15 minute delay" will obviously notify "most people" that this is not an option for them.   This is a special option for us, but especially a smart person like you.


So... after you enable this obscure option deep within Chrome, then you need to wait several minutes and/or maybe get access to chromakey undulating and weird webpages.   

Ultimately, there is a "bypass" option but it is long and evolved then delayed for a bit and ultimately flashy like the Aurora Borealis.    Can that be enabled or allowed?  Are you smart enough to bypass all the warnings? This isn't for the "normal person", this may not even be for me... this is entirely for you ... what are you convinced with that you are smart enough to enable to do to bypass what normal people shouldn't be able to do.

Forget the normal person or even me... let's talk exclusively about you or someone as good and smart as you.  What are your options (other than a time machine)?

Comment 12 by bay...@gmail.com, Oct 18 2017

I think you're mostly just talking to yourself at this point, but to reiterate #8, the option to ignore HTTPS certificate errors has not changed or been removed. 

Comment 13 by tym...@gmail.com, Oct 21 2017

I've somehow missed most of message #8...  for instance just the https://badssl.com website... Very useful, and I'd definitely like to remember that (obviously didn't, stupid me), but more than that Everything works there as it should and as I expect and how I want... I do understand the option to bypass.  The same option that I expected and looked for when I originally commented/complained.

I presume parts of what's happened is that I wasn't enunciating clearly enough that _originally_ I wasn't presented with "advanced" link next to [back to safety] on an SSL error page and so had no option to bypass.  Ultimately I did need to resort to use a different browser.  So perhaps Chrome/60.0.3112.7/dev was broken in some way or for a few builds and so perhaps I'll go back and look.  I know chrome and I know SSL.

Finally, the only reason I started talking about flashing screens and chromakey shit was that I was trying to brainstorm ideas that weren't as radical as to remove the option and bypass and completely restrict access to BADSSL and I wanted to provide some alternatives rather than disallowing it entirely -- something of a compromise or alternatives.  That is secondary and not related to the original problem just an appeasement and an unnecessary derivative of perhaps a non-existent problem.
 

