
Whitelisting “Unsecure” Websites in Recent Versions of Chrome for macOS

May 15, 2017

The latest versions of Chrome (from v57 forward, I believe) perform extra checking on websites. This may lead you to encounter “Your connection is not private” and “NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED” warnings when visiting sites that are known to be safe.

Example:

[Image: ERR_CERTIFICATE_TRANSPARENCY_REQUIRED]

What generates the alert is that not all companies (mine included) implement their web certificates the way Chrome now expects. It has something to do with Chrome and OpenSSL using different trusted root CAs, which makes the trust chain slightly different. To be fair, Chrome now checks this to prevent spoofing and MITM attacks, but it results in false errors and causes Chrome to stop offering to store passwords. Annoying.

Googling how to stop these errors yields many red herrings but few actual results. For example, Chrome v53 did this to many users but v54 fixed it, and you’ll trip over this while searching, as well as Android and Linux posts that don’t help. This post is my attempt to document the actual solution for others who are searching for it.

To whitelist a domain in Chrome, ensure the com.google.Chrome.plist file in /Library/Preferences contains:

<key>CertificateTransparencyEnforcementDisabledForUrls</key>
<array>
  <string>[your.domain]</string>
  <string>[your.domain2]</string>
  <string>[your.domain3]</string>
</array>

You can put as many or as few entries in the array as you like.

Note: Before you try to view com.google.Chrome.plist, be aware that it is stored in binary format. Use this command to convert it to human-readable format:

plutil -convert xml1 com.google.Chrome.plist

The AuthNegotiateDelegateWhitelist key should be persistent and survive Chrome updates. The plist conversion to XML will not.
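Because the file reverts to binary, a script that reads either format is handy for checking which hosts are exempt from Certificate Transparency enforcement on a machine. The following is an added example, not part of the original post: it uses Python's standard plistlib to list and merge entries under the key shown above. The hostnames and `ExampleOtherKey` are constructed, and the plain-hostname check is an assumption of this example.

```python
import plistlib

# Policy key from the post; everything else in this block is illustrative.
CT_KEY = "CertificateTransparencyEnforcementDisabledForUrls"


def read_exemptions(raw: bytes) -> list:
    """Return the CT-exempt entries; plistlib auto-detects binary vs. XML."""
    value = plistlib.loads(raw).get(CT_KEY, [])
    if not isinstance(value, list):
        raise ValueError(f"{CT_KEY} must be an array of strings")
    return [str(v) for v in value]


def looks_wrong(entry: str) -> bool:
    """Assumption of this example: an entry should be a plain hostname."""
    return "." not in entry or any(c in entry for c in "[]*/: ")


def add_exemptions(raw: bytes, hosts) -> bytes:
    """Merge hosts into the array, keeping other keys and the input format."""
    prefs = plistlib.loads(raw) if raw else {}
    fmt = plistlib.FMT_BINARY if raw.startswith(b"bplist00") else plistlib.FMT_XML
    current = list(prefs.get(CT_KEY, []))
    for host in hosts:
        host = host.strip().lower()
        if looks_wrong(host):
            raise ValueError(f"not a plain hostname: {host!r}")
        if host not in current:
            current.append(host)
    prefs[CT_KEY] = current
    return plistlib.dumps(prefs, fmt=fmt)


if __name__ == "__main__":
    # Constructed sample: a binary plist with one unrelated, made-up key.
    sample = plistlib.dumps({"ExampleOtherKey": True}, fmt=plistlib.FMT_BINARY)
    updated = add_exemptions(sample, ["intranet.example.com"])
    print(read_exemptions(updated))
    # Audit pass: show every exemption and flag ones that look malformed.
    for entry in read_exemptions(updated):
        print(entry, "CHECK" if looks_wrong(entry) else "ok")
```

The functions work on bytes only, so reading and writing the real file in /Library/Preferences (which needs administrator rights) is left to the caller.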
