by weedfroglozenge 1846 days ago
I'm glad I saw this comment - What can make a site perform like that?

At work we use Chrome as our general browser, and we've had several issues with expired certs before. Some websites allowed you to expand the box and opt "Continue" but some simply didn't have the option. What's the difference?


HTTP Strict Transport Security (HSTS) is enabled at the DNS level which tells modern browsers "I'm a modern website and want to only be served on valid certificates, otherwise refuse to allow access to my website because something must be very wrong for this to happen".

The assumption is "must be very wrong" is an attack you don't want people to "continue" past. Occasionally it bites back like this if you don't maintain your certificates.

Offering HTTP transport invites attackers to inject advertisements, malware, or viruses into your packet stream. ISPs like Comcast and AT&T are notorious for doing this.

Allowing falsified or expired certificates invites attackers as well.

HSTS: This is a good thing.

DNS? You announce it with a header or get on the preload list. I don't think there's a DNS method.
Yeah, there is no DNS mechanism. Although, IIRC, it is possible to place an entire TLD on the preload list - which still doesn't use DNS, but it's a mechanism to enable HSTS where the website itself doesn't do anything.
Sites can opt into "do not let somebody continue if the cert is bad" via HSTS.