by hsbauauvhabzb 676 days ago
So we’re back to trusting the user?

Use HSTS, browsers are specifically designed not to let users bypass these.
HSTS forces encryption, it has no impact on certificate invalidity, at least to my knowledge.
Visit your .internal site -> website uses TLS cert signed by root CA that is preloaded on your device. Succeeds and HSTS flag is set.

Visit other .internal site -> uses TLS cert NOT signed by root CA that is preloaded on your device -> certificate error, and cannot be bypassed due to HSTS.
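
An added example, not part of any comment in this thread: a small model of how a browser's HSTS store decides whether a certificate error can be clicked through, following RFC 6797. The class name, function names and hostnames are constructed for illustration.

```javascript
// Minimal model of a browser's HSTS store (RFC 6797). Hostnames are constructed.
class HstsStore {
  constructor() { this.policies = new Map(); } // host -> { expires, includeSubDomains }

  // Section 8.1: only note the header when it arrived over TLS with no certificate errors.
  noteHeader(host, headerValue, { secure, certValid, now = Date.now() }) {
    if (!secure || !certValid) return false;
    const directives = new Map();
    for (const part of headerValue.split(";")) {
      const [name, value = ""] = part.trim().split("=");
      if (name) directives.set(name.toLowerCase(), value.replace(/^"|"$/g, ""));
    }
    const raw = directives.get("max-age");
    if (raw === undefined || !/^\d+$/.test(raw)) return false; // max-age is required
    const maxAge = Number(raw);
    host = host.toLowerCase();
    if (maxAge === 0) { this.policies.delete(host); return true; } // max-age=0 removes the policy
    this.policies.set(host, {
      expires: now + maxAge * 1000,
      includeSubDomains: directives.has("includesubdomains"),
    });
    return true;
  }

  // Section 8.2: exact match, or a superdomain whose policy has includeSubDomains.
  isKnownHstsHost(host, now = Date.now()) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const p = this.policies.get(labels.slice(i).join("."));
      if (p && p.expires > now && (i === 0 || p.includeSubDomains)) return true;
    }
    return false;
  }

  // Section 12.1: on a known HSTS host a certificate error offers no click-through.
  onConnect(host, certValid, now = Date.now()) {
    if (certValid) return "ok";
    return this.isKnownHstsHost(host, now) ? "hard-fail" : "bypassable-warning";
  }
}

function demo() {
  const store = new HstsStore();
  const hdr = "max-age=31536000; includeSubDomains";
  store.noteHeader("corp.internal", hdr, { secure: true, certValid: true });
  // A header seen on a connection with a certificate error is ignored.
  store.noteHeader("printer.internal", hdr, { secure: true, certValid: false });
  return {
    sameHost: store.onConnect("corp.internal", false),
    subdomain: store.onConnect("git.corp.internal", false),
    unrelated: store.onConnect("printer.internal", false),
  };
}
```

In this model the hard failure applies only to hosts that already have a noted (or inherited) policy, which is why internal deployments typically set `includeSubDomains` on a parent domain or distribute the policy ahead of first contact.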