“chrome://flags/#allow-insecure-localhost” - Is it secure? How to enable it on chrome?

135.4K    Asked by AndrewJenkins in SQL Server , Asked on Dec 8, 2021

I have just stumbled upon what is a very helpful flag in chrome (for developers):  chrome://flags/#allow-insecure-localhost

The flag is described as: "Allow invalid certificates for resources loaded from localhost. Allows requests to localhost over HTTPS even when an invalid certificate is presented. – Mac, Windows, Linux, Chrome OS, Android"

Having always had to generate self-signed certs for multiple services, this is great, but it begs the question: is this secure? Is this secure to leave on all the time?

If this is not secure what are the attacks possible?

Answered by Anisha Dalal

It's most likely fine. There are a few situations in which you want to communicate with localhost using HTTPS - such as running a local webserver for web development purposes or some other service that offers a web interface.

The way to do it "properly" is to generate a self-signed certificate, set up your web server to use that certificate, and then manually import that certificate as a trusted certificate. This is a tedious process, and in order to remove this friction, browsers give you the option of pretending like https://localhost is sending some trusted certificate, even though it's not.

So is this secure? That depends on your threat model. For day-to-day browsing activities, you'll likely be fine. It's difficult for an attacker even in your local network to impersonate localhost, since it's written directly in your hosts file, which on most setups has higher priority than DNS - which means even with a compromised DNS server, connections to localhost still would not be redirected to the attacker.

So why is this not the default if it's most likely secure? Because it's not the "expected" behavior of a browser. The expected behavior is that upon connecting to a host using HTTPS, the certificate is validated and the connection is refused if the certificate is invalid. You as end-user have to make a conscious decision to change this behavior and allow this exception.

So when would this be insecure? 

When would it actually pose a threat? To be honest, I struggle to think of an example that isn't completely contrived. Strange hostname resolution configurations in which localhost would be resolved via DNS and spoofed to be some host other than 127.0.0.1 would come to mind, but that is a very unlikely scenario, and one in which the user has to go out of their way to configure their system to be vulnerable. However, I don't want to say "it is perfectly fine in every possible setup", since there is always a chance I am missing something.

How to enable chrome://flags/#allow-insecure-localhost on Chrome? You might want to jump over to the beta branch of your browser. That, however, isn't really necessary, as there is indeed another way to enable the allow-insecure-localhost flag on Chrome. The steps for this have been given below:

  1. Launch 'chrome://flags/#temporary-unexpire-flags-m87' from the address bar
  2. Set it to Enabled
  3. Restart Chrome
  4. Launch 'chrome://flags/#allow-insecure-localhost'
  5. It will be visible now, so simply enable it
  6. Restart Chrome again
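The answer above rests on one condition: "localhost" is pinned to a loopback address in the hosts file, so a spoofed DNS reply cannot redirect it, and the only real risk is an odd resolver configuration that maps localhost somewhere else. The following script is an added example (not from the answerer or from Chrome) that audits exactly that condition. It parses hosts-file text for a hostname, asks the live system resolver, and reports any non-loopback address. The sample hosts-file contents, the 192.0.2.10 address (an RFC 5737 documentation address) and the `/etc/hosts` path are constructed or assumed for illustration.

```python
"""Audit whether 'localhost' can only ever reach the loopback interface.

Added example, not part of the original post. It checks the two places a
hostname can come from: the hosts file (parsed here) and the live system
resolver (hosts file and/or DNS, in nsswitch order). Any address that is not
127.0.0.0/8 or ::1 is flagged.
"""
import ipaddress
import socket

# Constructed sample hosts-file contents for demonstration. The second block
# shows what a tampered file looks like: 192.0.2.10 is a documentation-only
# address (RFC 5737), used here purely as a placeholder for "some other host".
SAMPLE_HOSTS_OK = """\
# standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
"""

SAMPLE_HOSTS_TAMPERED = """\
127.0.0.1   localhost
192.0.2.10  localhost   # non-loopback mapping (constructed)
"""


def parse_hosts(text, hostname="localhost"):
    """Return every address the hosts-file text maps to *hostname*.

    Handles full-line and trailing '#' comments, blank lines and lines that
    list several names after one address. Matching is case-insensitive.
    """
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        if any(n.lower() == hostname.lower() for n in names):
            found.append(addr)
    return found


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for anything else, including
    strings that are not valid IP addresses (treated as suspicious)."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def non_loopback(addrs):
    """Distinct addresses in *addrs* that would let 'localhost' leave the box."""
    return sorted({a for a in addrs if not is_loopback(a)})


def resolve(hostname="localhost"):
    """Ask the system resolver; returns the distinct addresses it yields."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def audit(hosts_text, hostname="localhost", resolver=resolve):
    """Combine both sources. Returns (ok, details); ok is False as soon as
    either the file or the resolver yields a non-loopback address."""
    from_file = parse_hosts(hosts_text, hostname)
    from_resolver = resolver(hostname)
    bad = non_loopback(from_file + from_resolver)
    details = {"hosts_file": from_file, "resolver": from_resolver, "non_loopback": bad}
    return (not bad, details)


if __name__ == "__main__":
    # Assumed POSIX hosts-file path; on Windows it lives under
    # %SystemRoot%\System32\drivers\etc\hosts instead.
    try:
        with open("/etc/hosts") as f:
            live = f.read()
    except OSError:
        live = ""
    ok, details = audit(live)
    verdict = "localhost is pinned to loopback" if ok else "WARNING: localhost can resolve off-box"
    print(verdict, details)
```

Run it as-is to check the machine you are about to enable the flag on; a non-empty `non_loopback` list is the "strange hostname resolution configuration" the answer warns about, and the flag should stay off until that mapping is removed.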


Answer (1)

The "chrome://flags/#allow-insecure-localhost" feature in Google Chrome allows developers to test local websites using HTTP instead of HTTPS without facing security warnings. Enabling it is generally safe for local development environments but could pose risks if used in production. To enable it:

  1. Open Google Chrome.
  2. Enter "chrome://flags/#allow-insecure-localhost" in the address bar and press Enter.
  3. Find the "Allow invalid certificates for resources loaded from localhost" option.
  4. Select "Enabled" from the dropdown menu.
  5. Relaunch Chrome to apply the changes.

Remember to use this feature responsibly and exclusively for development purposes.