Wouldn't that make him a MEME?
"Qulatiy is Job #1"
I typically run multiple browser windows with multiple tabs, like a lot. I need therapy. Anyway, my customer has implemented some sort of weird firewall. About 90% of the websites I frequent - Microsoft, hardware stores, etc all report in flaming letters
Quote: Your connection is not private
Attackers might be trying to steal your information from www.lowes.com (for example, passwords, messages, or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
Now I'm fairly certain Lowes.com is fine. All of my browsers do this - Opera, Firefox, Chrome... is there some setting I missed? The common theme is that I only see this when I am inside my customer's network. If I fire up my VPN, there are no issues.
Ideas?
Charlie Gilley
Stuck in a dysfunctional matrix from which I must escape...
"Where liberty dwells, there is my country." B. Franklin, 1783
"They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." BF, 1759
Just curious as to why you need access to Lowes.com while working for your customer on your customer's system? Perhaps I did not understand your post.
Perhaps your customer sees you surfing the internet a lot on their network and has restricted non technical sites? Not sure.
Haha, no. I work from home mostly, and Lowes is just an example.
This happens for many technical sites that I reference in my work. Let's say I need to order hardware - microcenter.com fails, newegg.com fails, newark.com fails. microsoft.com passes, but hilariously bing.com does not.
Charlie Gilley
Can you have those sites whitelisted?
Not sure if black/white list terms are politically correct these days. Perhaps the "do not block" list?
Every now and then I have to put in a request to have a certain site added to the "okay" list.
Slacker007 wrote: Just curious as to why you need access to Lowes.com while working for your customer on your customer's system?
Perhaps because his wife called and asked "can you pick that up from Lowes?" and he orders it on the website so he can pick it up on his way home?
Or because something happened and he really needs that thing from Lowes asap.
Or perhaps because he has a five minute break and Lowes is his thing.
Or maybe he has a heated discussion with a coworker who is absolutely certain something is not available at Lowes while he is absolutely certain it is.
There are plenty of reasons why a human being would visit the Lowes website during the day when he's awake and behind a computer.
If you want 8 hours of uninterrupted work in which no personal Lowes matters come up, hire a robot instead.
Is there a proxy on the customer's network?
I have seen this when a proxy exists and all browsers send their HTTP and HTTPS connections through it - if you do this, you have to install a certificate on the proxy. If that certificate does not exist or it is self-signed, you get those kinds of warnings.
Which means the "secure" connection is then from local browser to proxy, and the proxy establishes a new secure connection between itself and the actual site. Of course it allows eavesdropping ... anyone with access to the proxy can read all requests/responses in cleartext even if HTTPS. But some companies do this.
I think you meant to reply to the OP, and not me.
This... the error is essentially exactly what's on the label.
Their proxy is re-encrypting the traffic and basically acting like a MITM. While it could just pass traffic back and forth, this means that is not what is happening.
Rather, two different certs are being used for the SSL traffic like nepdev2011 described. They have full control over one of them.
It doesn't definitely mean they're picking off the details of your Ashley Madison Lowe's use, just that they could be.
With all the work from home, I'd guess a bunch more people are seeing this error lately as companies work to shore up their security.
I'm NOT a networking expert so I don't know exactly how it's done, but I do remember some discussions about this sort of thing - I'd say "they" are substituting in their own cert so they can inspect the traffic even though it's encrypted - so you get that warning. In other words, a variation on the man-in-the-middle attack.
That's what I'm guessing is happening based on what you're getting.
That's what I'm thinking too. Old job did the same, and for whatever reason they could never figure out how to push cert updates to Firefox; so every time they fiddled with their MITM box I had to manually add the certs to my browser.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, weighing all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
nepdev2021's response above (and harvyk0's below) both paint a much better picture than I could as for the how. Seems obvious in hindsight.
Your client has apparently implemented a policy that eliminates most, if not all, of the trusted root certificates in their systems. It sounds like they're doing this by not allowing certificate chains to be processed at their firewall. My guess is they're either seriously paranoid, or they simply screwed up their firewall.
I'm going to side on the seriously paranoid, but I do think they screwed something up. I spoke to a coworker, and he has no issue going to several suggestions I gave him. His PC is in the corporate domain. I'm a consultant, so my laptop is not in the domain. There might be some implications there.
Interestingly, I do have a VM that is in their domain, and it still has these errors. When I hear back from IT, I'll follow up this post.
Charlie Gilley
They have implemented SSL inspection on their Firewall (or Proxy).
Basically the connection is secure between the website you're visiting and their edge device but they failed to provide you with a copy of the root certificate used by their edge device.
Once you have the root certificate (and you actually trust the customer's IT) then you'll cease getting that warning. At the same time, however, they have effectively man-in-the-middle attacked your connection, so what goes through that connection is a secret between you, the website you're visiting, and your customer. Be wary of doing anything you'd actually want security for (e.g. Internet Banking).
Can it be that the customer's IT department was so busy with doing stuff they can to stop & think about whether they should? I swear, most policies in my company stem from someone eager to make themselves noticed. Meaning making wind.
Kiriander - not sure why your message would be flagged as spam, CP sent me the email notification. I know this customer is undergoing a couple of changes. There is a push to silo *everything* at corporate headquarters, so if you don't work there, you are rarely in the loop.
They are also paranoid to the extreme, as someone got into their network a couple of years back. They still refuse to talk about it, no details, etc.
Interestingly, the corporate policy is that you must open a ticket to receive IT support. About the only time I get a response on tickets is when I need my account unlocked. Ask a difficult question, and I rarely get a response. My feel is that they are severely overworked or understaffed - same difference. I only know the local folks.
Charlie Gilley
We have two things that interfere with our internet at my work. One is our network appliance that caches web pages locally for reuse. And the other is our web filter that blocks unwanted websites. Sometimes the SSL certs get screwed up if you're not logged in properly and that results in what I think you're seeing.
Essentially they are logging/inspecting all traffic in the middle.
BROWSER -> Proxy/Firewall -> Internet Website
At the Proxy/Firewall side (it could be an IDS, IPS, whatever) they are getting the data from the Internet Website, decrypting it, looking at it/storing it/who knows, then passing the data on.
Now, part of SSL (TLS these days) is not just encryption/decryption, but WHO you are/which websites.
It is 'impossible', for your customer/Proxy to 'be' Lowes.com, so instead they re-encrypt the data with their own Certificate 'customerCA.com' for example, and say it's for the website 'Lowes.com'.
So, the browser knows this, and says, but you went to Lowes.com, but the SSL cert is Signed by CustomerCA.com ... I'm not showing you this website, it's been hacked/broken etc.
What everyone here means about 'installing the customer CA' is that it's possible to install 'CustomerCA.com' in a way that makes it all OK for any website, so then when the proxy generates new SSL certificates on the fly/as you browse, for each website, your computer goes... yep, I trust CustomerCA.com, it's all OK.... just like it does when it goes I trust LetsEncrypt CA, or VerisignCA etc.
HOWEVER, that being said, I wouldn't install that thing, don't do anything on that connection.
You want to setup your ROUTES on your system, so that only data for the customer's network goes via the VPN, and the rest goes via your 'standard' internet connection.
This way, you get to browse Lowes.com all day long, but still be connected to the vpn, and secure. It tells the PC to go to the VPN for some traffic, and to your standard 'internet' for other traffic.
The simplest way is to tell the VPN adapter not to be your default gateway, but there are many ways to do this if you can't change it.
https://pasteboard.co/KiKBxAZ.png
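What nepdev2011, harvyk0 and the post above describe, written out as an added example (not code from the thread): a small classifier that takes a server certificate in the tuple-of-tuples layout that Python's `ssl.SSLSocket.getpeercert()` returns and reports whether the connection went straight to the site, was re-signed by the customer's inspection CA, or came from an issuer the machine does not trust at all (the case Chrome labels NET::ERR_CERT_AUTHORITY_INVALID). The certificates, the issuer names and the trust-store sets are constructed for illustration; only the last function touches the network and it is not needed to run the sample.

```python
import socket
import ssl

# Constructed sample certificates (illustrative names, not real issuers),
# laid out the way ssl.SSLSocket.getpeercert() returns them.
DIRECT_CERT = {
    "subject": ((("commonName", "www.lowes.com"),),),
    "issuer": ((("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example Public CA Root"),)),
    "subjectAltName": (("DNS", "www.lowes.com"), ("DNS", "lowes.com")),
}
INSPECTED_CERT = {
    # Same subject, but minted on the fly by the proxy's private CA,
    # exactly as the post above describes.
    "subject": ((("commonName", "www.lowes.com"),),),
    "issuer": ((("commonName", "CustomerCA.com"),),),
    "subjectAltName": (("DNS", "www.lowes.com"),),
}

# Stand-ins for the machine's trust store: issuer common names it trusts.
PUBLIC_ROOTS = {"Example Public CA Root"}
CORPORATE_ROOTS = {"CustomerCA.com"}   # only trusted if IT pushed it to you


def rdn_to_dict(name):
    """Flatten getpeercert()'s ((('k', 'v'),), ...) form into {'k': 'v'}."""
    return {k: v for rdn in name for k, v in rdn}


def hostname_matches(cert, hostname):
    """True if the name you typed appears in the SAN list or the subject CN."""
    san = {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    cn = rdn_to_dict(cert["subject"]).get("commonName")
    return hostname in san or cn == hostname


def classify_chain(cert, hostname, trusted_roots, corporate_roots):
    """Return (verdict, issuer_cn) for the certificate a client was handed.

    verdict is one of:
      'wrong-host' - certificate is not for the site requested
      'untrusted'  - issuer not in the trust store (browser shows a red page)
      'inspected'  - issuer is a known corporate inspection CA you installed:
                     the proxy can read the plaintext
      'direct'     - issued by a public CA, no interception on this path
    """
    issuer = rdn_to_dict(cert["issuer"]).get("commonName", "?")
    if not hostname_matches(cert, hostname):
        return ("wrong-host", issuer)
    if issuer not in trusted_roots:
        return ("untrusted", issuer)
    if issuer in corporate_roots:
        return ("inspected", issuer)
    return ("direct", issuer)


def probe_live(hostname, port=443, timeout=5):
    """Connect with the system trust store and report the verifier's verdict.

    Needs network access, so the offline sample above does not call it.
    OpenSSL's "unable to get local issuer certificate" is the wording behind
    Chrome's NET::ERR_CERT_AUTHORITY_INVALID.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                issuer = rdn_to_dict(tls.getpeercert()["issuer"])
                return ("ok", issuer.get("commonName", "?"))
    except ssl.SSLCertVerificationError as exc:
        return ("verify-failed", exc.verify_message)


if __name__ == "__main__":
    print(classify_chain(DIRECT_CERT, "www.lowes.com", PUBLIC_ROOTS, CORPORATE_ROOTS))
    print(classify_chain(INSPECTED_CERT, "www.lowes.com", PUBLIC_ROOTS, CORPORATE_ROOTS))
    print(classify_chain(INSPECTED_CERT, "www.lowes.com",
                         PUBLIC_ROOTS | CORPORATE_ROOTS, CORPORATE_ROOTS))
```

The third call is the state the thread's replies warn about: once the corporate root is installed, the warning disappears but the verdict is still 'inspected', which is why the advice is to treat that path as readable by the customer and keep banking and similar traffic off it.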
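The routing advice in the post above (send only the customer's prefixes through the VPN, everything else through your own connection), modelled as an added example that is not from the thread: a longest-prefix-match lookup over two constructed routing tables. In the full-tunnel table the VPN adapter has installed a 0.0.0.0/0 route with a lower metric than the ISP interface, so every site is reached through the customer's edge and gets inspected; dropping that one entry is what "not your default gateway" means. Interface names, prefixes and metrics are constructed for illustration.

```python
import ipaddress

# Constructed routing tables as (prefix, interface, metric).
# Lower metric wins among routes of equal prefix length.
FULL_TUNNEL = [
    ("0.0.0.0/0", "isp", 25),
    ("0.0.0.0/0", "vpn", 5),      # VPN adapter acting as default gateway
    ("10.20.0.0/16", "vpn", 5),   # constructed customer network prefix
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "isp", 25),
    ("10.20.0.0/16", "vpn", 5),   # only the customer's network via VPN
]


def select_route(dst, table):
    """Pick the egress interface for dst: longest prefix, then lowest metric."""
    dst_ip = ipaddress.ip_address(dst)
    best_key, best_iface = None, None
    for prefix, iface, metric in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip not in net:
            continue
        key = (net.prefixlen, -metric)   # longer prefix first, then lower metric
        if best_key is None or key > best_key:
            best_key, best_iface = key, iface
    return best_iface


def disable_vpn_default_gateway(table, vpn_iface):
    """Remove the VPN's 0.0.0.0/0 entry; its specific prefixes stay in place."""
    return [r for r in table if not (r[0] == "0.0.0.0/0" and r[1] == vpn_iface)]


def egress_report(dests, table):
    """Map each destination to the interface its packets would leave on."""
    return {d: select_route(d, table) for d in dests}


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for a public site.
    sites = ["10.20.1.5", "203.0.113.10"]
    print("full tunnel :", egress_report(sites, FULL_TUNNEL))
    print("split tunnel:", egress_report(sites, disable_vpn_default_gateway(FULL_TUNNEL, "vpn")))
```

On Windows the same change is the VPN connection's split-tunneling setting (`Set-VpnConnection -SplitTunneling $true`, then `Add-VpnConnectionRoute` for each customer prefix); whichever tool you use, checking the table afterwards with a lookup like the one above tells you which traffic will still pass through the inspecting proxy.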
When I'm setting my default browser on a new Windows install, I don't need to check out Edge first.
If I'm on that settings dialog I've already confirmed Edge can still download other browsers for me.
Irritating, aren't they?
Charlie Gilley
As a side note, I tried Edge at work.. and now it's my main browser at home!
It's much like chrome.. but there is one specific feature that I quite like:
It shows tabs that make sound / play video with a speaker icon in the tab, and you can click on it to shut them up!
Super Lloyd wrote: speaker icon in the tab
As you told - just like Chrome (about 3 years)...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
Really?
You cannot stop the sound in chrome, I think.
Indeed I just tried (have the usual mass market chrome, no custom settings no addons), started chrome, went to youtube, clicked on the icon, music keeps playing
In Edge I can! Very good against annoying popup video...
EDIT: oh I see, you have to right click, it's in the context menu! Never thought of right clicking on the tab until today!
Well, it's easier with Edge, a single click suffices!