After configuring OpenDNS, cannot access https sites

ggidd
Level 1

Greetings.

Yesterday I configured OpenDNS and finally got it working when I turned off SecureDNS in Avast! pro. Now, though, when I try to access some sites with https such as https://news.google.com and https://www.facebook.com with Google Chrome, Internet Explorer 11 or Microsoft Edge, I get the message:

Chrome:

Your connection is not private

Attackers might be trying to steal your information from www.facebook.com (for example, passwords, messages, or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID
 
IE:

Certificate Error: Navigation Blocked

There is a problem connecting securely to this website.

The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

You should close this webpage.

Click here to close this webpage.

More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.

When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.

For more information, see "Certificate Errors" in Internet Explorer Help.

I have run the OpenDNS diagnostic tool, but the results don't mean much to me.

Is this a common problem? How shall I proceed to be able to access unblocked sites?

 
 
22 Replies

Terabyte
Level 1

Then with what you're saying I can create a root cert and just let everyone have access to my certificate authority server and call it a root certificate.  That's beyond illogical.  If Cisco can't get their root cert distributed by at least one of the major OS vendors then it's not a real root cert, it's an internal cert being distributed to anyone who wants it.  There's a very real difference.  In point of fact, since there's no way to verify the legitimacy of the cert since it's not coming from a trusted root authority that's a potential security risk.

rotblitz
Level 6

What about raising your concerns with Cisco/OpenDNS instead of discussing it to death with other users like me?  This is fruitless.  Nobody here can speak for Cisco/OpenDNS.

Your initial question was: "to access https sites, I'm going to have to install this cert on any system that uses my network?".  This has been answered.  Again, the summary of the answers is: No, you don't have to install this cert, especially not to access HTTPS sites.  You cannot access these HTTPS sites anyway, because you have them blocked via your dashboard settings, so that they cannot be accessed, exactly as you intended.  You have achieved what you wanted.  Non-blocked HTTPS sites can always be accessed as usual, without ever using this cert.

Your other, later concerns are pretty out of scope and unrelated to the topic, in my opinion.

Terabyte
Level 1

I simply replied to your assertions.  If you don't want a reply, don't post one.

Anonymous
Not applicable

I am @tubaornottuba on this one -- The Cisco Umbrella Root CA is not trusted by Windows. Per the referenced OpenDNS KB, yes, we could publish the Root CA via GPO to all Windows machines, but that would not resolve the issue with Macs, Linux/Unix, and non-employee machines, such as guests/vendors.

Cisco should work with the OS vendors to ensure that their Root CA gets automatically trusted. With that said, I have not yet looked into why they haven't done that since this thread (late 2017).

rotblitz
Level 6

If you implemented the cert on a Mac or Linux machine, it will help too, not on Windows machines alone.

Anonymous
Not applicable

That would be correct, but it's an additional step an enterprise would have to implement through device management tools. It also would present a problem for guests/vendors coming to visit our sites. I see your point about the sites being blocked anyway, but the unfriendly "site is not trusted" warning before they see the Umbrella page is not very user friendly, nor does it make the host company (us) look professional.

Ideally, when a user visits a blocked site (such as media.netflix.com -- not a porn site), they would be sent straight to our company's Umbrella page where they get to enter in a Bypass Code, as an example.

The simplest solution would be for Cisco to contact the various OS vendors and have their Root CA published to the operating systems so they are automatically trusted. The fact that Cisco doesn't seem to have done that since 2017 tells me that either Cisco got lazy or the OS vendors aren't trusting Cisco's certs (which I am currently in the process of researching to see if that is indeed the case.)

rotblitz
Level 6

Thanks for letting us other users know and for sharing your opinion. Now life goes on, and we too.

Anonymous
Not applicable

For those curious, after some research, here is why Cisco's Root CA is not trusted by operating systems... This article explains it well: https://vinoshipper.freshdesk.com/support/solutions/articles/9000179931-your-connection-is-not-private

Basically, Cisco’s Root Umbrella CA cannot be trusted because 1) it does not adhere to strict guidelines of when a Root CA can be trusted publicly, and 2) a Root CA cannot be trusted whose chain’s sole purpose is to spoof other domains like a Man-in-the-middle attack (as explained in the above URL).