01-20-2017 06:55 AM
Greetings.
Yesterday I configured OpenDNS and finally got it working when I turned off SecureDNS in Avast! pro. Now, though, when I try to access some sites with https such as https://news.google.com and https://www.facebook.com with Google Chrome, Internet Explorer 11 or Microsoft Edge, I get the message
Chrome:
Attackers might be trying to steal your information from www.facebook.com (for example, passwords, messages, or credit cards).
There is a problem connecting securely to this website.
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
You should close this webpage.
Click here to close this webpage.
More information
If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
For more information, see "Certificate Errors" in Internet Explorer Help.
I have run the OpenDNS diagnostic tool, but the results don't mean much to me.
Is this a common problem? How shall I proceed to be able to access unblocked sites?
01-20-2017 09:08 AM
I resolved this by installing the Cisco_Umbrella_Root_CA certificate.
01-20-2017 10:08 AM
Well done! Here is the related KB article.
10-27-2017 08:38 AM
Yes, where exactly is the SHA-256 fingerprint for the Cisco Umbrella Root CA? This certificate shows as "Not Verified" on my iOS device.
Apple's website has a different fingerprint and serial number than the one shown in the "Cisco Umbrella Root CA" certificate.
Without a published fingerprint, it is hard to trust.
10-27-2017 09:38 AM
Here's the SHA-1 fingerprint:
c5 09 11 32 e9 ad f8 ad 3e 33 93 2a e6 0a 5c 8f a9 39 e8 24
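The fingerprint quoted above is just a hash over the certificate's DER bytes, which is what the base64 body of a .pem file encodes, so anyone who has downloaded the CA file can recompute the SHA-1 value and derive the SHA-256 value that the earlier post could not find. The script below is an added example, not code from the thread, from OpenDNS or from Cisco. It assumes the downloaded file is named Cisco_Umbrella_Root_CA.pem (the name used earlier in this thread; adjust it if yours differs). Because the real certificate bytes are not on this page, the embedded sample PEM is a constructed stand-in whose body decodes to the three bytes "abc", not a real certificate; it exists only so the code runs offline and its output can be checked against well-known hash test vectors.

```python
"""Compute and compare X.509 certificate fingerprints from a PEM file.

Added example (not from the OpenDNS thread, OpenDNS or Cisco). A
certificate fingerprint is the SHA-1 or SHA-256 digest of the DER
encoding, i.e. of the base64-decoded PEM body. Running this on the
downloaded Cisco_Umbrella_Root_CA.pem (assumed file name) yields both
fingerprints so the value quoted in a forum post, on Apple's site or in
the iOS certificate dialog can be compared exactly.
"""
import base64
import hashlib
import re
import sys

# Matches the first CERTIFICATE block; re.S lets '.' span line breaks.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample, NOT a real certificate: "YWJj" is base64 for b"abc".
# It stands in for the CA file so the example runs offline.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def der_from_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    # Strip whitespace between base64 lines; reject malformed base64.
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def _fmt(hexdigest: str) -> str:
    """Upper-case, colon-separated hex, as certificate dialogs show it."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()


def fingerprints(der: bytes) -> dict:
    """SHA-1 and SHA-256 fingerprints of the DER bytes."""
    return {
        "sha1": _fmt(hashlib.sha1(der).hexdigest()),
        "sha256": _fmt(hashlib.sha256(der).hexdigest()),
    }


def normalize(fp: str) -> str:
    """Canonicalize a fingerprint typed in any common style.

    Accepts "c5 09 11 ...", "c5:09:11:..." or "C50911..." and returns the
    same colon-separated upper-case form fingerprints() produces, so
    values copied from different sources compare exactly.
    """
    hexonly = re.sub(r"[^0-9a-fA-F]", "", fp)
    if len(hexonly) not in (40, 64):  # 20 bytes (SHA-1) or 32 bytes (SHA-256)
        raise ValueError("not a SHA-1 or SHA-256 fingerprint: %r" % fp)
    return _fmt(hexonly.lower())


def matches(der: bytes, claimed: str) -> bool:
    """True if `claimed` is the SHA-1 or SHA-256 fingerprint of `der`.

    The digest to compare against is chosen by the length of `claimed`.
    """
    c = normalize(claimed)
    key = "sha1" if len(c) == 59 else "sha256"  # 20*2+19 vs 32*2+31 chars
    return fingerprints(der)[key] == c


if __name__ == "__main__":
    # Usage: python3 fingerprint.py Cisco_Umbrella_Root_CA.pem [claimed-fingerprint]
    # With no arguments the constructed sample is used.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    der = der_from_pem(pem)
    for name, value in fingerprints(der).items():
        print("%-6s %s" % (name, value))
    if len(sys.argv) > 2:
        print("claimed fingerprint matches:", matches(der, sys.argv[2]))
```

Paste the fingerprint from the post above as the second argument to check it against your downloaded copy; a mismatch means you do not have the same certificate and should not install it. The same two values can be cross-checked with `openssl x509 -noout -fingerprint -sha1 -in Cisco_Umbrella_Root_CA.pem` and `-sha256`, which hash the identical DER bytes.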
10-27-2017 09:45 AM
Thank you. Is this posted on the site somewhere or is it from your copy of the CA?
Can you explain what all of these warning messages mean? Am I giving Cisco access to all the data I send while browsing?
There is another setting in iOS under Settings>General>Certificate Trust Settings: Enable Full Trust For Root Certificates
The Cisco Umbrella Root CA is listed here with a slider to enable or not. Should we enable?
11-06-2017 12:03 PM
"Is this posted on the site somewhere or is it from your copy of the CA?"
This is from the certificate itself.
"Can you explain what all of these warning messages mean?"
You may want to raise a support ticket with OpenDNS if you are concerned. We, the other users, can hardly help you further. We are generally in the same situation as you, as users.
11-17-2017 02:56 PM
So wait, let me get this straight, to access https sites, I'm going to have to install this cert on any system that uses my network? So when a guest comes to my house I have to hit them at the door with: Dude, you have to do this to use my WiFi? Come on, how's that even remotely logical??? I cannot imagine why anyone would even consider using this service if you have to do that.
11-18-2017 06:50 AM
"to access https sites, I'm going to have to install this cert on any system that uses my network?"
No, in no way! This browser certificate warning only appears if you attempt to visit an HTTPS site whose domain you have blocked with your OpenDNS dashboard settings anyway. You can also simply accept or ignore this browser warning instead of installing the CA cert. It's up to you. The warning never comes up if you visit an HTTPS site normally whose domain you did not block.
It seems you didn't read the KB article https://support.opendns.com/hc/en-us/articles/227987007 at all.
11-18-2017 06:55 AM
So you're telling us that Cisco cannot afford to buy a real cert to do this? For businesses using this how does that not cause TONS of confusion on networks such as guest access WiFi?
11-18-2017 08:12 AM
I see, you still did not read that KB article, else you would have seen that you can download the real cert bought by Cisco from there. Also, why are you concerned? These domains which you access with HTTPS are blocked anyway by your settings, regardless of whether you get an OpenDNS block page or a browser warning. You have achieved what you were looking for: the domain is being blocked and you cannot access it. That was the goal and purpose.
11-18-2017 08:21 AM
Actually, Rotblitz, I did. This is NOT a real cert. A real cert would be issued by a root cert provider such that users don't have to install them manually. Imagine having to download a cert for every HTTPS site, say your bank, Amazon, Google, etc.??? Users would NEVER do that. There's a reason why legit sites use real certs that don't require manual interaction.
What you don't get is that users get confused, frustrated, and contact whoever is in charge of the network about errors like this. In a large business where certs can be deployed to users by group policy that's simple, but for a small business with a guest WiFi network, those guests are going to get errors and are going to pester the employees about the issues. Why can't they buy a legit cert from a legit provider like Verisign or, if they're too cheap, just get one from one of the super inexpensive SSL providers like RapidSSL or GoDaddy?
11-18-2017 09:26 AM
Ok, you might have read it, but you clearly didn't understand it.
"This is NOT a real cert."
The cert is issued by a CA root cert provider. Cisco has been such a certified provider since eons. Didn't you know?
"Imagine having to download a cert for every HTTPS site"
Agreed, a nightmare! Good that this is not needed at all. Why do you think you have to download certs for every HTTPS site? Not at all! Why would you download a cert for an HTTPS site you don't want to have visited and therefore have its domain blocked at the dashboard? No need! It would be nonsense to do so. The domain is being blocked anyway.
"guests are going to get errors and are going to pester the employees about the issues."
LOL, very unlikely. If you were a guest and attempted to visit youporn.com, would you complain to your host or the employees that you couldn't access youporn.com because you got a browser warning "Your connection is not private"? Hardly! Else you are extremely courageous. (Well, after what you said, I could really imagine that you did it this way, not being aware of the reputation loss.)
"Why can't they buy a legit cert from a legit provider like Verisign"
I see, you didn't get that this cert is legit, and they are a provider like Verisign, and that this symptom would be for any certificate, no matter which one, also from Verisign. I give up. You don't want to understand. It is your right in a free world to not understand. Be it!
11-18-2017 09:33 AM
If it were a real root cert there would be NO need to download and install it. That's how root certs work. When you want to have a conversation about SSL certs, chaining, and non-root certs, let me know; I'll be happy to explain them. Until then, this is a jury-rigged solution. Also, when you spend 16 hours a day providing IT support, let me know and we'll talk about what errors users bring to the powers-that-be. Until then, have a nice day.
11-18-2017 09:59 AM
No, I only spend 8 hours per day with ICT, and have for 35 years. Probably not enough...
As I said, it is your right to not understand. I accept and tolerate this.
"If it were a real root cert there would be NO need to download and install it."
Fully correct, you said it. There is no need to download and install it. And it is a real root cert, but not published in the bundle of root certs by Microsoft, Apple, Google, etc. It wouldn't make sense to publish it this way, with "only" 2% of internet users using Cisco/OpenDNS services. This "small" amount wouldn't justify propagating it to every device in the world.