Being blocked suddenly from uncert'd https sites.

[peteb2]

This is ridiculous in my eyes. Suddenly i can't even get to this website thanks to the employer's new Security deployed by the muppets of the IT dept. It's ok to use Facebook or Tick-Tok God forbid but too bad if i want to do a study refresher on (as example) Digilent's site in my lunch hour... So i got to thinking. Has anyone had this BS dumped on them with no solution forth-coming anytime soon and is there a website that offers modifying a web-address URL you provide & they add a FAKED https certificate so it will appear cos-ha and complaint & i can get back to being able to do my work.... (yes i'm well pissed off).

[jpanhalt]

How about putting that proposition directly to your employer; then quit, if it doesn't meet your demands?

[Ian.M]

https://www.wikihow.com/Use-Google-As-a-Proxy

[janoc]

If your employer is doing this then proxy services are most likely banned/blocked too. Never mind the potential security issues with the proxies (like accidentally sending your credentials to a third party) and exposing yourself to a potential firing offense for attempting to circumvent the policy.

If you have a legitimate interest/need to access the website, ask your IT to have it unblocked. Even though if your IT is this clueless and blocks all non-https traffic for whatever reason (that has to break half of the internet as a lot of things even on https websites are loaded from unencrypted http sources ...), I wouldn't have much hope there.

My previous job had the FortiGuard spyware/censorware forced on us because of sharing the network connection with some government offices which used it. I can feel your pain. But "going outside the channels" and circumventing it is only going to get you fired when (not if) you get caught sooner or later.

[nali]

Yeah we employed a really anal IT manager who stamped his authority on just about everything including the LAN web proxy and it was actively interfering with my job.

So.. I noticed that proxy URL was a script. Downloaded said script which basically selected a different proxy according to country (we were a smallish multinational), so I tried a couple of other proxies and found one which worked OK for me.

Worked fine and I completely forgot about it until same IT manager used my laptop for something we were working on together... I got a mild bollocking 

[sleemanj]

I'm confuised by your post, do you mean that your employer is blocking non-ssl (http) connections (port 80) and only allowing ssl (https) connections (port 443)? 

Thats what it sounds like, but then you complain about "digilent", but like any sensible website in the last 3 or 4 years digilent has a perfectly fine SSL certificate.

[peteb2]

Yes. For what i can see happening a particular connection is completely 'blocked' resulting in a screen splash message "Warning: Potential security Risk" or "Secure Site Not Available". I can't detect actual ports involved on my the PC i use running Win 7 OS & the Firefox browser. I have the "No trackers known to Firefox..." & "Verified by..." icons that are leading the https://www....  (thanks to Firefox). I do not understand why www.diglent.com produces a  "Warning: Potential security Risk" screen!

I fully accept the business needs to be as secure as possible nowadays. Recently high profile Govt. departments (public hospitals) were completely compromised by Ransomware attacks resulting in massive problems so this is why my employer has put this strict setup in place. I would never actively do anything to compromise their new requirements because i like my job!

For now I'll find another way, probably requesting IT to source & provide all needed .pdf datasheets etc for a semiconductor during a bench repair or the newest released flash-update file for a piece of gear.  It will create woeful delays on equipment maintenance/repairs & be terrible for for my work colleagues who needs the gear they use to be doing their work returned quickly...

[sleemanj]

"Warning: Potential Security Risk" is a Firefox warning.  You'd need to see exactly what it was complaining about in the details under that header, it could be something your network is doing (MITM), or it could be your local computer (bad certificate chain store), it could be the remote server (bad certificate).

Digilent uses a Let's Encrypt certificate.  Let's Encrypt's root expired and was replaced (long in advance) in September this year, if your system isn't correctly updated then it may not be able to trust Let's Encrypt certificates and you could see a message like that - https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/

You could try a different browser if that is permitted on your system, or advise your IT department so they can investigate.

[rob77]

is SSH allowed ? if yes then buy a cheap VPS somewhere, ssh into it and add a dynamic tunel and use it as a socks proxy in a browser , also tick the "proxy DNS" in your browser.

you're welcome

[Ed.Kloonk]

This is ridiculous in my eyes. Suddenly i can't even get to this website thanks to the employer's new Security deployed by the muppets of the IT dept. It's ok to use Facebook or Tick-Tok God forbid but too bad if i want to do a study refresher on (as example) Digilent's site in my lunch hour... So i got to thinking. Has anyone had this BS dumped on them with no solution forth-coming anytime soon and is there a website that offers modifying a web-address URL you provide & they add a FAKED https certificate so it will appear cos-ha and complaint & i can get back to being able to do my work.... (yes i'm well pissed off).

There's a bit of feather ruffling here in the public transport industry. Bus and train drivers, if they go poop and are missing more than 10 minutes they are required to do paperwork and I don't mean TP, there's a form to fill out to explain why they were missing. The suspicion is they are spending time on FB/Twitter and shitposting (no pun intended). They can't confiscate or disconnect personal devices since the staff have to be reachable. I don't know how to solve the allow-sites-during-lunch-hour problem.

Interesting problem.

[fordem]

There is a very simple solution - if your employer restricts were you can go, and what you can do on company provided equipment over a company provided internet connection (which they have every right to do), use your personal device with your personal data plan.

[RayRay]

Most websites nowadays (including this one FYI) supports HTTPS/SSL, just put https:// in front of it. As for your given situation, if it's really a must, you could more than likely bypass it by using a VPN service or a free proxy site, but I have to agree with fordem, for personal uses, it's best you use your own devices and not work ones. Since a smartphone isn't ideal as a workhorse (due to screen size) I'd say you'd be best using a tablet, or a 13-14" laptop, and you could use your phone a wireless hotspot, so you'd have indepepdent internet access.

Edit: Also, make sure your computer's clock (date/time) is set correctly, might be related to the issue you're facing.

[peteb2]

There is a very simple solution - if your employer restricts were you can go, and what you can do on company provided equipment over a company provided internet connection (which they have every right to do), use your personal device with your personal data plan.

I agree however as i explained, i've been using this internet connection for work-related stuff for the last 10+years. Finding a price for a spare part, module etc... finding a data sheet or even a service update. I've often come here to EEVblog forum & posted a question as to where i might buy a (pictured connector) to ID a component. I even download update files for specific equipments other staff use to do their work with that i commonly do a routine maint on that often includes the need to flash an upgrade on...

If there's a few minutes to kill or i'm on my lunch break i can be found often doing something on the interweb. Read a white-paper on something in the industry or do my own self training tutorial with my purchased by me Digilent training module (already ok'd with the boss).

Then after i returned from 100+days  lockdown & doing WorkFromHome my at work premises workbench PC is basically useless. That's where i was quickly informed that IT have put into place the strict https security cert. setup for the DSL we used o use without any trouble!  You can however use dumb stupid stuff as Facebook & TicTok no problem but almost everything i have previously been using is now unavailable... Even my supervisor has said yip Company new rules, they paid the bucks for special audit on security so you can enjoy the safest internet in the world! It's actually just ridiculous but it's Christmas in a just two days so i'll reschedule my dilemma after the 2week break is done. Oh & to get by the last 3 weeks i have been using my own mobile i pay for & hotspot to my hack PC i installed  an old BT/WiFi board into just to get by. Bit slow though...

[peteb2]

"Warning: Potential Security Risk" is a Firefox warning.  You'd need to see exactly what it was complaining about in the details under that header, it could be something your network is doing (MITM), or it could be your local computer (bad certificate chain store), it could be the remote server (bad certificate).

Digilent uses a Let's Encrypt certificate.  Let's Encrypt's root expired and was replaced (long in advance) in September this year, if your system isn't correctly updated then it may not be able to trust Let's Encrypt certificates and you could see a message like that - https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/

You could try a different browser if that is permitted on your system, or advise your IT department so they can investigate.

I think this is exactly what has happened. I've been dealing with the company security guru in IT whose replies to my rants have been very abstract. He obviously doesn't understand how i have always worked & what i actually do. He's more involved with the office staff that i assume email all day & type data into databases or spreadsheets etc & then go home who spend more time on the company's IntraNet doing mediocre social communication crap. Not the engineering i do...

I will ask him about Let's Encrypt & see what he says (or feigns it's nothing & then suddenly it works again)... interesting!

[mfro]

Why don't you ask your browser about what's the issue really? Click on the (probably crossed out?) lock icon in the URL field and it's supposed to show you what it thinks is wrong with the certificate.

This should give you all the arguments you need to provide a qualified complaint to your IT guys instead of just ranting.

[janoc]

I think this is exactly what has happened. I've been dealing with the company security guru in IT whose replies to my rants have been very abstract. He obviously doesn't understand how i have always worked & what i actually do. He's more involved with the office staff that i assume email all day & type data into databases or spreadsheets etc & then go home who spend more time on the company's IntraNet doing mediocre social communication crap. Not the engineering i do...

I will ask him about Let's Encrypt & see what he says (or feigns it's nothing & then suddenly it works again)... interesting!

If that is what happened then you have a much bigger problem at your company than you think - because you are using woefully outdated browsers. This root certificate has been updated in Firefox over a year ago, long before the offending certificate has actually expired in September.

Digilent's certificate is fine but if your browser has outdated/expired root certificates then it won't be able to validate the Digilent's cert and you will get an error.

[mfro]

Something we often see is perimeter firewalls breaking up the https stream to be able to introspect the contents for malware.
Your browser will then be presented a replacement certificate (often self-signed) from the firewall instead. If your organisation doesn't properly implement a CA (and properly distributes its certificate chain to the clients), you'll see this errors. Easily spotted by inspection of the certificate.

[SiliconWizard]

Yeah, Firefox now prevents from downloading anything if the link is not https (but you can still bypass it.) Whatever it is. Like PDF files.
Fun thing is, many sites all over the world still contain many links that are not https. Including Wikipedia. If, instead of a warning that you can bypass, suddenly all access to non-https stuff was blocked, you'd break probably 90% of the web.

[janoc]

Something we often see is perimeter firewalls breaking up the https stream to be able to introspect the contents for malware.
Your browser will then be presented a replacement certificate (often self-signed) from the firewall instead. If your organisation doesn't properly implement a CA (and properly distributes its certificate chain to the clients), you'll see this errors. Easily spotted by inspection of the certificate.

True but then you would get this error on every https site and not http (unecrypted one). I.e. exactly the opposite of what the OP is complaining about ...

E.g. Fortinet's Fortiguard does exactly this but they have a whitelist of sites where this man-in-the-middle attack is not performed - e.g. some banking sites and such. So you don't get always a broken encryption. But again, this is not what the OP is complaining about.

[janoc]

Yeah, Firefox now prevents from downloading anything if the link is not https (but you can still bypass it.) Whatever it is. Like PDF files.
Fun thing is, many sites all over the world still contain many links that are not https. Including Wikipedia. If, instead of a warning that you can bypass, suddenly all access to non-https stuff was blocked, you'd break probably 90% of the web.

That's not quite true unless you turn on a non-default setting "Https only mode".

[SiliconWizard]

Yeah, Firefox now prevents from downloading anything if the link is not https (but you can still bypass it.) Whatever it is. Like PDF files.
Fun thing is, many sites all over the world still contain many links that are not https. Including Wikipedia. If, instead of a warning that you can bypass, suddenly all access to non-https stuff was blocked, you'd break probably 90% of the web.

That's not quite true unless you turn on a non-default setting "Https only mode".

No no. That's not it. And I didn't enable anything like this lately. It just appeared in the latest Firefox version (95) as far as I've noticed, and the actual reason is there:
https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox

So it's not just non-https links, but non-https links on https pages: "mixed content", as they call it. I had to dig a little deeper to get to this.
But mixed content is extremely common.

[PKTKS]

This is ridiculous in my eyes. Suddenly i can't even get to this website thanks to the employer's new Security deployed by the muppets of the IT dept. ...

Answered that on another post few seconds ago..

Pissed ?  Instal a socks gateway system wide..

https://www.inet.no/dante/
http://ftp.de.debian.org/debian/pool/main/t/tsocks/


tell them to fuck off from your life..

Enough having goo and fecybu  monitoring our lives..

fuck them off
Paul

[janoc]

No no. That's not it. And I didn't enable anything like this lately. It just appeared in the latest Firefox version (95) as far as I've noticed, and the actual reason is there:
https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox

So it's not just non-https links, but non-https links on https pages: "mixed content", as they call it. I had to dig a little deeper to get to this.
But mixed content is extremely common.

That would not prevent you from actually visiting a non-https website. That blocking only affects e.g. scripts or images that are loaded into a secure (https) site using non-secure (unecrypted, http) sources (a poor practice). So at best your website would have some broken content (typically ads).

It has also nothing to do with links but content that is loaded automatically - i.e. not stuff that you must click on to load - images, scripts, AJAX requests, CSS styles, etc. You can still visit even a http site linked from a https one without issue.

[janoc]

This is ridiculous in my eyes. Suddenly i can't even get to this website thanks to the employer's new Security deployed by the muppets of the IT dept. ...

Answered that on another post few seconds ago..

Pissed ?  Instal a socks gateway system wide..

At work, on employer's equipment. Yeah right, what a good idea! (assuming you even have the necessary privileges to begin with).

tell them to fuck off from your life..

Enough having goo and fecybu  monitoring our lives..

fuck them off
Paul

I guess you don't need a job, do you?

[PKTKS]

At work, on employer's equipment. Yeah right, what a good idea! (assuming you even have the necessary privileges to begin with).

There are at least a half dozen ways to do that ...
You do not need specifically to "use" the corp. equipo..

As long as you have access to an account and can route traffic..

You just payload (tunnel) your socks gateway over it..

No big deal
Paul