January 26, 2012
From: Eric Wolf
------------------------------------------------------
When I'm at work (USGS, DOI), Chrome regularly complains that the SSL
certificates for various sites cannot be verified. I need to double check
the behavior on this machine when I have it at home - but I know that on my
personal machine at home, Chrome does not complain about this.
The error itself just makes me think the DOI doesn't let browsers get to
CAs it hasn't recognized which is understandable and probably a good
practice. But I'm afraid something more sinister is going on. I am
wondering/concerned that DOI is using a MiM to monitor my web activities
over SSL. Is there an easy way to determine if this is the case?
Of course, my employer does have the right to monitor my web activities but
there is a point where it's a little intrusive and breaking SSL definitely
crosses that line. I already have some measures in place to "route around"
the intrusion (thanks to BitWise Tunnelier) but I need to know how often I
should be using these measures.
-Eric
-=--=---=----=----=---=--=-=--=---=----=---=--=-=-
Eric B. Wolf 720-334-7734
===============================================================
From: Ryan Macy
------------------------------------------------------
If it works anything like DoD certs and if I understand what you're saying correctly, I think Chrome is just complaining because your department isn't a CA authority and has self-signed certs. They should have a resource with their root certs so you can add them as an authority. Chrome will at times completely prevent me from logging into DoD/Army resources because of this certification issue. Once I add them as a root CA everything is good.

Ryan Macy

From: Eric Wolf
Reply-To: CHUGALUG
Date: Thu, 26 Jan 2012 09:50:14 -0700
To: CHUGALUG
Subject: [Chugalug] Detecting HTTPS MiM
===============================================================
From: Dan Lyke
------------------------------------------------------
On Thu, 26 Jan 2012 09:50:14 -0700 Eric Wolf wrote:

Manually compare the SHA fingerprints of the same certificates of both? Preferences->Under The Hood->Manage Certificates. View one, write that down, take it home, manually compare?

Dan
===============================================================
From: Joe Freeman
------------------------------------------------------
If there's a Layer 7 firewall in the path that's doing SSL interception (something like the Palo Alto Networks devices), it can cause this as it attempts to proxy the far end's certificate during the SSL handshake. Doing this allows the device to execute a man-in-the-middle attack on the SSL stream to see what's happening in the encrypted session. The Palo Alto devices can do this with SSH sessions too.

Joe
===============================================================
From: Eric Wolf
------------------------------------------------------
Ryan: It's not just DOI sites. I deal with their CA issues all the time. I'm talking about things like using SSL for GMail.

Dan: That sounds like the best way to check it out. Fortunately, I can actually do the comparison from my office by using my VPN into my home machine. Whatever is going on doesn't appear to affect ssh.

Joe: That's exactly what I suspect is happening. DOI has an insane number of firewalls between me and the rest of the world. Even my server, navigator.er.usgs.gov, is stuck behind a stateful-inspection firewall. That's a real PITA because I'm running one of the first Ruby on Rails apps on that network so I'm having to constantly get the rules rewritten.

-Eric
-=--=---=----=----=---=--=-=--=---=----=---=--=-=-
Eric B. Wolf 720-334-7734
===============================================================
From: William Wade
------------------------------------------------------
I've always wondered why you cannot just visit the website of an SSL cert provider and provide the given cert and have it tell you if it was valid.
===============================================================
From: Dave Brockman
------------------------------------------------------
Sure, inspect the certificate (and fingerprint) you get at home and compare that to what you get in the office. Most of the boxes I have seen that do this present a different certificate (with the cert usually forced into the machine via GPO), so the machine itself will trust the certificate, but be unable to validate.

SSL isn't really what it used to be these days.... I tend to do most of my surfing across SSH or IPSec tunnels whenever I'm not on a network I control... and then of course, run HTTPS anyway, just in case :)

Regards,

dtb
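A scripted version of the check Dan and Dave describe, added here and not code from any of the posters: capture the leaf certificate as it is served on the network you are on, fingerprint it, and compare it with a fingerprint recorded on a network you trust. Standard-library Python only; the function names are my own.

```python
import hashlib
import socket
import ssl


def fetch_leaf_cert_der(host, port=443, timeout=5):
    """Return the DER bytes of the leaf certificate actually served for
    host on this network. Verification is switched off deliberately: a
    certificate minted by an intercepting device would fail validation,
    and the point is to capture whatever was presented, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der_bytes, algorithm="sha256"):
    """Hash the DER encoding and format it as colon-separated uppercase
    hex pairs, the form certificate viewers such as Chrome's display.
    Pass algorithm="sha1" to match an older viewer's SHA-1 fingerprint."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(fp_a, fp_b):
    """True if two fingerprints (typed or pasted in any case, with or
    without colons or spaces) refer to the same certificate."""
    clean = lambda fp: "".join(c for c in fp.upper() if c in "0123456789ABCDEF")
    return clean(fp_a) == clean(fp_b)


if __name__ == "__main__":
    # Usage: python check_cert.py mail.google.com <fingerprint recorded at home>
    import sys
    host, recorded_at_home = sys.argv[1], sys.argv[2]
    seen_here = fingerprint(fetch_leaf_cert_der(host))
    print(host, seen_here)
    if same_certificate(recorded_at_home, seen_here):
        print("same certificate on both networks")
    else:
        print("DIFFERENT certificate on this network: inspect its issuer")
```

A mismatch is a lead rather than proof, since large sites can serve different certificates from different front ends; the confirming sign of interception is that the certificate shown at work is issued by an internal enterprise CA instead of the site's public CA.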