On Sun, 11 Apr 2021 12:51:13 -0300 Eduardo M KALINOWSKI <edua...@kalinowski.com.br> wrote:
> On 11/04/2021 11:25, Celejar wrote:
> > I feel silly for not being able to figure this out.
> >
> > I can't connect to torproject.org via either Firefox or Chromium. The
> > browsers object that HSTS is in place and they don't recognize the
> > site's certificate (SEC_ERROR_UNKNOWN_ISSUER). There's no opportunity
> > offered to add an exception.
> >
> > I've seen these threads:
> >
> > https://support.mozilla.org/en-US/questions/1201504
> > https://superuser.com/questions/1066863/how-can-i-add-a-certificate-exception-for-an-hsts-protected-site-in-firefox
> > https://support.mozilla.org/en-US/questions/942924
> >
> > But I don't see any good suggestions for fixing this in my case. I have
> > a pretty standard Debian installation, with standard certificates
> > installed, and no customization to my local certificate infrastructure.
> > I'm connecting via Verizon FioS, with no proxy in use (on my end, at
> > least).
>
> There seem to be two issues:
>
> - The certificate issuer is invalid
> - Since the site uses HSTS[0], the browser does not allow the user to
> override the certificate problem.
>
> [0] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
>
> HSTS doesn't really seem to be the problem. It just tells the browser that
> https is to be used at all times. If there's a certificate error, that
> means that TLS is being used.
>
> The real question is then why is the issuer considered invalid. I can
> access the site normally and it uses a Let's Encrypt certificate, which
> should be trusted, and should be used by many other sites.
>
> What happens when you try to access https://letsencrypt.org/, which is
> signed by the same CA?

It connects fine. And you've just given the clue to figure this out: on my
system, the certificate is issued by Cisco Umbrella, not Let's Encrypt! The
problem seems to be that I have OpenDns Family Shield configured at the
router level, and it blocks Proxy/Anonymizer sites by default.

(OpenDns was purchased by Cisco and rebranded as Cisco Umbrella:
https://umbrella.cisco.com/opendns-cisco-umbrella.) I'm pretty sure that it
used to just return an OpenDns page instead of the requested one, but now I
guess it's doing something sneaky by returning its own version of the
requested page, signed with its own certificate :|

(I confirmed that I have the same problem accessing openvpn.net)

Thanks!

Celejar
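The diagnosis above (a DNS content filter answering for the blocked name with a certificate signed by the filter vendor's own CA, which the system trust store rejects) can be reproduced from the command line instead of the browser's error page. The following is an added example, not code from the thread or from any of the projects it mentions: it checks the issuer of the certificate a site actually presents against the issuer you expect, and when the chain fails to validate it records the fingerprint of the leaf that was served so it can be inspected. The sample certificate dicts, the "EXAMPLE-FILTER-CA" common name and the `probe` helper are constructed for this example; the issuer organization names are the ones the thread reports.

```python
"""Check who actually issued a site's TLS certificate.

Added example, not from the mailing-list thread. When a DNS filter redirects
a blocked name to its own HTTPS endpoint, the certificate is signed by the
vendor's CA and a standard trust store rejects it (Firefox reports
SEC_ERROR_UNKNOWN_ISSUER). Comparing the issuer you see against the issuer
you expect separates that case from a genuine certificate problem.
"""
import hashlib
import socket
import ssl

# Constructed samples shaped like ssl.SSLSocket.getpeercert(): 'issuer' is a
# tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "letsencrypt.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
}
SAMPLE_FILTERED = {
    "subject": ((("commonName", "www.torproject.org"),),),
    # Organization name as reported in the thread; the CN is a placeholder.
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Cisco Umbrella"),),
               (("commonName", "EXAMPLE-FILTER-CA"),)),
}


def name_to_dict(name):
    """Flatten a getpeercert()-style name tuple into {attribute: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def issuer_org(cert):
    """Organization that signed the certificate, '' if not present."""
    return name_to_dict(cert["issuer"]).get("organizationName", "")


def classify(cert, expected_orgs=("Let's Encrypt",)):
    """Return 'expected' or 'unexpected:<org>' for the certificate's issuer."""
    org = issuer_org(cert)
    return "expected" if org in expected_orgs else f"unexpected:{org}"


def probe(host, port=443, timeout=5):
    """Handshake with the system trust store, as a browser would.

    Returns ('verified', issuer dict) when the chain validates, otherwise
    ('unverified', reason, sha256 of the DER leaf that was actually served).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("verified", name_to_dict(tls.getpeercert()["issuer"]))
    except ssl.SSLCertVerificationError as err:
        reason = err.verify_message
    # Validation failed. Reconnect without validation only to retrieve the
    # leaf for inspection; getpeercert() returns {} under CERT_NONE, so take
    # the DER form and fingerprint it rather than trusting anything in it.
    noverify = ssl.create_default_context()
    noverify.check_hostname = False
    noverify.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with noverify.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ("unverified", reason, hashlib.sha256(der).hexdigest())


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["letsencrypt.org"]:
        print(host, probe(host))
```

Running `probe` against a name the filter passes through should return `verified` with a Let's Encrypt issuer, while a filtered name returns `unverified` with a reason such as "unable to get local issuer certificate" plus the fingerprint of the substitute leaf; the same fingerprint will show up for every blocked site, which is the tell that one upstream device is answering for all of them. The DER bytes can be written to a file and read with `openssl x509 -inform DER -in cert.der -noout -issuer` to see the vendor CA name directly.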