Frequent Untrusted Certificate Popups in Last Week



In the last week, or perhaps slightly longer, I've been getting a semi-frequent popup from Eset Internet Security regarding an Untrusted Certificate. It's not happening on all secure sites, but on a few. All the alerts I have been getting so far have come from the same Root CA, so I assume it must be something to do with that single Root CA.

I also would like to note that I found a recent posting about a similar problem with untrusted certificates and I tried the suggested fix of disabling Eset's SSL scanning, rebooting, and then re-enabling and rebooting again. This did not resolve my issue as I believe the two problems, while sounding similar, are completely different.

I've attached pictures to show what I'm getting:

  • Image #1 is the popup I'm getting stating that Firefox is trying to communicate over an encrypted channel with an untrusted certificate.
  • Image #2 is the certificate Information (Why is the validity date range so short?)
  • Image #3 shows the certificate path as well as its status
  • Image #4 shows the actual certificate details

It would appear that the reason I'm getting this popup is because the certificate is not installed in the Certificate Store. Is this safe to do, and if it's an OK certificate, why is it not already installed? I guess I need a little guidance to what exactly is going on here, and why out of the blue this has started happening.

1-Certificate popup.JPG

2-Verified.JPG

3-Path.JPG

4-Certificate.JPG

Edited by FeMaster

That Cisco root CA certificate is not installed in my Win 10 x(64) 1803 Windows root certificate store.

Both IE11 and Edge use the Windows root certificate store for validation. Chrome and, I believe, Firefox use their own root certificate stores for validation. I really don't know why the URL noted in your screenshot would be validating to Cisco Umbrella certificates. If this is some necessary communication you need, the only way to allow it would be to import the Cisco Umbrella root certificate into Firefox's root CA certificate store.

What I do know is that for the URL, tse1.explicit.bing.net, the correct certificate chaining path is:

*.explicit.bing.net -> Microsoft IT TLS CA 5 -> Baltimore CyberTrust Root

Per the Qualys SSL Server Test: https://www.ssllabs.com/ssltest/analyze.html?d=tse1.explicit.bing.net

So it appears your browser is being hijacked. Or there is possible man-in-the-middle activity either originating from your PC, internal network, or in the external network routing.

Edited by itman

OK, this sounds wonderful. I've tried the same address through all 4 browsers (Firefox, Edge, Internet Explorer, and Chrome) and all of them lead to a warning page that there is a problem with the page's certificate.

So, I guess I need to ask now, where do I go from here? This is my first time ever getting any type of infection or whatever this would be considered. I know a fair bit about computers and networks, but not so much about certificates and the like. I checked to see if there was any type of proxy settings set on my PC, but all appears clear there. Any advice going forward?


Is there any suspicious device in your network that doesn't belong there? Your WiFi is secure, right?

You can check installed certificates in Firefox, Options > Privacy & Security > Certificates > View Certificates, and see if you can find the SSL certificate over there.

Edited by Rami

11 hours ago, FeMaster said:

So, I guess I need to ask now, where do I go from here?

Is this a PC used at work?

Cisco Umbrella is an SSL protocol scanner similar to that included in Eset. It most likely would be installed on a Cisco perimeter network appliance.

Quote

Without the root certificate, when your users go to that service, they will receive errors in the browser and the site will not be accessible.  The browser, correctly, will believe the traffic is being intercepted (and proxied!) by a 'man in the middle', which is our service in this case.  The traffic won't be decrypted and inspected; instead, the entire website won't be available.

Ref.: https://support.umbrella.com/hc/en-us/articles/115004564126-SSL-Decryption-in-the-Intelligent-Proxy

-EDIT- The bottom line is whatever network you are connecting to when these Eset alerts are appearing is attempting to scan all your Internet traffic. If this is occurring at your workplace, this would be the norm. You will just have to live with the alerts. You do not want to add the Cisco Umbrella root certificate to your Firefox root CA store.

Edited by itman
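As an added example (not code from this thread, from Eset, or from Cisco), here is a small Python checker for the two signals raised in itman's replies above: a leaf certificate whose issuer is not the "Microsoft IT TLS CA 5" intermediate that the SSL Labs lookup reports for tse1.explicit.bing.net, and, as the original poster noticed, an unusually short validity period, which is typical of leaves minted on the fly by an inspection proxy. The sample leaves and the Umbrella issuer name are constructed placeholders; the live `fetch_leaf` helper is for a practitioner's own use and is not exercised offline.

```python
import socket
import ssl

EXPECTED_ISSUER_CN = "Microsoft IT TLS CA 5"  # from the SSL Labs chain quoted above

def common_name(name):
    """Return the CN from a getpeercert()-style tuple of RDNs."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def lifetime_days(cert):
    """Validity in days; inspection proxies mint short-lived leaves (cf. the OP's question)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400

def assess(cert, expected_issuer_cn=EXPECTED_ISSUER_CN):
    """Return findings; an empty list means the leaf matches the expected genuine issuer."""
    findings = []
    issuer = common_name(cert["issuer"]) or ""
    if issuer != expected_issuer_cn:
        findings.append(f"unexpected issuer: {issuer!r}")
    if "umbrella" in issuer.lower():
        findings.append("issuer names an SSL-inspection product (Cisco Umbrella)")
    if lifetime_days(cert) < 30:
        findings.append(f"very short validity: {lifetime_days(cert):.0f} days")
    return findings

def fetch_leaf(host, port=443):
    """Live check: leaf dict on a trusted chain, else the verifier's error text (the popup's cause)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

GENUINE_LEAF = {  # constructed sample, in the shape ssl.getpeercert() returns
    "subject": ((("commonName", "*.explicit.bing.net"),),),
    "issuer": ((("commonName", "Microsoft IT TLS CA 5"),),),
    "notBefore": "Jan  1 00:00:00 2018 GMT", "notAfter": "Jan  1 00:00:00 2019 GMT",
}
INTERCEPTED_LEAF = {  # what an inspection proxy would hand the browser (constructed)
    "subject": ((("commonName", "tse1.explicit.bing.net"),),),
    "issuer": ((("commonName", "Cisco Umbrella Sample Inspection CA (constructed)"),),),
    "notBefore": "Jun 10 00:00:00 2018 GMT", "notAfter": "Jun 13 00:00:00 2018 GMT",
}
```

Running `assess(fetch_leaf("tse1.explicit.bing.net"))` only makes sense when the chain is trusted; an untrusted interception chain surfaces as the returned error text instead, which is the same condition Eset is alerting on. If someone had imported the Umbrella root (which itman advises against), the browser warning would disappear but `assess` would still flag the issuer.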

15 hours ago, Rami said:

Is there any suspicious device in your network that doesn't belong there? Your WiFi is secure, right?

Nothing suspicious or out of the ordinary, WiFi is VERY secure. Neither Eset nor my router indicate any devices on the network that should not be there.

8 hours ago, itman said:

Is this a PC used at work?

Cisco Umbrella is an SSL protocol scanner similar to that included in Eset. It most likely would be installed on a Cisco perimeter network appliance.

Ref.: https://support.umbrella.com/hc/en-us/articles/115004564126-SSL-Decryption-in-the-Intelligent-Proxy

-EDIT- The bottom line is whatever network you are connecting to when these Eset alerts are appearing is attempting to scan all your Internet traffic. If this is occurring at your workplace, this would be the norm. You will just have to live with the alerts. You do not want to add the Cisco Umbrella root certificate to your Firefox root CA store.

Not a work PC, it is a home PC. I'm trying to piece this all together here, and I may have come across a possibility of what is going on, but it's going to take a bit of finagling on my end to determine for sure.

Back story is, I recently (within the last couple of months) replaced an aging Asus router with a Synology RT2600ac. This has worked perfectly since it was installed, no issues at all. Synology recently pushed a firmware update that MAY coincide with the issues I am having, but I can't recall the timing of it all to be sure at this point. In the latest update, they removed the typical parental controls that I was used to, which were very similar to those on my old Asus router. They now have a package in the router called Safe Access which is like parental control on steroids. I'd say it's a bit closer to a business-class type of malware detection / web filtering / access control.

One other issue I am having that I just stumbled on, which leads me to believe that the culprit here may just be the router, is that with Safe Access enabled in the router, there is an issue with DNS servers, which has led to a fair bit of complaining over on their support community. I'll give you my scenario, and perhaps you can give me your opinion on it.

My setup has been, for a long time now, that in my router I have OpenDNS specified as the DNS provider the router should use (which, coincidentally or not, is now a part of Cisco; it might just be an OpenDNS problem, hmmm). This helps me to filter out the majority of sites that I don't want my children going to. In my own PC I have the DNS specified as Google servers (8.8.8.8 and 8.8.4.4), which would of course bypass the OpenDNS filtering just for my PC. Ever since the changes made by the Synology router update and the addition of this Safe Access instead of standard parental controls, the DNS I have programmed into my PC is being ignored and all DNS queries are going out through the OpenDNS that is set in the router. Apparently this is a known issue at this point, and is supposed to be corrected down the road. Disabling Safe Access makes the DNS function as one would expect. I'm not sure how Safe Access can fully override the PC's DNS settings, but it does.

Just had an epiphany typing this up. The issue with Safe Access forcing all my DNS queries to go through OpenDNS (a Cisco company now) could be why I just recently started seeing this issue about these Cisco Umbrella certificates. Before this DNS issue, my PC was making all its look-ups through Google, like I have it set to do, but Safe Access is somehow overriding this, forcing the PC to go through OpenDNS now.

If I can get some time this evening, I'm going to try some of these trouble-prone sites with Safe Access disabled, and possibly with the PC plugged directly into the modem, completely eliminating the possibility of any interference from the router or anything else for that matter.

Thanks for all your insight so far!

Edited by FeMaster
An epiphany

OK, while I was typing up that last reply, something interesting popped up on me that I have never seen before this point. Eset was complaining about its own certificate being untrusted. Any ideas on this one?

1-Certificate popup.JPG

2-Verified.JPG

3-Path.JPG

4-Details.JPG


1 hour ago, FeMaster said:

Eset was complaining about its own certificate being untrusted. Any ideas on this one?

Eset is stating that, for the certificate of what appears to be your router manufacturer, the revocation status couldn't be verified due to the inability to connect to the certificate revocation status server.

Normally, this status checking is done by Eset servers since Eset is performing SSL protocol scanning. Eset would also perform the certificate chaining status check. I have really never seen an alert like this where the cert. chain couldn't be verified. My best guess is the Eset alert is originating from what it found from this Safe Access software you are using on the router.

Personally, I would be extremely leery of using any router-based software performing man-in-the-middle SSL protocol scanning activities. Eset does have a Parental Control feature that can be used.

Edited by itman

Thanks again itman.

I've played around with different configurations and believe that the trouble stems from the combination of using the Safe Access package on the router and having OpenDNS set as the DNS server in the router.

I found a site on which I could consistently get the certificate notification to pop up, then went through every combination of settings I could come up with, clearing the browser cache and closing and opening the browser between every test. When disabling the Safe Access package: no certificate warning. Using OpenDNS: no warning. Using Safe Access with my ISP's DNS: no warning. Safe Access with Google DNS: no warning. Set everything back the way it was and the warnings were back.

Safe Access and OpenDNS by themselves work fine, but in combination, something in one must be clashing with the other and causing all the headaches I've been having.

In conclusion, not an Eset problem... Case closed!
