Web site security certificate issues vs. browsers

Matthew Flaschen matthew.flaschen at gatech.edu
Sat Jan 19 03:22:23 UTC 2013


On 01/18/2013 05:20 PM, MR ZenWiz wrote:
> I just had an interesting two days at work unable to view my gmail due
> to certificate problems.  I bring this up here because the same
> problems do not occur on my Windows laptop.
> 
> On my desktop, which is Xubuntu 12.04, I routinely ran into "untrusted
> certificate" issues whenever I was trying to access any of the secure
> Google sites, including gmail.  In Chrome, this is fatal because for
> whatever reason, Chrome does not allow the user to override such
> concerns (/they/ know better than the users...).  Firefox (and
> SeaMonkey) however both allow this to be overridden.

This is likely because your office is conducting a man-in-the-middle
attack on your traffic.  This works as follows:

1. They intercept all your SSL traffic to monitor and possibly log it.
2. Since they don't have e.g. Gmail's real SSL private key, they re-sign
it with their own private key.
3. Since Chrome knows it's an untrusted key, they warn you.

Some offices at least acknowledge they're doing this and provide the SSL
key used for interception.  Most likely, this key is pre-installed on
your (work-issued?) Windows laptop.

Matt Flaschen
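
The trust decision described in the three steps above can be reproduced offline with openssl. This is an added example, not part of the original message; every CA name, host name and file in it is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: all keys and certificates are generated locally.
set -eu
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# make_chain DIR: build a stand-in public CA, a hypothetical office proxy CA,
# and a leaf for mail.example.test signed by the proxy CA (step 2).
make_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Public CA" \
        -keyout "$d/public-ca.key" -out "$d/public-ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Office Proxy CA" \
        -keyout "$d/office-ca.key" -out "$d/office-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -days 1 \
        -CA "$d/office-ca.pem" -CAkey "$d/office-ca.key" -CAcreateserial \
        -out "$d/leaf.pem" 2>/dev/null
}

# trusted_by STORE LEAF: verify LEAF against the CA certificates in STORE.
trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of LEAF: print who signed the certificate the client was shown.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

make_chain "$demo_dir"
issuer_of "$demo_dir/leaf.pem"

# A client that trusts only the public CA rejects the re-signed leaf (step 3).
if trusted_by "$demo_dir/public-ca.pem" "$demo_dir/leaf.pem"; then
    echo "trusted with the stock store"
else
    echo "untrusted with the stock store: this is the browser warning"
fi

# A client with the office CA installed accepts the same leaf without warning.
if trusted_by "$demo_dir/office-ca.pem" "$demo_dir/leaf.pem"; then
    echo "trusted once the office CA is in the store"
fi
```

The issuer line is the quickest tell: a certificate for a public site whose issuer is an internal CA was re-signed somewhere between the client and the site.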