topic Re: Putting PA SSL decrypt certificate in other people in chrome in General Topics

Putting PA SSL decrypt certificate in other people in chrome

MP18 — Sat, 26 Jan 2019 18:45:59 GMT

i found that my PA cert for ssl decryption is under other people in chrome not in trusted root on one of computers.

still i am able to access websites where ssl decryption is enabled

any thoughts?

Re: Putting PA SSL decrypt certificate in other people in chrome

Remo — Sat, 26 Jan 2019 20:45:04 GMT

Are you able to access any website? Does a cert warning show up or does it work as expected? Or are just the websites working where you already ignored the cert warning?

Re: Putting PA SSL decrypt certificate in other people in chrome

MP18 — Sun, 27 Jan 2019 00:18:14 GMT

i tested some websites i can not access at all tried few times they all have below message

i get error message

privacy error

your connection is not private

cert had warning it shows for example

issue to linkedin.com

issued by 10.1.20.1 -----------PA cert

Your connection is not private

Attackers might be trying to steal your information from www.linkedin.com (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID

Help improve Safe Browsing by sending some system information and page content to Google. Privacy policy

ReloadHide advanced

***********************************

then website which opens up it also has cert warning not secure

issued to bmo,com

issued by 10.1.20.1

but webpage opens up with scrambled characters.

why some web sites does not open at all and some open up with not proper displays?

Re: Putting PA SSL decrypt certificate in other people in chrome

Remo — Sun, 27 Jan 2019 11:36:36 GMT

There are now more than one problems that lead to your situation:

If the root CA cert is not in the trusted root store, then it is normal, that you are able to connect to some websites when you ignore the cert warning
Websites that partly work is probably because you ignore the cert warning for the main page, but because javascript, css, images, ... are pulled from other domains you can't see the cert warning and so cannot ignore it and the connection fails
If you were connected once successfully (without decryption) to websites that have HSTS (https strict transport security) configured, then your browser will store this header locally. When you connect again to such a website and the HSTS entry did not time out, then as described in HSTS RFC the browser is not allowed to give you a possibility to ignore the warning --> rhe connection fails completely

Re: Putting PA SSL decrypt certificate in other people in chrome

MP18 — Sun, 27 Jan 2019 18:00:14 GMT

Thanks for reply back

For

2>Websites that partly work is probably because you ignore the cert warning for the main page, but because javascript, css, images, ... are pulled from other domains you can't see the cert warning and so cannot ignore it and the connection fails.

For above I tested for e.g website bmo.ca i get warning

This server could not prove that it is www1.bmo.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to ww w1.bmo.com (unsafe)

for this website i ignore the warning for main page and proceed so this works fine.

This part i got it.

When you say but because javascript, css, images, ... are pulled from other domains you can't see the cert warning and so cannot ignore it and the connection fails

does this refer to websites where i do not get cert warning and there is no option for me to click on proceed ??

3>for

when you connect again to such a website and the HSTS entry did not time out, then as described in HSTS RFC the browser is not allowed to give you a possibility to ignore the warning --> rhe connection fails completely

Do you refer here connecting again when ssl decryption is enabled?

Re: Putting PA SSL decrypt certificate in other people in chrome

Remo — Sun, 27 Jan 2019 19:29:19 GMT

@MP18 wrote:
does this refer to websites where i do not get cert warning and there is no option for me to click on proceed ??

This one applies to website that show everything a little scrambled which is because the main page can load but css and javascripts, that are required for the website to show properly, cannot load as you don't see a cert warning for these other domains.

@MP18 wrote:
Do you refer here connecting again when ssl decryption is enabled?

Exactly