browse
Overview:
Your Connection is Untrusted/Not Private - *.opendns.com or *.cisco.com Certificate Error that cannot be bypassed
GOOD NEWS! A solution for this problem that is easier to manage and persistent for all sites is now available!
As a result, the information below is still applicable but can now be worked around with a permanent solution. We encourage you to try installing the Cisco Root CA with this article:
https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/
This article is a guide for when a certificate error for *.opendns.com or *.cisco.com appears, but is not able to be bypassed by adding a certificate exception as outlined in this article:https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/. In this case, follow the steps below to allow the certificate error to be cleared.
When you're unable to bypass the certificate error by adding an exception, this is because of the implementation of HTTP Strict Transport Security (HSTS) or pre-loaded Certificate Pinning in modern browsers. In essence, communication between certain browsers and certain websites is done in a way that 'bakes in' the requirement to use HTTPS and no bypass or exception is possible. This extra security for HTTPS pages prevents the Umbrella block page and bypass block page mechanism from working when HSTS is active for a website. For more information about HSTS, please refer to this article.
As a result, the page in question cannot be accessed through Block Page Bypass (in fact, the Bypass screen may not even appear!) The methods below may allow access to the BPB login, but upon login the certificate error will reappear for and deny access. So, if you're seeing a certificate error in Google Chrome or Mozilla Firefox or Safari that cannot be bypassed and you are trying to access the bypass login, this article is for you!
IMPORTANT:
If the domain is on the HSTS pinned list, an exception cannot be added as the list is effectively non-bypassable if you're running Chrome, Safari or Firefox (IE is not affected). Block Page Bypass will not work for sites like this. For a complete list of services using HSTS by these three browsers please read here. Notable services in this list include:
- Google (and Google resources, such as Gmail, Youtube or Google Docs)
- Dropbox
If this is causing a problem for you or your users and you'd like to see changes to Block Page Bypass to help alleviate this issue, let us know! You can file a feature request to see this improved in the Feature Request forum, here: https://support.umbrella.com/hc/en-us/articles/230563467-Chrome-for-Windows-only-HSTS-Certificate-Exception-Instructions. Our product management and engineering teams are aware of difficulties with certificates and block page bypass, and are testing alternative redesigns of this feature and would love to hear from you.
Possible Solutions
There are a few ways to resolve these sorts of issues. First, we'll discuss how to use more granular policies to workaround this issue. Second, there are a couple of browser tweaks that can be made but these are isolated to a subset of the browsers affected by this issue.
Policy Management and the Roaming Client
Proper policy management is the best solution to this problem because the browser will not receive a failed validation response in the first place. If some of your users should be permitted to access sites that they would normally need to use Block Page Bypass to access, you should instead configure a separate policy for these users and add the domains that they should be allowed to use to the Allow List. Since the users' requests are never blocked, the browser will never receive a request from a domain with a mismatched certificate. One way to deliver these sorts of specific policies with the Umbrella Roaming Client.
In essence, you are putting certain domains in an allow list for certain users at all times of the day in order to work around these errors.
Note: The Umbrella roaming client is an effective way to distribute particular policies to multiple users, but if you have enabled Active Directory integration, you can apply these permitted policies to particular AD users as well.
There can be issues with your network configure or acceptable usage (HR) policy that prevent this solution. Policy Management is not an effective solution if users are allowed to visit these domains only at given times, such as their lunch break. Umbrella is unable to provide a time-based policy application with our service, so simply allowing a user to access at site all the time could be problematic. On a shared computer, such as a public terminal, the Umbrella roaming client can't differentiate between different users and cannot easily allow the right domains for the right people.
Policy Management is not as effective when considering non-granular identities, such as Sites or Networks, unless the administrator is comfortable giving all users of that network the same access. Policy Management works best when applied to a subset of users that should be allowed to access sites while the rest of the network cannot, and singling out those users by installing the Roaming Client on their machines and applying the proper policy hierarchy.
Ignoring Certificate Exception errors (Chrome for Windows only)
Only Chrome for Windows can be configured to ignore Certificate Exception errors, which will mitigate this error. The browser is told to ignore the error and the normal Umbrella block page will be seen instead.
Important Note: This method is riskier than adjusting your policy management because you are telling your browser to ignore certificate errors. It's possible that as a result, the browser may be subject to man-in-the-middle (MiTM) attacks. As a result, we cannot recommend this as a secure approach to dealing with this error but it is a workaround.
These configuration change must be made on a per-computer basis, which makes it difficult for large scale environments, but it does work. Please read how to configure Chrome (Windows Only) here.
Firefox, Safari and Chrome for Mac OS X
Firefox, Safari and Chrome for Mac OS X cannot be configured to ignore certificate exceptions errors for pinned domains, and will always honor the HSTS list. There are no known workaround for this these errors, although if you are aware of a workaround you are welcome to use it (and please let us know if it works for you!)
Internet Explorer
Internet Explorer does not implement HSTS restrictions. As a result, IE does not need to be configured and will not display this error. This is subject to change in future versions of IE should Microsoft choose to implement HSTS in the browser.