
Connection to opi from company network not possible

Posted: Mon Oct 06, 2014 8:45 am
by hans345
Hi,

I tried to connect from my work's network to the opi, but this is not possible. I get the following error message:



The system returned:

(71) Protocol error (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)

Self-signed SSL Certificate in chain: /C=SE/ST=Skane/L=Loddekopinge/O=OpenProducts/O=./OU=./CN=ROOT CA


What can I do to solve this?


Posted: Mon Oct 06, 2014 8:33 pm
by tor
Hi Hans345,

Could you provide more information on the environment where this happens? OS, Browser. Any proxies involved? (My guess is the last one, that you have a proxy that is unaware of our ROOT CA. :( )

Best Regards,

/Tor
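
The guess in the post above, a proxy that does not know the OPI's private ROOT CA, can be reproduced offline with the OpenSSL command line. This is an added example, not part of the thread and not OpenProducts' code; the CA subject, host name and file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: all subjects, host names and files below are made up.

# Build a throwaway private root CA and a server certificate signed by it.
make_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Example/CN=Constructed ROOT CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=opi.example.invalid" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
}

# A verifier that is handed the full chain but only trusts its default
# CA bundle, like a proxy that has never heard of the private root.
# Expected failure: error 19 = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.
verify_without_root() {
    openssl verify -untrusted "$1/root.pem" "$1/leaf.pem" 2>&1
}

# The same verifier once the private root is an explicit trust anchor.
verify_with_root() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Print both outcomes side by side.
demo() {
    d=$(mktemp -d) || return 1
    make_chain "$d" || return 1
    echo "--- private root unknown to the verifier:"
    verify_without_root "$d"
    echo "--- private root added as trust anchor:"
    verify_with_root "$d"
    rm -rf "$d"
}

# Run the demo only when the script is invoked as: sh script.sh demo
[ "${1:-}" = "demo" ] && demo
```
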

Posted: Tue Oct 07, 2014 7:41 am
by hans345
Hi Tor,

the environment:
Win 7, Firefox 24.7.0 ESR and a proxy is involved. Any more information needed?

Best Regards
hans345

Posted: Tue Oct 07, 2014 2:17 pm
by tor
Hi again hans345,

It seems like the problem here is the proxy server being deployed at your work. Google suggests that they run squid possibly with SslBump: http://wiki.squid-cache.org/Features/SslBump

This is unfortunately nothing we can do anything about. You should also be aware that it is most likely that all traffic passing through this proxy is being decrypted and inspected for good or bad by your employer.

Sorry for not having a better answer here :(

/Tor

Posted: Wed Oct 08, 2014 7:16 am
by hans345
Hi Tor,

thanks for the reply.

Well, I sent a mail to "our" firewall admin to see if he can do or is willing to do something about this.

Best regards
hans345

Posted: Mon Oct 13, 2014 9:39 pm
by tehcog
Your employer is probably running Bluecoat Security, which (as Tor indicates) most likely decrypts all of your https traffic. This is their prerogative, as it is their network. However, I suggest that you do not do any banking or other transactions that require the passing of personally sensitive data for the following reasons:

As they are performing the man in the middle attack (hack), they may be storing your personal information (bank account numbers, log in identification data, etc.) on their servers, which in turn can be hacked by outsiders, abused by insiders, or even used for metadata collection on employees and held for the rare occasion when they might want to "investigate" you i.e. you want a promotion or something.

They may be outsourcing this service, which is more likely. Which implies that they actually have no control over your sensitive data, and the 3rd party could be hacked or the data intercepted while being transmitted over the interwebs. You have no idea, or control.

Yes, this is all a possibility.

Use your PERSONAL BlackPhone or possibly iPhone (not the company's) instead.

Trust no one.

Regards