0

I'm trying to configure my mother's personal computers (Win10) for remote work with a server in FL.

When I connect from her work laptop - using the provided Cisco AnyConnect VPN 2.5 on Win7 - I can still access non-work-related secure sites (such as mail.yahoo.com). However, I get

"Your connection is not private"
Attackers might be trying to steal your info from [site] NET::ERR_CERT_AUTHORITY_INVALID
Subject: google.com
Issuer: [Company name] SubCA [name]
Expires: [in the future]
PEM encoded chain: 4 chunks of ---BEGIN/END CERTIFICATE---

when doing the same from her personal computers (tried on Chrome/Edge, Norton/Avast combos).

What is the reason for this difference and how can I fix it?

A.S.
  • Why is your company using such old AnyConnect software? It is like 7-10 yrs old. There are bugs in that software that have been fixed. Your company should be running AnyConnect 4.x. –  Jan 12 '16 at 18:35

2 Answers

1

There is probably SSL interception done by your company, i.e. man in the middle of SSL connections to analyze for malware and data leakage. Please contact the work's system administrator for details on how to configure your system to include the necessary certificates. Apart from that, make sure that you are even allowed to connect private PCs to the work network.

See also Does a TLS interception proxy present the user's browser with the end server's certificate? and Is it possible for corporation to intercept and decrypt SSL/TLS traffic?

Steffen Ullrich
  • It could also be software installed by her employer that causes this issue. You could dig into the CA and see if you can identify whether that's associated with a known security software vendor, and then figure out whether it's your stack or hers that is the source of the issue. Another possibility is that her personal computers have differences in root CAs or other trust chain elements that are obscuring this issue. – Jesse K Jan 12 '16 at 16:16
  • Thanks - I'll have her contact the admin. They also allow VIP Access verification for general access but usage of their phone system requires VPN connection (at least on her work laptop). I added full details of the error message - that might clarify the issue/solution. @Jesse Could you guide me on digging into the CA - or should I stay away given my general lack of sophistication in this area? I get the same error on two different home machines. – A.S. Jan 12 '16 at 16:23
  • You've redacted the issuer above. We'll need to know the issuer in order to dig deeper. Generally speaking, an issuer is not considered sensitive information - how can you trust a cert if you don't know who said the cert is trustworthy? It would also be helpful to see the certificate hierarchy. You could do this at a command line using openssl s_client or more likely a screenshot of the certificate "details" tab in firefox or the "certification path" tab in IE. It would also be helpful if you could check this across browsers, as in some cases, browsers package different CA trusts. – Jesse K Jan 12 '16 at 16:42
  • @Jesse Company name = Company my mother works for = CN. Certification path (from Chrome): "CN Root CA -> CN Issuing CA1 -> CN SubCA [name] -> google.com" and certificate status for the first one is "not trusted as it's not in the Trusted Root CA store". – A.S. Jan 12 '16 at 16:52
  • I just read http://security.stackexchange.com/a/31036/96694 as I didn't know any details of VPN before. Why would the company direct *all* of the traffic through its server - not just work-related traffic? – A.S. Jan 12 '16 at 19:47
  • It's not terribly uncommon to see all traffic routed through a VPN connection. The feature to not route all traffic through the VPN connection is known as split tunneling, and some VPN providers will choose not to support this feature to ensure that all traffic passes through certain network security choke points, to prevent data exfiltration and the like. – Jesse K Jan 12 '16 at 19:59
  • Those are the literal text values? "Issuing CA1" and so forth? They must be using some sort of traffic inspection device/software which has replaced some/all of the root CAs in some default trust store. Trying across browsers and getting screenshots of the cert path would still be helpful. – Jesse K Jan 12 '16 at 20:02
  • @Jesse [use @ handle for me to get a note]. I put all literal values except for [name] which has reference to server physical location. Will test on other browsers in the evening, as I don't want to log into the server from two different places. The rejected "CN Root CA" is issued to and issued by "CN Root CA" – A.S. Jan 12 '16 at 20:12
  • Yeah, that's not a valid CA or intermediate CA. I'm not able to find any info about any reputable security software vendors that use that convention either. Looks like it might be a sloppy self-signed implementation. – Jesse K Jan 12 '16 at 20:35
  • It's actually common to use a self-signed CA as the proxy CA for SSL inspection and "company name Root CA" is not that bad. No reputable firewall vendor would include a pre-generated certificate for SSL interception because sharing the same proxy CA over multiple customers is actually a severe security issue. – Steffen Ullrich Jan 12 '16 at 22:11
  • @Steffen Just to clarify - on the work computer (where there are no issues to access secure sites) is all the traffic monitored by the employer? Does the employer know which sites/programs are accessed and can he decrypt passwords/sensitive information? – A.S. Jan 13 '16 at 00:10
  • @Steffen Also, do I affect non-VPN sessions with work server if I simply export a missing CA certificate from work machine to home machine? – A.S. Jan 13 '16 at 04:25
  • @A.S.: if the employer knows - ask your mother and maybe she should look at what she agreed to with the job. But monitoring the traffic is very common for security reasons and sometimes other activity is monitored too. And any CA you mark as trusted can be used for signing almost any host, thus any misuse of the proxy CA would affect both work and home system. – Steffen Ullrich Jan 13 '16 at 06:31
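
The chain inspection suggested in the comments above (the "Certificate chain" section printed by openssl s_client), as an added example that is not part of the original thread: it parses that section and classifies the chain against a set of trusted root names. "ExampleCo" stands in for the redacted company name, the function names are hypothetical, and the check compares names only, it does not verify signatures.

```python
import re

# Constructed sample: "Certificate chain" section of `openssl s_client` output,
# shaped like the path in the question. "ExampleCo" is a placeholder name.
SAMPLE = """\
Certificate chain
 0 s:CN = google.com
   i:O = ExampleCo, CN = ExampleCo SubCA
 1 s:O = ExampleCo, CN = ExampleCo SubCA
   i:O = ExampleCo, CN = ExampleCo Issuing CA1
 2 s:O = ExampleCo, CN = ExampleCo Issuing CA1
   i:O = ExampleCo, CN = ExampleCo Root CA
 3 s:O = ExampleCo, CN = ExampleCo Root CA
   i:O = ExampleCo, CN = ExampleCo Root CA
---
"""

ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s+i:(.*)$")        # "   i:<issuer>"

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        m = ENTRY.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def assess(chain, trusted_roots):
    """Classify a chain by name against trusted root subject strings."""
    if not chain:
        return "no-chain"
    # Each certificate must be issued by the next one in the list.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken-chain"
    top_subject, top_issuer = chain[-1]
    if top_issuer in trusted_roots:
        return "trusted"            # e.g. work laptop with the company root installed
    if top_subject == top_issuer:
        return "untrusted-self-signed-root"   # private root missing from the store
    return "untrusted-issuer"
```

With an empty trust set the sample is classified as an untrusted self-signed root, and adding the company root's subject to the set turns the same chain into "trusted", which is the difference between the home PCs and the work laptop.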
0

For me I just had to turn off the Proxy (Under Network and Internet) on Windows 10 and it solved the problem. Also I unchecked Internet Protocol Version 6 (TCP/IPv6) under Network Connections.