1

Tl;Dr:

How do I stop Chrome from refusing to load pages that are blocked by OpenDNS, where the server has explicitly requested HTTPS?

Long question:

I have a large problem with Chrome in my organisation. I use DNS to manage web site blocking, for sites which are not appropriate and are potentially a risk to the organisation where I do this.

I only want to use Chrome over the network, as Internet Explorer has compatibility problems with some sites that we use (we cannot change this either or use different sites). Therefore using Internet Explorer is not a solution.

I do not want to install a different browser, for multiple reasons. Mainly because of the difficulty of rewriting the customised add-ons that we use.

However, recently, I have had lots of problems with Chrome SSL errors. I cannot use my custom OpenDNS block pages, which use the contact form to request an unblocking.

Chrome often blocks OpenDNS for sites (a good example is Facebook) that request HTTPS. Some sites, like https://internetbadguys.com (OpenDNS example), are affected too. This means that Chrome refuses to load the blocking page, explaining that the site is blocked. Instead, they often call IT support, but they want a solution, as they are sick of getting lots of SSL errors.

I have tried looking into ways to turn this off. I have tried:

  • Typing "proceed". That didn't work.
  • Typing "proceed", pressing enter. Didn't work.
  • I cannot find phishing and anti-malware any more in Chrome, from the internet guides.
  • Not using HTTPS. However there is an automatic redirect to HTTPS on most sites. Therefore the error keeps coming up.
  • Checking my clocks. They were correct.

Does anyone have an idea on how to disable, bypass or work around this "feature"?

EDIT: This is an example of what I am talking about: SSL Error. I found that on Google Images.

NOTE: I DO NOT block Google.

EDIT 2: My clocks are correct. I cannot stop using OpenDNS either.

George

4 Answers

4

So… you're redirecting the real Google site and complaining when Google's browser notices that you've intercepted Google's website?

Build Chrome from source and deploy that to your Enterprise. Or stop using OpenDNS.

MikeyB
  • Oh no. That was just an example I found on Google Images. I do not block Google. Sorry for not making that clear – George May 03 '14 at 10:59
  • I still can't figure out what you're even asking, you should clean up your question. And where in the world did you get the idea to type "proceed"? – MikeyB May 03 '14 at 13:26
  • I found it here: http://security.stackexchange.com/questions/26049/chrome-ssl-warning-you-cannot-proceed-because-the-website-operator-has-request – George May 05 '14 at 13:49
2

You are basically asking to break SSL security with your suggestion.

Chrome has the feature called pinned certificates, where well-known website certificates are stored inside the browser.

It means that whenever some other certificate than the one for the desired destination is presented, the browser gives out a warning about a Man in the middle attack.

It is a security feature, and should not be disabled.

Tero Kilkanen
2

I'm with you 100% on this. Our company uses OpenDNS to block certain websites. YouTube.com is one of them. However, we also issue "bypass codes" to employees to get around a blocked site. Here's how this works:

  • User browses to YouTube.com which auto redirects to SSL
  • OpenDNS blocks youtube.com domain
  • Chrome expects SSL from youtube.com, but the response is actually coming from OpenDNS...hence the certs don't match.

So the problem is - how do you bypass OpenDNS with their bypass codes if Chrome doesn't even give you the option?

Alternatives: Use Firefox or (it pains me to suggest this) Internet Explorer.

MJ Hufford
2

Hijacking SSL and then serving an invalid certificate is a bad practice that people need to complain about whenever it happens. Based on your description it sounds like that sort of hijacking is exactly what OpenDNS is doing.

The reason I think it is such a bad practice is that it may cause some users to think there exist legitimate reasons for hijacking SSL; such a misconception is bad for security.

So, what can you do about it?

If you want to stay with OpenDNS, I recommend you find the IP address they direct hijacked connections to. On the edge of your network, block all outgoing connections to that IP address except from port 80. Make sure the TCP SYN packets get a TCP RST packet in return. Responding with an ICMP error or simply dropping the SYN is not guaranteed to be handled well by the sending TCP stack.

If the connection is hijacked at the DNS layer and a TCP RST is sent when attempting a connection to port 443, the browser will display its own error message such as "This webpage is not available", which is much better than the certificate warning.

You can still display your custom error message to users connecting to port 80, but as others have pointed out, you can't do that with HTTPS as the entire purpose of HTTPS is to prevent that.

Why might users connect to port 443 rather than port 80 in the first place? There are at least three possible reasons:

  • User actually typed https:// into their browser.
  • The browser had a redirect from http to https cached.
  • The domain has strict transport security enabled, and the browser is aware of that.

In those cases you cannot give users a custom error page, so you need to let them know beforehand how to request an unblock.

kasperd
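The edge-router rules the answer above describes, as an added example that is not part of the original answer: HTTP to the OpenDNS block-page address is allowed through so the custom block page still loads, and every other TCP connection attempt to that address is answered with a TCP RST rather than dropped. It assumes a Linux edge router using iptables; the address 203.0.113.10 is a placeholder, not OpenDNS's real block-page IP, and must be replaced with the address your OpenDNS account actually returns for a blocked domain.

```shell
#!/bin/sh
# Placeholder (RFC 5737 documentation range): replace with the IP that your
# OpenDNS resolver returns for a domain you know is blocked.
BLOCK_PAGE_IP="${BLOCK_PAGE_IP:-203.0.113.10}"

# gen_rules IP -> prints the iptables commands, one per line, without running them.
# Order matters: the port-80 ACCEPT must come before the catch-all REJECT.
# These use -A (append); if the chain already has an earlier ACCEPT-all rule,
# switch to -I so these are evaluated first.
gen_rules() {
    ip="$1"
    # Traffic from the LAN forwarded through the router (new connections only).
    printf 'iptables -A FORWARD -p tcp -d %s --dport 80 -m conntrack --ctstate NEW -j ACCEPT\n' "$ip"
    # Any other TCP SYN to the block-page IP (443 included) gets a RST back,
    # so the browser shows "This webpage is not available" instead of a cert warning.
    printf 'iptables -A FORWARD -p tcp -d %s -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset\n' "$ip"
    # Same pair for connections that originate on the router itself.
    printf 'iptables -A OUTPUT -p tcp -d %s --dport 80 -j ACCEPT\n' "$ip"
    printf 'iptables -A OUTPUT -p tcp -d %s -j REJECT --reject-with tcp-reset\n' "$ip"
}

# apply_rules IP -> runs the generated commands (needs root); stops on first failure.
apply_rules() {
    gen_rules "$1" | while IFS= read -r cmd; do
        eval "$cmd" || exit 1
    done
}

# count_rst_rules IP -> number of generated rules that answer with a TCP RST.
count_rst_rules() {
    gen_rules "$1" | grep -c -- '--reject-with tcp-reset'
}

case "${1:-}" in
    apply) apply_rules "$BLOCK_PAGE_IP" ;;
    *)     gen_rules "$BLOCK_PAGE_IP" ;;   # default is a dry run: only print the rules
esac
```

Run with no arguments to review the generated rules; run with `apply` as root to install them. Non-TCP traffic to the block-page address is not covered here, since only TCP can be answered with a RST.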