What router settings would prevent me from accessing CSS files via https?

7

2

If I try to fetch this resource (CSS file) with my browser(s):

https://secure.skypeassets.com/apollo/2.0.823/css/components.css

I get this error:

error on Chrome

With Firefox:

This Connection is Untrusted

You have asked Firefox to connect securely to secure.skypeassets.com, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified. What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

However, if I connect my ethernet cable directly to my cable modem, instead of going through my router, I can access this resource without any problem.

So it seems to me that the problem is a router setting, not network settings for the computer itself.

The router is a D-Link DIR-632 Wireless N 8-Port Router. The problem is seen on computers connected via ethernet cable and computers connected via wireless. The router says that the firmware is up-to-date.

EDIT:

I see this problem with all pages at skype.com (no CSS files are getting fetched, and so all pages look pretty ugly). Other HTTPS traffic is fine. It has been happening for as long as I can remember, but I'm not sure if it has always happened with this router.

MORE EDITS:

Selecting "ADVANCED" shows me this:

This server could not prove that it is secure.skypeassets.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

Proceed to secure.skypeassets.com (unsafe)

I have been asked to provide the certificate. There were lots of options when I went to save it, and I'm not sure I've done it correctly, but it is zipped up here. (I think it was saved when visiting www.skype.com, which was badly-formatted because it couldn't access the CSS files from secure.skypeassets.com. But I gather now that I did that wrong ... I should have saved the certificate when I was at the "Your connection is not private" page. Oops. I could go and get the other certificate now if it might help, but I'm not sure now if that was a red herring, in light of the problem being fixed by changing my DNS servers.)

Jeff Roe

Posted 2016-08-03T02:26:34.310

Reputation: 291

2 Your router appears to be munging the certificate chain. Start by upgrading the router's firmware. You'll need to provide more information about the router (make/model/configuration) if you want more specific suggestions from people. Edit it into your question. – Ƭᴇcʜιᴇ007 – 2016-08-03T02:39:23.327

4 Don't bother upgrading. Throw it in the bin. There is absolutely no reason for a router to be mucking about with traffic like this. – EEAA – 2016-08-03T02:51:04.127

Can you edit your question to add details on what model router you’re using that you believe would be causing an issue like this? – JakeGould – 2016-08-03T03:03:12.183

1 Out of curiosity, please provide screenshots of the certificate (or ideally the certificate itself). – Daniel B – 2016-08-08T16:27:00.757

@DanielB: I don't know what the certificate is, or where I would find it. – Jeff Roe – 2016-08-08T19:01:40.570

1 Press F12 (to open DevTools), go to the “Security” tab. After clicking on “View certificate” you can save the certificate on the “Details” tab of the properties dialog that opens. If there are other certificates in the “Certification Path” tab, you should export these, too. You can then ZIP the files and upload them to your favorite file hoster. – Daniel B – 2016-08-08T20:09:24.917

If my answer does not help, it may indeed be useful to see the certificate(s), and to get some more info like: has it always been like this or did it suddenly start? Do you have this with all HTTPS traffic or only with this specific site, or this specific URL? – hertitu – 2016-08-09T20:27:40.390

Thanks for your help, but that certificate stuff seems too difficult. Would it be the same certificate for anyone going to skype.com? – Jeff Roe – 2016-08-10T02:02:43.247

When you get the error in chrome and click Advanced, what extra info does it show? – hertitu – 2016-08-10T05:42:43.460

1 @JeffRoe How is it difficult? To get good answers, you really should provide the certificate. An alternate way to get to the "Security" tab is to click on the lock icon in the address bar and then select "Details". – Daniel B – 2016-08-10T20:17:19.293

"Would it be the same certificate for anyone going to skype.com?", that's what we're trying to determine. So, we need that info. – Arjan – 2016-08-10T20:23:38.627

1 If you click Proceed to secure.skypeassets.com (unsafe) what do you get? – hertitu – 2016-08-10T21:52:37.723

@hertitu: I just get a blank page. – Jeff Roe – 2016-08-11T01:45:07.920

Nice it was fixed, @Jeff. As an aside, the output from Google's DNS was just a reference, meant as the expected output to compare your own output against. I've removed the Google stuff from your question. – Arjan – 2016-08-12T09:29:51.527

Well seeing how the certificate was probably not the “faulty” one, I’m removing my answer. – Daniel B – 2016-08-12T15:29:22.820

Answers

2

Skype's static resources are hosted at Akamai, a content delivery network that routes requests to one of their worldwide servers that is best suited for your location. Maybe the Akamai-generated Skype certificate is not valid on one of Akamai's servers, or maybe one of their servers simply does not host the Skype content at all (anymore) and Akamai is trying to show you an error page, using a different certificate.

So, just a wild guess: maybe the router uses different DNS settings, which are either outdated (maybe referring to a wrong IP address altogether), or referring to an Akamai server that is configured wrongly, or for filtering DNS servers (did you set up something like OpenDNS some day?) referring to an access denied page of the DNS server.

You can try nslookup secure.skypeassets.com to try to find differences for the two connections. (The first line will tell you which DNS server is used, but that usually refers to the router or modem's IP address.)

You can also compare the output you get with the output when using Google's DNS:

nslookup secure.skypeassets.com 8.8.8.8

Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
secure.skypeassets.com  canonical name = secure.skypeassets.com.edgekey.net.
secure.skypeassets.com.edgekey.net  canonical name = secure.skypeassets.com.edgekey.net.globalredir.akadns.net.
secure.skypeassets.com.edgekey.net.globalredir.akadns.net   canonical name = e7766.b.akamaiedge.net.
Name:   e7766.b.akamaiedge.net
Address: 23.206.91.11

The IP address in the last line can surely be different without causing problems, but maybe you happen to find an IP address that should not be used.

Arjan

Posted 2016-08-03T02:26:34.310

Reputation: 29 084

Hmm... yes, I was using OpenDNS for a while. I'll add my nslookup to my question. – Jeff Roe – 2016-08-11T02:28:10.010

Aha! I changed my DNS servers back from the Open DNS ones, and the problem is fixed! – Jeff Roe – 2016-08-11T02:41:22.737
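The comparison suggested in Arjan's answer, as an added example (not code from the original thread): it parses two Unix-style `nslookup` outputs and flags an answer that leaves the Akamai CNAME chain, while ignoring a mere difference in edge IP. `REFERENCE` is the 8.8.8.8 output quoted in the answer; `SUSPECT` is a constructed sample using a documentation address, and the function names and the `cdn_suffix` parameter are this example's own.

```python
import re

# Reference: the 8.8.8.8 output quoted in the answer above.
REFERENCE = """Server:     8.8.8.8
Address:    8.8.8.8#53
Non-authoritative answer:
secure.skypeassets.com  canonical name = secure.skypeassets.com.edgekey.net.
secure.skypeassets.com.edgekey.net  canonical name = secure.skypeassets.com.edgekey.net.globalredir.akadns.net.
secure.skypeassets.com.edgekey.net.globalredir.akadns.net   canonical name = e7766.b.akamaiedge.net.
Name:   e7766.b.akamaiedge.net
Address: 23.206.91.11
"""
# Constructed sample: a resolver that answers with an address of its own
# choosing and no CNAME chain (192.0.2.10 is a documentation address).
SUSPECT = """Server:     192.168.0.1
Address:    192.168.0.1#53
Non-authoritative answer:
Name:   secure.skypeassets.com
Address: 192.0.2.10
"""
CNAME_RE = re.compile(r"^(\S+)\s+canonical name = (\S+?)\.?$")

def parse_nslookup(text):
    """Return (resolver, cname_targets, addresses) from Unix-style nslookup output."""
    resolver, targets, addrs = None, [], []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Server:"):
            resolver = line.split(":", 1)[1].strip()
        elif m := CNAME_RE.match(line):
            targets.append(m.group(2))
        elif line.startswith("Address:") and "#" not in line:  # "#53" marks the resolver itself
            addrs.append(line.split(":", 1)[1].strip())
    return resolver, targets, addrs

def compare(reference, suspect, cdn_suffix="akamaiedge.net"):
    """Flag answers that leave the CDN; a different edge IP alone is not flagged."""
    _, ref_targets, _ = parse_nslookup(reference)
    resolver, targets, addrs = parse_nslookup(suspect)
    if not addrs:
        return [f"{resolver}: no address returned"]
    if ref_targets and not targets:
        return [f"{resolver}: no CNAME chain, answered {addrs} directly"]
    if targets and not targets[-1].endswith(cdn_suffix):
        return [f"{resolver}: chain ends at {targets[-1]}, not *.{cdn_suffix}"]
    return []

if __name__ == "__main__":
    print(compare(REFERENCE, SUSPECT) or "answers are consistent")
```

An address flagged this way is the one to test for the certificate error; on its own the DNS difference only shows that the resolver, not the site, chose the server being reached.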

3

Since the problem only occurs when connecting through the router, that router is likely messing around with your traffic. That specific error means that the site as seen by your computer is presenting an SSL/TLS certificate that fits the site, but is issued by an untrusted/unknown certification authority. In essence, it would appear that the router just made up a CA key and is signing certificates with it in an attempt to let itself decrypt your HTTPS traffic.

I couldn't find any mention of a setting for that router that enables such shenanigans (other than the website filters mentioned in hertitu's answer), but I did discover that malicious firmware versions have been made for D-Link routers. For a scary read, see Large Scale Security Analysis of Embedded Devices' Firmware (PDF). It's conceivable that your router was injected with that kind of bad firmware and is now spying on you. You could try to flash known-good firmware onto it, but the bad firmware might prevent that. If the flash fixes the HTTPS problem, change your router management password to make sure that no bad guys know it. (Access to your router is access to your traffic when firmware "upgrade" is an option.)

If the flash doesn't fix it, buy a new router. It's the only way to be sure!

Ben N

Posted 2016-08-03T02:26:34.310

Reputation: 32 973

3

It is possible that someone is running some sort of man-in-the-middle attack. Log in to the router and check to see who is connected. If you find some suspicious machine, just change your wifi password and make sure you use WPA encryption.

May0

Posted 2016-08-03T02:26:34.310

Reputation: 31

I'd find it very hard to believe that some other client of the same router could act like a man in the middle. Any examples? – Arjan – 2016-08-10T20:20:29.733

2 @Arjan That's easily achieved with ARP Poisoning. Though that won't necessarily work on recent operating systems. – Daniel B – 2016-08-10T20:57:36.243

@Arjan I used to use a program for Windows called Cain and Abel. I last used it about a year ago and my friends would get this same error message when I had it running. – May0 – 2016-08-10T22:16:28.503

Thanks. I don't see anything unexpected in the "DYNAMIC DHCP CLIENTS" list. – Jeff Roe – 2016-08-11T01:43:19.443

Wow, good to know, @May0. – Arjan – 2016-08-11T05:32:48.413

2

Looking at the D-Link DIR-635 User Manual (pdf), I see that it has a Website Filters feature as an option in the Access Control feature. I have no experience with this particular router (and hence with that feature) but it is possible, when these features are enabled, that the router is trying to present you with a screen saying something like "you are not allowed to access this page".

hertitu

Posted 2016-08-03T02:26:34.310

Reputation: 276

A good thought, but I don't have any Website Filters set up. – Jeff Roe – 2016-08-10T01:57:12.917