0

I'm using Google Chrome on my new MacBook Pro that has been provided to me by my employer.

Many of the HTTPS sites I visit do not work when I visit them using Google Chrome while I am connected to my employer's network. Example: www.facebook.com

These same sites work perfectly fine if I use a different browser (like Safari) or even with Chrome when my MacBook is connected to my home WiFi network.

Chrome reports the error: "The certificate was signed by an unknown authority". See attached screenshots.

How can I resolve this problem? I really want to use Chrome. But not having access to numerous important work and outside websites is unacceptable.


Saqib Ali
  • 1
    Discuss this with IT and/or your management. We are not them (probably.) – mfinni Jun 06 '14 at 14:53
  • 1
    Details about the certificate? I would assume Chrome ignores the root certificate the IT interceptor has installed and thus thinks the certificate is invalid. I assume the company rewrites all SSL certificates to be able to intercept the traffic. – TomTom Jun 06 '14 at 14:57
  • My company's IT department said that I should use Safari since it was an acceptable workaround. But I would really prefer to use Chrome if possible. That's why I'm posting here for advice/assistance. What can I tell them to bolster my case? – Saqib Ali Jun 06 '14 at 14:57
  • 1
    Agreed with @TomTom - your employer is essentially performing a MITM and is replacing the real SSL certs for external sites with their own, for purposes of inspecting and logging all web requests. Ethical or not, this is something between you and your employer, and you need to discuss this with them. – EEAA Jun 06 '14 at 14:59
  • @TomTom, from where can I find details about this certificate other than the screenshots I have provided? – Saqib Ali Jun 06 '14 at 14:59
  • @EEAA/@TomTom, Is this something that would affect only Chrome, but not the other browsers on my laptop? – Saqib Ali Jun 06 '14 at 15:00
  • Nothing unethical here - likely their usage policy says so and laws demand it. Some areas demand that certain communication is logged, SSL or not. Private stuff - do it on private machines. Regarding other programs - likely Chrome ignores the installed additional root certificate. Ask your IT. – TomTom Jun 06 '14 at 15:09
  • I'd say nobody should be hijacking SSL connections. It is hard enough as it is to teach users that security warnings should be taken seriously. That will only get harder if users are being told that there exist legitimate reasons for hijacking SSL connections. If an employer wants to block access to specific SSL sites, they should be using a TCP RST packet to block the access. – kasperd Jun 06 '14 at 15:54

1 Answer

2

Your company is injecting an SSL certificate into your requests to do SSL filtering (which major firewall/filter products do nowadays) which isn't trusted by Chrome or your system.

Safari will happily ignore the issue and display the page but with the https either crossed or red (I don't have Safari so I'm not sure).

If configured right, the company would be issuing certificates trusted by their own systems, but that's an entirely different topic.

On that note, just avoid going to sites over HTTPS.

Nathan C
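The trust failure described in the answer above can be reproduced offline with `openssl`. This is an added example, not part of the original post; the CA names and the `www.example.test` host are constructed, and it assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Added example; all CA names and hosts below are constructed for the demo.
set -eu

make_ca() {            # $1 = CN, $2 = output prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

sign_leaf() {          # $1 = host, $2 = CA prefix, $3 = output prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$3.pem" 2>/dev/null
}

issuer_of() {          # who signed this certificate?
  openssl x509 -in "$1" -noout -issuer
}

chain_trusted() {      # $1 = trust-store PEM, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca "Demo Public Root CA" "$work/public"         # stands in for a stock trust store
make_ca "Example Corp Inspection CA" "$work/corp"    # stands in for the filter's CA
sign_leaf "www.example.test" "$work/corp" "$work/leaf"

echo "Presented certificate: $(issuer_of "$work/leaf.pem")"

if chain_trusted "$work/public.pem" "$work/leaf.pem"; then
  echo "stock trust store:   OK"
else
  echo "stock trust store:   rejected (issuer is not a known authority)"
fi

# A managed machine would carry the inspection CA in its trust store as well.
cat "$work/public.pem" "$work/corp.pem" > "$work/managed.pem"
if chain_trusted "$work/managed.pem" "$work/leaf.pem"; then
  echo "managed trust store: OK"
fi
```

Against a live site, the issuer line of the presented certificate is the detail to hand to IT: it names the CA that has to be in the browser's trust store.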