firefox - How to intercept SSL authority certificate needed in a corporate environment?

2014-04
  • user1042840

    My situation is the following: in our corporate network a special kind of SSL certificate issued by the company itself is used. Every time I open a site via https in Firefox a warning prompt is displayed saying "sec_error_unknown_issuer". In the certificate details it says that this particular certificate was issued by my company; there is a company address and name and everything. It's very annoying because I need to add an exception for the invalid certificate every single time I go to an SSL encrypted site. One possible solution would be to give up SSL and use plain http when possible (there is no difference between SSL and no-SSL at the moment if the network admins handle the certificates themselves, I guess) but some sites do not work without SSL, such as bank login pages. So I think the better idea would be to add the certificate to Firefox's list of trusted authorities. To do this, I need to have an authority certificate. I tried to get it with the following OpenSSL command but to no avail:

    openssl s_client -connect hostname:port

    It shows one certificate and then it stops because some certificates could not be verified, and the certificate is incorrect because Firefox displays an error when I try to import it. I don't remember the exact message now but it was something like "this certificate is not a valid authority certificate".

    I also tried to use Wireshark but I can't use it too well and I failed to grab what I was looking for. And as a last resort, it's impossible to disable SSL certificate validation in Firefox.

    So how can I grab this local authority certificate that I could import to Firefox and stop being annoyed by the error messages?

  • Answers
  • grawity

    Add the -showcerts option to make s_client print the entire chain.

  • mndeveci

    I am facing the same problem today, and every time I try to connect to a site, all Mozilla products ask for permission to add the certificate. And that certificate only certifies the specified website.

    In order to add your corporate certificate into the trusted authorities, go to Control Panel -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities

    And a list appears there. Find your corporate certificate and export it to a file with the wizard's default options.

    After that, open Firefox, Options -> Advanced -> View Certificates -> Authorities -> Import

    Select the file that you have exported, and check all the trust options.

    Now you will be able to connect to all the websites.


  • Related Question

    What is the true level of danger when a SSL certificate is invalid?
  • Chris Pratt

    I'm relatively tech-savvy, but I'm no security expert. To my understanding, an invalid SSL certificate is only a problem if you're going to provide some sort of potentially exploitable information to a website and you are not sure that the website you're at is truly owned by the organization you believe it to be.

    I ask because my workplace uses content filtering that makes every SSL cert invalid. The browser sees the website as originating from the content filtering server on the network rather than the actual server the website is being served from. I'm tempted to simply turn off certificate checking altogether in my browser (Firefox) because it's not doing anything for me other than creating hassle, but I wanted to check to see if there's some facet of the issue I might be missing? I'm smart enough to ensure that the website I'm visiting is the website I think I'm visiting without the confirmation of the cert, so based on my understanding, I shouldn't have any problems.


  • Related Answers
  • Michael Urvan

    Basically with that kind of proxy, your employer can see even banking information and such via SSL because they have an unencrypted copy via the proxy. Your computer is requesting a webpage from the proxy server, and then your employer's proxy server is requesting the pages from the destination on your behalf, and the proxy software gets an unencrypted copy because it is in the middle. So the proxy can see the contents of every web page you see. The only way SSL is secure is when your PC and the destination PC talk directly via SSL.

    Your browser is correctly warning you that your information is not secure. I think that the connection between the three points is still using encryption, so the whole world can't see it - just your employer.

    One note to remember: even with SSL turned on properly, your employer can still see the URLs (in the browser address bar) that you go to. Most search engines like Google place a lot of information in the URL (words you searched for, etc).

  • DrNoone

    The main problem, IMHO, is that your browser (or your client's browser) is always complaining about invalid certificates. If it happens once in a while, you go and check whether it is an error or not. If it happens every time, you stop checking. I mean, your information could be safe from sniffing because you're encrypting the communication channel, but you may be talking with a rogue server, and that could be easily exploited.