
[Solved] Re: Can't connect to torproject.org



On Sun, 11 Apr 2021 12:51:13 -0300
Eduardo M KALINOWSKI <eduardo@kalinowski.com.br> wrote:

> On 11/04/2021 11:25, Celejar wrote:
> > I feel silly for not being able to figure this out.
> > 
> > I can't connect to torproject.org via either Firefox or Chromium. The
> > browsers object that HSTS is in place and they don't recognize the
> > site's certificate (SEC_ERROR_UNKNOWN_ISSUER). There's no opportunity
> > offered to add an exception.
> > 
> > I've seen these threads:
> > 
> > https://support.mozilla.org/en-US/questions/1201504
> > https://superuser.com/questions/1066863/how-can-i-add-a-certificate-exception-for-an-hsts-protected-site-in-firefox
> > https://support.mozilla.org/en-US/questions/942924
> > 
> > But I don't see any good suggestions for fixing this in my case. I have
> > a pretty standard Debian installation, with standard certificates
> > installed, and no customization to my local certificate infrastructure.
> > I'm connecting via Verizon FioS, with no proxy in use (on my end, at
> > least).
> 
> There seem to be two issues:
> 
> - The certificate issuer is invalid
> - Since the site uses HSTS[0], the browser does not allow the user to 
> override the certificate problem.
> 
> [0]https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
> 
> HSTS doesn't really seem to be the problem. It just tells the browser that 
> https is to be used at all times. If there's a certificate error, that 
> means that TLS is being used.
> 
> The real question is then why is the issuer considered invalid. I can 
> access the site normally and it uses a Let's Encrypt certificate, which 
> should be trusted, and should be used by many other sites.
> 
> What happens when you try to access https://letsencrypt.org/, which is 
> signed by the same CA?

It connects fine. And you've just given me the clue to figure this
out: on my system, the certificate is issued by Cisco Umbrella, not
Let's Encrypt!

The problem seems to be that I have OpenDns Family Shield configured at
the router level, and it blocks Proxy/Anonymizer sites by default.
(OpenDns was purchased by Cisco and rebranded as Cisco Umbrella:
https://umbrella.cisco.com/opendns-cisco-umbrella.) I'm pretty sure that
it used to just return an OpenDns page instead of the requested one,
but now I guess it's doing something sneaky by returning its own
version of the requested page, signed with its own certificate :| (I
confirmed that I have the same problem accessing openvpn.net)

Thanks!

Celejar

