Your Connection is not Private on Blocked Sites

Hi, I'm new to Sophos UTM,

I have a Web Filtering Policy blocking Categories including facebook and youtube.

Some sites, when blocked, show the company's logo with web messages, but there are also some sites, especially facebook and youtube, that only show this.

Your connection is not private

Attackers might be trying to steal your information from facebook.com (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID


Please help me fix this. Thank you

  • Hello,

    Thanks for the response, but I still can't understand the thread in the link you've given.

  • In reply to KhaLev:

    Have you got the Proxy certificate installed?

    If not, goto:

    [Web Protection] > [Filtering Options] > [HTTP CAs] > [Signing CA] > [Download]

  • In reply to Peter-Paul Gras:

    Hi,

    Thanks, but I still have the same issue.

    Your connection is not private

    Attackers might be trying to steal your information from youtube.com (for example, passwords, messages, or credit cards). Learn more

    NET::ERR_CERT_AUTHORITY_INVALID
    But other blocked sites are showing this one.
  • In reply to KhaLev:

    But just to be clear: did you install the proxy certificate on your client?

    According to the RULZ (https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz) the proxy rule (#7) is tested before the application rule (#9).

  • In reply to KhaLev:

    Seems like a Chrome error (https://www.digitbin.com/neterr-cert-invalid-chrome-fix/)

    Have you tried testing this with other browsers?

    I've managed to replicate your error. It appeared while using Chromium (Linux Mint 19.1) but not while using Firefox on the same machine.

  • As I thought the other document explained, this is expected behavior. You must distribute the UTM root certificate to your client devices to fix the problem.

    To display a block message, UTM must impersonate the destination server. For HTTP sites, this can be done because HTTP does not validate the responding system. When the site is HTTPS, UTM has to get past the server authentication test before it can display the block message. If the root certificate is on the client desktop, the block message displays. If not, the browser displays a warning. Most browsers give you the option to proceed anyway. I believe that Edge will not allow you to proceed past the warning.

    Firefox is difficult because it does not use the system certificate store, but uses a per-user store instead. At one point I thought they were going to change this, but I don't use Firefox anymore so I do not know if it was ever done.

    If you are having certificate warnings on allowed sites, the problem is different. If you have decrypt-and-scan enabled, some connections will fail because UTM and the remote site cannot negotiate a shared ciphersuite. The workaround is to bypass https inspection for any such sites.

    You may benefit from reading the other material in the Wiki section, and the "Web Filtering Lessons Learned" document which is pinned to the top of the webfiltering forum. This part of the product works extremely well. I don't understand what other information you need.
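Added example, not part of the thread or of Sophos UTM itself: it reproduces the mechanism described above with a throw-away "Signing CA" and an on-the-fly certificate for the blocked hostname, then checks the same leaf certificate against an empty trust store (the client before the proxy certificate is installed) and against one that contains the demo CA. The CA name, file paths and the use of `openssl` as the client-side verifier are assumptions; the real CA is the one downloaded from Web Protection > Filtering Options > HTTP CAs > Signing CA.

```shell
#!/bin/sh
# Constructed demo of why a UTM block page on an HTTPS site triggers
# NET::ERR_CERT_AUTHORITY_INVALID until the proxy's Signing CA is trusted.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the UTM Signing CA plus the leaf certificate the proxy
# would mint for the blocked site while serving the block message.
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/utm-ca.key" -out "$WORK/utm-ca.crt" \
    -subj "/CN=Demo UTM Signing CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" \
    -subj "/CN=facebook.com" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/site.csr" \
    -CA "$WORK/utm-ca.crt" -CAkey "$WORK/utm-ca.key" -CAcreateserial \
    -out "$WORK/site.crt" >/dev/null 2>&1
}

# Emulates the browser's chain check. $1 = leaf cert presented by the proxy,
# $2 = optional CA bundle standing in for the client's trust store.
# Returns 0 when the leaf chains to a trusted root, non-zero otherwise.
check_block_page_cert() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    # Empty trust store: the client without the UTM CA installed.
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

make_demo_certs
if check_block_page_cert "$WORK/site.crt"; then
  echo "unexpected: leaf trusted without the UTM CA"
else
  echo "without UTM CA: browser shows NET::ERR_CERT_AUTHORITY_INVALID"
fi
if check_block_page_cert "$WORK/site.crt" "$WORK/utm-ca.crt"; then
  echo "with UTM CA installed: block page renders normally"
fi
```

Sites that still warn after the CA is installed in the browser's own store (Firefox keeps a per-user store, as noted above) are the second case the reply describes, not a trust-store problem.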