I have seen reports of this happening with the following websites
When you click the padlock in the browser's address bar to inspect the certificate, you will most likely see that the chain ends at the Cisco Umbrella Root CA and that the error states the “Cisco Umbrella Root CA” certificate is not trusted. This is not a defect in the certificate itself: the Umbrella root is simply absent from the browser's trust store, and because the domain uses HSTS, the browser is required to treat an untrusted certificate as a fatal error rather than one you can click through.
Cisco Umbrella Root CA
Cisco Umbrella Root CA -> the private certificate authority that Cisco Umbrella uses to re-sign the certificates of the sites it inspects
Cisco Umbrella is Cisco's cloud security service, built on OpenDNS, that tries to protect you and your network from malicious websites. To inspect HTTPS traffic it terminates the TLS connection itself and hands your browser a substitute certificate issued by its own root CA in place of the site's real one.
While this adds a layer of protection, the browser cannot tell it apart from a man-in-the-middle attack: the Umbrella software really does sit between your computer and the server, decrypting and re-encrypting the traffic, and unless your browser has been told to trust the Umbrella root, that is exactly what the connection looks like. On an HSTS domain the browser therefore refuses to continue.
HSTS – HTTP Strict Transport Security
A domain that sets HSTS (through the Strict-Transport-Security response header, or by being in the browsers' built-in preload list) tells your browser two things: always connect to it over HTTPS, never plain HTTP, and treat any certificate error on that connection as fatal, with no option for the user to override it (RFC 6797, section 8.4).
The issue here is that Cisco Umbrella breaks this expectation by presenting a certificate that chains to a root your browser does not trust.
The browser is doing its job: it recognises the domain as an HSTS host and applies the rule that an untrusted certificate ends the connection. How strictly that rule is enforced varies by browser and version:
- Firefox, Safari, Edge, and Chrome for Mac do not allow the user to bypass the error.
- Chrome for Windows will allow a bypass.
- Internet Explorer does not enforce this at all, so it shows no error and allows the less secure connection.
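To make the HSTS rule concrete, here is a small model of the decision the browser makes: parse the site's Strict-Transport-Security header into a stored policy, decide whether that policy covers a given host, and then classify an untrusted certificate as either an ordinary warning page or a hard failure. It also includes a live check that asks the local trust store which issuer it sees for a site. This is an added example written for this article, not Cisco's or any browser's code; the host names and the header value are constructed, and the error message strings are assumptions about what OpenSSL reports.

```python
"""Model of how a browser treats an HSTS host whose certificate it does not
trust, e.g. one re-signed by the Cisco Umbrella Root CA.  Added example for
this article; it is not Cisco's or any browser's code.  The HSTS rules follow
RFC 6797 (max-age, includeSubDomains, and section 8.4: errors on an HSTS host
are fatal with no user recourse)."""
import socket
import ssl
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    host: str
    expires_at: float          # absolute time, seconds since the epoch
    include_subdomains: bool


def parse_hsts_header(host: str, header: Optional[str],
                      now: Optional[float] = None) -> Optional[HstsPolicy]:
    """Turn a Strict-Transport-Security header value into a stored policy.

    Returns None when there is no header, when max-age is missing or
    malformed (RFC 6797 says to ignore such a header), or when max-age=0,
    which tells the browser to forget the host.
    """
    if header is None:
        return None
    now = time.time() if now is None else now
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # 'preload' and unknown directives are ignored by the browser
    if not max_age:
        return None
    return HstsPolicy(host.lower(), now + max_age, include_subdomains)


def policy_applies(policy: Optional[HstsPolicy], host: str,
                   now: Optional[float] = None) -> bool:
    """True if a stored, unexpired policy covers this host."""
    now = time.time() if now is None else now
    if policy is None or now >= policy.expires_at:
        return False
    host = host.lower()
    if host == policy.host:
        return True
    return policy.include_subdomains and host.endswith("." + policy.host)


def connection_outcome(host: str, policy: Optional[HstsPolicy],
                       cert_trusted: bool, now: Optional[float] = None) -> str:
    """What the user sees for a given host and certificate validation result.

    'ok'           - certificate chains to a trusted root, page loads
    'interstitial' - untrusted cert on an ordinary host: warning page with
                     a 'proceed anyway' link
    'hard-fail'    - untrusted cert on an HSTS host: the browser must end
                     the connection with no way to click through
    """
    if cert_trusted:
        return "ok"
    return "hard-fail" if policy_applies(policy, host, now) else "interstitial"


def check_chain(host: str, port: int = 443, timeout: float = 5.0):
    """Live diagnostic (needs network): which issuer does *this* machine's
    trust store accept for the certificate it actually receives?  Returns
    ('trusted', issuer common name) or ('untrusted', OpenSSL's reason), for
    example ('untrusted', 'unable to get local issuer certificate') when an
    interception CA such as Cisco Umbrella Root CA is not installed
    (the exact message text is an assumption about OpenSSL's wording)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = {k: v for rdn in tls.getpeercert()["issuer"] for k, v in rdn}
                return ("trusted", issuer.get("commonName"))
    except ssl.SSLCertVerificationError as exc:
        return ("untrusted", exc.verify_message)


if __name__ == "__main__":
    # Constructed header, typical of what an HSTS-enabled site sends.
    policy = parse_hsts_header("example.com",
                               "max-age=31536000; includeSubDomains; preload")
    print(connection_outcome("www.example.com", policy, cert_trusted=False))
    # -> hard-fail: the non-bypassable error page described above
```

Running `check_chain("some-site.example")` from a machine behind Umbrella is a quick way to confirm the diagnosis: if it returns `('trusted', 'Cisco Umbrella Root CA')` the interception root is installed in this machine's store, and if it returns `('untrusted', ...)` while the browser still loads the page, the browser is using a different trust store than Python (Firefox, for instance, keeps its own).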
So what can you do?
1. Change Browsers
Use Chrome for Windows and bypass the blocked page, or use Internet Explorer. Keep in mind that bypassing the warning means accepting the Umbrella certificate for a site that explicitly asked browsers not to allow this, so only do it on a network you trust.
2. Use a VPN
You can use a VPN to reach the sites you are trying to use. The VPN carries your traffic through an encrypted tunnel, so Umbrella on the local network no longer sees or intercepts it; this is particularly handy in places like coffee shops, whose networks you do not control and which typically are not secure.
- use the OpenVPN connection method as outlined at https://nordvpn.com/tutorials/windows-10/openvpn/.
- allow custom DNS under Advanced settings. Set DNS to 220.127.116.11 and 18.104.22.168
If the Umbrella roaming client (the Cisco Umbrella module for AnyConnect) is installed on the computer itself, a VPN may not be enough on its own: Cisco publishes a long list of VPNs it is incompatible with, some with workarounds like the one above.
3. Change your DNS servers
You can also set the name servers you want to use directly in your computer's or mobile device's network settings, so that lookups no longer go through Umbrella. This only works if the network does not force all DNS traffic to its own resolvers.
How to configure