Strange Unsecure Connection Issues with Websites

Peepnbrick

I'm helping some family members (who live across the country) with a problem they're having. Unfortunately, this limits the amount of testing I can do, but I'm curious if this rings any bells for anybody:

 

Two of the computers in their house suddenly started getting the "Your connection is not secure" error when connecting to certain websites - one was email, one was their healthcare provider's website, and another was just the website for a baseball team (so no strong pattern there). Other websites work fine. This happens in both Chrome and Safari. The interesting thing is that other computers in their house work just fine connecting to these websites.

 

Their macOS is up to date, and they tried reinstalling Chrome, but the problem persists. I haven't been able to get them to try using the problematic computers on a different network, but that would definitely be good to test.

 

The interesting part is that they called their ISP (which, they informed me, is a very localized ISP - like, they have an ISP for their town and not something like Fios or Xfinity), and the ISP said that other people in town were reporting similar issues and that - and this is where the details start to get a little fuzzy through this game of telephone we're playing - the ISP had neglected to renew some sort of license, and that they were working on it. The tech support from the ISP just advised overriding the unsecure connection warning in the meantime.

 

This one's got me a little stumped. I'm no networking expert, but what role does the ISP play in the TLS handshake? Is it possible that the ISP could be screwing things up here? One thought I had is that (again - limited knowledge here), but maybe the list of credible certificate authorities on those computers got screwed up, so they are having trouble validating websites coming from those CA's? I'm assuming updating macOS would probably solve that?


The ISP should have nothing at all to do with the TLS handshake, unless they're doing things they shouldn't. For example, terminating the SSL connection, then re-encrypting and signing it with their own SSL certificate. That would require your PC to trust their CA certificate. That would be a big security no-no.

 

The most likely issue is as you said, the list of trusted CA certificates on the devices is outdated, corrupted or otherwise dysfunctional. An OS update should fix that, provided we are talking about a version of macOS that is still actively maintained by Apple.

 

If you visit one of those websites, try clicking on the lock icon next to the URL. This should open a dialog where you can select "Show certificate". You should see who the CA of the certificate is, as well as a reason why it is not accepted as valid on these machines.

 

2 hours ago, Peepnbrick said:

The tech support from the ISP just advised overriding the unsecure connection warning in the meantime.

That's not good advice in my opinion. It's probably fine for the website of a baseball team. But for any website where you have to enter credentials, let alone personal information, like a health care provider, that is very bad advice.


As Eigenvektor said, the ISP should play no role in the certificate verification. They should only be transporting that data from your computer to the destination, without making any modifications to it whatsoever. If multiple people using the same ISP are reporting cert issues, that indicates that they are doing modifications they shouldn't be doing. 

 

Things I would check first:

1) Check the time and date on all devices. Inaccurate clocks can result in cert issues.

2) Check the cert that gets refused by the computers and the error message. What reason is given for the invalid cert? Expired? Doesn't match the domain? Self-signed? Trying to force a lower security profile?
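The second check above can be scripted so that someone helping remotely gets the exact refusal reason instead of a paraphrased browser warning. This is an added example, not part of the original post: it attempts a fully verified handshake and maps the OpenSSL verify code to the reasons listed. The function names are hypothetical, and it assumes Python's default trust store, which can differ from the one Safari or Chrome uses on macOS.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify codes mapped to the refusal reasons asked about above.
REASONS = {
    9: ("not-yet-valid", "validity starts in the future; check the local clock"),
    10: ("expired", "a certificate in the chain is past its end date; check the clock too"),
    18: ("self-signed", "the server presented a self-signed certificate"),
    19: ("untrusted-root", "the chain ends in a root this machine does not trust"),
    20: ("unknown-issuer", "issuer not in the local trust store, or chain incomplete"),
    62: ("hostname-mismatch", "the certificate was issued for a different name"),
}

def classify(verify_code):
    """Return (category, hint) for an OpenSSL certificate verify code."""
    return REASONS.get(verify_code, ("other", "read the verify message"))

def diagnose(host, port=443, timeout=5.0):
    """Try a fully verified TLS handshake and report why it was refused, if it was."""
    ctx = ssl.create_default_context()  # default trust store, hostname check on
    result = {"host": host, "ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                result.update(ok=True, issuer=issuer.get("organizationName"),
                              protocol=tls.version())
    except ssl.SSLCertVerificationError as exc:  # must precede SSLError
        category, hint = classify(exc.verify_code)
        result.update(category=category, hint=hint, detail=exc.verify_message)
    except ssl.SSLError as exc:  # e.g. no shared protocol version or cipher
        result.update(category="handshake", detail=exc.reason)
    except OSError as exc:  # DNS failure, refused connection, timeout
        result.update(category="network", detail=str(exc))
    return result

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(diagnose(name))
```

Running it with the same hostnames on a failing machine and on a working one in the same house shows whether the difference is the machine's trust store and clock or the certificate being served.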


Check what others have said.

 

It might be related to one of Let's Encrypt's root certificates recently expiring (on September 30).

Are you able to access valid-isrgrootx1.letsencrypt.org and expired-r3-test.scotthelme.co.uk?

 

Let's Encrypt is a relatively new Certificate Authority and many devices running old operating systems don't have their new root certificate.
