Private Connection? Cisco Umbrella in the Middle

You might have seen this with reputable websites: the browser reports that the certificate is not valid, which is true and, at the same time, not true.

Let me explain…

Your connection is not private. The browser will complain if the certificate presented for an HSTS pinned domain does not match the authority that domain expects.

I have seen reports of this happening with the following websites:

  • nordvpn.com
  • wikipedia.com
  • vinoshipper.com

When you click on the browser's security indicator to look at the certificate, you will likely see that the failure is reported against the Cisco Umbrella Root CA, with the reason that the “Cisco Umbrella Root CA” certificate is not trusted. The Cisco Umbrella Root CA does not have the authority required for HSTS pinned domains.

[Screenshots: the certificate viewer showing “Cisco Umbrella Root CA”, a certificate authority created by Cisco Umbrella; the error “Cisco Umbrella Root CA” certificate is not trusted; and NordVPN presenting a special certificate assigned by Cisco Umbrella.]

Cisco Umbrella is an OpenDNS service that attempts to protect you and your network from shady websites. To do so, it injects its own certificate in place of the site's certificate.

While this is great, adding a level of care for security, it does break the HSTS chain of trust and creates what looks like a man-in-the-middle attack. That impression is also accurate, because the Cisco Umbrella software is inserting itself between your computer and the server for the certificate-protected transport of data.
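As an added example that is not part of the original post, here is a small Python check a defender can run from a workstation to tell whether the certificate a site presents was issued by the Cisco Umbrella Root CA rather than the site's real CA. The DER walker, the fetch_leaf_der helper and the fake_cert builder are my own; fake_cert produces only the certificate prefix the parser reads, as a constructed sample, not a real certificate.

```python
import socket
import ssl

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_common_name(der):
    """Issuer CN of a DER-encoded X.509 certificate, or None if it has none."""
    _, pos, _ = _tlv(der, 0)                       # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                     # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                # optional [0] version present
        _, _, end = _tlv(der, end)                 # serialNumber INTEGER
    _, _, end = _tlv(der, end)                     # signature AlgorithmIdentifier
    _, pos, end = _tlv(der, end)                   # issuer Name: SEQUENCE OF SET
    while pos < end:
        _, rdn, rdn_end = _tlv(der, pos)           # RelativeDistinguishedName SET
        _, atv, _ = _tlv(der, rdn)                 # AttributeTypeAndValue SEQUENCE
        _, oid, oid_end = _tlv(der, atv)
        if der[oid:oid_end] == b"\x55\x04\x03":    # OID 2.5.4.3 = commonName
            _, v, v_end = _tlv(der, oid_end)
            return der[v:v_end].decode("utf-8", "replace")
        pos = rdn_end
    return None

def is_umbrella_intercepted(der):
    """True when the leaf certificate was issued by the Cisco Umbrella Root CA."""
    return "Cisco Umbrella Root CA" in (issuer_common_name(der) or "")

def fetch_leaf_der(host, port=443, timeout=5):
    """Fetch the leaf cert a server presents WITHOUT validating it, so an untrusted chain can be inspected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

# Constructed sample: only the TBSCertificate prefix the parser walks, not a real certificate.
def _der(tag, body):                               # short-form lengths only (< 128 bytes)
    return bytes([tag, len(body)]) + body
def fake_cert(issuer_cn):
    cn = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, issuer_cn.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")            # v3, serial 1
           + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
           + _der(0x30, _der(0x31, cn)))                                    # issuer Name
    return _der(0x30, _der(0x30, tbs))
```

On a live network, `is_umbrella_intercepted(fetch_leaf_der("nordvpn.com"))` returning True means the chain was replaced in transit, which is exactly what the browser warning is telling you.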

HSTS

HSTS – HTTP Strict Transport Security

Domains that have HSTS set up tell your browser that the domain address requires an HTTPS connection, that the certificate is explicitly assigned to that domain, and that it must come from a Certificate Authority (CA) meeting the expected high level of trust.

The issue here is that Cisco Umbrella breaks this expected chain of the protocol with a certificate that does not meet the level of certificate authority expected.

The Browser

The browser is vital in ensuring that you have a secure connection: it looks at this pinned domain and follows the rules to connect.

  • Firefox, Safari, Edge, and Chrome for Mac do not allow a user to bypass the warning.
  • Chrome for Windows will allow a bypass.
  • Internet Explorer does not even understand this, so it will not raise an error and will allow the less secure connection.

So what can you do?

Some Solutions.

1. Change Browsers

Use Chrome for Windows and bypass the blocked page, or use Internet Explorer.

2. VPN

You can use a VPN to connect to the sites you are attempting to use. The VPN provides a secure tunnel through a network and is particularly handy for places like coffee shops that typically do not have a secure internet connection.

Cisco Umbrella for AnyConnect has a long list of incompatible VPNs, with some showing workarounds, as you can see above.

3. NameServers

You can try setting the DNS name servers of your choice in your computer or mobile device’s network settings.

  • 8.8.8.8
  • 8.8.4.4
  • 208.67.220.220
  • 208.67.222.222

How to configure

4. Install a Cisco Umbrella Root CA