Certificate Security Error Bypass
-
Part of my job is managing our phone system at work. I routinely access the phone's GUI both at work and at home. Vivaldi is the browser I primarily use in both locations.
Every time, every single time I log into a phone, I'm greeted with a security warning: "Your connection is not private Attackers might be trying to steal your information from <ip> (for example, passwords, messages, or credit cards)." Guess what? They aren't.
To say that this has gotten old is an understatement. I've upgraded the firmware of well over a hundred phones with more to come. I've been forced to click Advanced->Proceed to Site / Unsafe twice for each and every one of them. (Upgrading firmware is a boring & tedious enough job without the browser adding to it.) When someone has an issue that's phone-related rather than on the PBX itself, I need to click through the security warning. Even if I just need to reboot a phone, I need to click through this security warning. Doesn't matter that I've clicked through it 50 times on the same IP already - I'm forced to click through it yet again.
The site settings have an option for 'Insecure content' with the default being to block. Changing this to allow does absolutely nothing, despite it sounding like it should.
After searching, it appears that there used to be an option to disable warnings about certificate errors, but that this was removed by Chromium. (Because why not annoy our users? Also, let's get them used to clicking through continual warnings all the time so that when a warning about something serious pops up, they're more likely to simply ignore it and just click through - that's a GREAT idea!)
Typing 'thisisunsafe' at the warning screen bypasses it, so I wrote a bookmarklet to use JavaScript to type this in for me - not exactly an elegant solution, but it'd halve the number of clicks & eliminate repositioning the mouse entirely. Unfortunately, this doesn't work... whether it's blocked because of the security in the browser or if I'm doing something wrong in the bookmarklet, I don't know. All I've been able to get is the bookmarklet JavaScript code in the address bar when I click on it - nothing at all happens on the page. I've tried both keypress and keydown/keyup to simulate keystrokes & both document and window as the objects to dispatch the events to - nothing works.
The phones are made by Polycom with certificates that are valid until October of 2030. The certificates are part of the phone's firmware & I have 0 control or influence over it. Seeing as the error is an invalid certificate signing authority ('NET::ERR_CERT_AUTHORITY_INVALID' for those searching), I exported the certificate it was complaining about (Polycom Equipment Issuing CA 2) to a file, saved it with a crt extension in /usr/local/share/ca-certificates, and ran update-ca-certificates as root - it imported the certificate into the OS. When this proved ineffective, I repeated this for the other two Polycom non-MAC specific certificates, but next time I went to a phone, the same warning came up yet again...
(I'm nowhere near good enough with the intricate details of certificates to know how to figure out what's going on.)
The phones only respond to encrypted requests (https on port 443) and not plain (http on port 80). Digging through the settings on a phone does not reveal anything to change this and I've not investigated to see whether it's possible to override this when the phone is provisioned from our PBX server, but would honestly rather not.
Another option that I'd rather not go with is setting up a standalone version of a different (older) browser that supports the --ignore-certificate-errors flag and use this browser specifically for phone administration. This would be clunky to say the least and absolutely not a great solution, but it would likely get rid of the nag screen.
My last idea to work around this is to write a ViolentMonkey / TamperMonkey script to advance past the warning automatically, but I've never written a single monkey script in my life & am not the greatest when it comes to JavaScript to begin with.
Allow me to repeat one set of facts for those who are certain to chime in about how disabling this screen is a horrible idea: There is absolutely 0 chance that removing this screen will cause a security problem. Every phone has been factory reset while not connected to any network by using a power brick instead of PoE. The first thing done when it is put on our network is a firmware upgrade from a local provisioning server I set up myself with firmware direct from Polycom. Plus, I'm just going to override it manually anyway. This screen that I want to bypass is strictly 100% annoyance - nothing more.
Does anyone know of or have an automated way to bypass this screen?
Since all these phones are confined to a single VLAN on our network, I know what subnet they are going to be in. I would like to propose a setting in Vivaldi to simply disable specific types of certificate security warnings for IP ranges the user specifies. There could be a checkbox integrated into the screen to proceed to the site 'Don't ask me again for this site' to add the site or IP you're on with a /32 mask to this list for the specific certificate error type encountered.
-
@Ruler2112 Try to import the CA cert with certutil:
certutil -d sql:$HOME/.pki/nssdb -A -t "TCu,Cu,Tu" -n "Polycom CA" -i Polycom-CA-certificate.pem
Polycom CA certs are at http://pki.polycom.com/pki/
-
No-go @DoctorG ... installed libnss3-tools to get the certutil utility & tried the Polycom Root CA.crt file from the site you linked & got the following:
Notice: Trust flag u is set automatically if the private key is present.
certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database..
Exported the root Polycom certificate from a phone and imported it - only the notice popped up:
Notice: Trust flag u is set automatically if the private key is present.
Unfortunately, it had no impact on the warning screen popping up, either when reloading a phone's GUI or when visiting a different phone.
-
Found that the crt file from Polycom's site is binary, so poked around and used
openssl x509 -in Polycom\ Root\ CA.crt -out PolycomCA.pem
to convert it. Imported that using the certutil command and still got the same message:
Notice: Trust flag u is set automatically if the private key is present.
certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database..
Exported the Polycom Equipment Issuing CA 2 certificate from a phone & certutil imported it with no notice or warnings, but it also had no effect on the nag screen in Vivaldi. (Does it really have to be this complex???)
-
Maybe I spoke too soon... just noticed that the error code changed since I imported the certificate from the phone.
Attackers might be trying to steal your information from <ip> (for example, passwords, messages, or credit cards).
Learn more about this warning
NET::ERR_CERT_COMMON_NAME_INVALID
Back to safety / Hide advanced
This server could not prove that it is <ip>; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.
Proceed to <ip> (unsafe)
Still have to click the same things, but the error code changing would indicate that it's no longer offended that the signing authority isn't trusted. (Maybe??? Like I said, I'm not great with the intricacies of certificates... I'm good enough to self-sign some for our own use, but that's about it.) Unfortunately, all I've found when searching is basic stuff like reloading the site or click through as I have been.
Still feel that the feature I described would be a useful feature for Vivaldi.
-
@Ruler2112 IP addresses will never have valid CNs, unless you specify the IPs in the SAN field, which is kind of a non-standard way of doing things but I guess acceptable inside an organization.
https://csrc.nist.gov/glossary/term/subject_alternative_name
https://www.entrust.com/blog/2019/03/what-is-a-san-and-how-is-it-used
https://comodosslstore.com/resources/how-to-secure-multiple-ip-addresses-with-a-san-ssl-certificate/
Your certificate(s) will need to contain the IP(s) in the SAN field.
Note also that modern browsers will ignore the value of the CN if the SAN fields exist.
Possible workaround here:
https://superuser.com/a/1036062
But make sure to fully understand the warning given there since this will affect all sites when the flag is active.
Launching Vivaldi with this argument worked when testing at:
https://wrong.host.badssl.com
-
I'll have to do some more testing - tried it at work with --ignore-certificate-errors and it had no effect.
This would be a perfect type of thing to create an option for in the browser settings IMO - I'd rather not disable ALL certificate checking, particularly on the internet at large. Just keeping a list of the site or IP range & the type of certificate error to ignore (or 'all') would eliminate the problem in a smooth and elegant way without disabling the security features for non-trusted sites. Vivaldi already allows the user to do so much customization to the browser that frankly, with all the people I've seen complaining about it while doing searches for this, I'm amazed that such a feature doesn't already exist.
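The two browser checks discussed above (is the issuer trusted, and is the IP actually named in the SAN) can be reproduced offline, and the reproduction shows why importing the vendor CA only moved the error from NET::ERR_CERT_AUTHORITY_INVALID to NET::ERR_CERT_COMMON_NAME_INVALID. This is an added example, not code from anyone in the thread: it builds a throw-away CA with openssl (assumed to be on PATH) and issues two leaf certificates for the constructed address 192.0.2.10, one naming it only in the CN and one also as an IP entry in the SAN.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two browser checks with a
# throw-away CA. Two leaf certs are issued for the constructed address below,
# one naming it only in the CN, one also as an IP entry in the SAN.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IP=192.0.2.10   # constructed address (RFC 5737 documentation range)

# Throw-away issuing CA, standing in for a vendor's equipment CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Equipment Issuing CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_leaf NAME [SAN]: sign a leaf with CN=<ip>; the SAN is added only if given.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$IP" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  {
    echo "basicConstraints=CA:FALSE"
    if [ -n "${2:-}" ]; then echo "subjectAltName=$2"; fi
  } > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# check_chain NAME: does the leaf chain to a trusted issuer? This is the check
# that importing the vendor CA satisfies (NET::ERR_CERT_AUTHORITY_INVALID).
check_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# check_ip NAME: trusted chain AND the IP present in the SAN. For IP identities
# OpenSSL, like browsers, looks only at the SAN, never at the CN
# (NET::ERR_CERT_COMMON_NAME_INVALID).
check_ip() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$IP" "$WORK/$1.crt" >/dev/null 2>&1
}

issue_leaf cn_only
issue_leaf with_san "IP:$IP"

for leaf in cn_only with_san; do
  if check_chain "$leaf"; then chain=trusted; else chain=untrusted; fi
  if check_ip "$leaf"; then name="IP found in SAN"; else name="IP missing from SAN"; fi
  echo "$leaf: issuer $chain, $name"
done
```

The cn_only leaf passes check_chain but fails check_ip, which is exactly the state the phones are in once their issuing CA is trusted; nothing a client-side trust store can do makes the CN-only certificate name the IP.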
-
@Ruler2112 said in Certificate Security Error Bypass:
Just keeping a list of the site or IP range & the type of certificate error to ignore (or 'all') would eliminate the problem in a smooth and elegant way without disabling the security features for non-trusted sites.
As Vivaldi wants to have a secure browser with real SSL, such an exception/override will not be added in the near future.
Use Firefox if you need better handling.
-
@DoctorG said in Certificate Security Error Bypass:
As Vivaldi wants to have a secure browser with real SSL, such an exception/override will not be added in the near future.
So the sole option available is to totally disable it everywhere instead of only on trusted sites / IPs? Yeah, that makes sense...
-
@Ruler2112 A configurable exception list would be nice.
But I do not know of a Policy (GPO) for this. I need some investigation. Nothing found.