Chrome on Mac returns ERR_SSL_PROTOCOL_ERROR for any 1password.com urls

blinnro
Community Member

When I try to access any 1password URLs on MacBook Pro (OSX 10.11.6) Chrome (74.0.3729.169), including my vault and the main website, I see

This site can’t provide a secure connection 1password.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

Same at home and work. No problem for coworker on work network. No problem on iPhone Chrome on work network.

Work IT staff poked around and then recommended I contact you for troubleshooting tips.


1Password Version: Not Provided
Extension Version: 1.15.2
OS Version: OSX 10.11.6
Sync Type: Not Provided
Referrer: forum-search:SSL protocol error chrome

Comments

  • Hi @blinnro,

    Can you please check that the date, time, and timezone are set correctly on your Mac? SSL is sensitive to issues with time, and so it is important that the time be pretty close to exact. You can reference https://time.is/

    Ben

  • blinnro
    Community Member

    Hi! Thanks for the suggestion. I did check and date/time/zone are set correctly (+/- 0.015s).

  • @blinnro

    Thanks for checking. Are you using a proxy server or VPN to connect to the internet on this Mac?
    Do you have any firewall, anti-virus, or "internet security" software installed?

    Ben

  • blinnro
    Community Member

    I'm checking with the IT folks about proxies, VPN, and firewall. I don't think this Mac is using any of those. I do know our school district uses Lightspeed web filtering and there is a program called "Sophos Anti-Virus" installed on my machine.
    Thanks,
    Christopher

  • I suspect the filtering is the problem. Looking at Lightspeed's website one of the things they advertise is "decrypt SSL without proxy." That will most likely interfere with the ability to establish a secure connection to 1Password.

    Ben

  • blinnro
    Community Member

    Ok, Thanks! I'll take that back to the IT folks and see what they can do.

  • Great. Please let us know what you find out. It would be good to know if there is indeed some sort of incompatibility with Lightspeed, and if so if there are any options to remedy that.

    Ben

  • blinnro
    Community Member

    Our network administrator changed local Lightspeed settings to allow all connections to 1password.com URLs. That seems to have done the trick. I guess the only thing I'm left wondering is why the Chrome error didn't show the LightSpeed filter page, but that is outside the scope of this ticket for my purposes.
    Thanks for the help!
    Christopher

  • Thanks for the update. Good to know that Lightspeed was indeed the cause and that there is a way to work around it. If there is anything else we can do, please don't hesitate to contact us.

    Ben

  • gazu
    Community Member

    @blinnro

    I guess the only thing I'm left wondering is why the Chrome error didn't show the LightSpeed filter page

    1Password have Strict Transport Security (including forced SSL) enabled on their servers which means rogue connections will be terminated prematurely.

    By doing this it stops an attacker receiving any information whereas corporate SSL intercept systems normally just replace the certificate with one of their own meaning most unfiltered webpages will still appear but the administrator can see everything. 1Password's solution stops the administrator seeing anything other than a failed connection.

    You'll only see the LightSpeed alert page when there's an arbitrary failure (e.g. specific blocked content).

  • AGAlumB
    1Password Alumni

    Indeed, a popular attack on TLS is to negotiate a downgrade to a lower version or SSL which has vulnerabilities that can be exploited. So to avoid a whole class of person-in-the-middle attacks against 1Password users, we reject those connections instead of falling prey to that. If 1Password can't be used securely (i.e. on an unsafe network decrypting your traffic, or a public computer that someone else controls) it should not be used at all.
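
Added example, not part of the original thread or any 1Password tooling: one way to confirm the path-specific TLS interference diagnosed above is to probe the same host from the failing network and from a known-good one (such as the phone or coworker's machine mentioned earlier) and compare what each path presents. The function names, result labels and sample values are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl
import sys

def probe(host, port=443, timeout=5.0):
    """Record what this network path presents for `host` during the TLS handshake.

    Verification is disabled on purpose: the aim is to capture the certificate
    actually served, even if it chains to a filter's private CA. No request is sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {"ok": True, "version": tls.version(),
                        "sha256": hashlib.sha256(der).hexdigest()}
    except (ssl.SSLError, OSError) as exc:
        # The ERR_SSL_PROTOCOL_ERROR case from the thread lands here.
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}

def classify(suspect, baseline):
    """Compare a probe from the failing path with one from a known-good path."""
    if not baseline["ok"]:
        return "inconclusive"   # the host fails everywhere, so the path is not the variable
    if not suspect["ok"]:
        return "path_broken"    # handshake dies only on this path: filter or middlebox
    if suspect["sha256"] != baseline["sha256"]:
        # Not proof on its own: large sites can serve different leaf certificates
        # from different edges, so inspect the issuer before concluding.
        return "cert_mismatch"
    return "match"              # same certificate on both paths: look at the client

# Constructed sample probe results (not real certificates or real captures).
SAMPLE_BASELINE = {"ok": True, "version": "TLSv1.3",
                   "sha256": hashlib.sha256(b"constructed leaf A").hexdigest()}
SAMPLE_RESIGNED = {"ok": True, "version": "TLSv1.2",
                   "sha256": hashlib.sha256(b"constructed leaf B").hexdigest()}
SAMPLE_FAILING = {"ok": False, "error": "SSLError: constructed handshake failure"}

if __name__ == "__main__":
    # Run once per network with the host as the argument, then compare the outputs.
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_FAILING, SAMPLE_BASELINE))
```
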

This discussion has been closed.