An SSL error has occurred

Bill_W
Community Member
edited February 2016 in Business and Teams

G'day,
I have changed my login id for teams. When I logged back in (on the new id) I get this pop up - 'An SSL error has occurred and a secure connection to the server cannot be made. Would you like to connect to the server anyway?' I am offered a dismiss option, which appears to stop the process.

I have seen this on both my iPad and Mac. I don't know if it is relevant, but I have had trouble getting onto some of your sites as a result of security issues in the past. I can get onto your sites if I tether my cell phone and use that for the network.

Bill


1Password Version: 6.2.2
Extension Version: Not Provided
OS Version: iOS
Sync Type: Dropbox

Comments

  • ssoroka
    1Password Alumni

    Hey Bill,

    Is this your own local network, or an office network?

    Some spam filters or anti-virus software attempt to intercept secure connections, and can cause problems with our website. You could try temporarily disabling these to see if that has any effect.

    If you get the certificate details from our website, you can check the fingerprint of our SSL certificate. Our current certificate has a SHA1 fingerprint of 53 76 A9 CB 26 56 21 D3 B0 78 B9 38 9A 18 4D 80 31 32 04 E0. You can see this by clicking on the lock icon, going to View Certificate, View Details, and scrolling to the bottom.

    Let me know if this helps at all.
    Steven

  • jpgoldberg
    1Password Alumni

    G'day @Bill_W,

    I'd just like to add a bit to what @ssoroka has suggested. Something is wrong with the TLS/SSL connection which is probably a consequence of an interaction between

    1. Our very strict adherence to the strongest forms of the protocols
    2. Something happening on your local network

    As Steve mentioned, anti-virus or local "security" systems sometimes try to intercept all network traffic, including SSL/TLS traffic. We, of course, try to make sure that nothing is intercepting the traffic between your client and our servers.

    Anyway, please do tell us what you see when you inspect the certificate when trying to connect to your team. The message that you are getting probably offers an option to inspect a certificate. But you can typically do so by clicking on the "lock" in the Location bar and then clicking on "Show Certificate".

    To make absolutely sure that you are getting the Certificate that is used for individual teams, scroll down in the Certificate Details and look for the "Fingerprint".

    [Image: *.1password.com certificate fingerprint]

    Cheers,

    -j
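The fingerprint comparison that both replies above describe can also be scripted. This is an added example, not part of either post and not 1Password's code; the function names are hypothetical, and the expected value is the 2016 fingerprint quoted in the thread, so it will not match a certificate issued later.

```python
import hashlib
import hmac
import re
import socket
import ssl
import sys

# SHA-1 fingerprint quoted in the reply above (the 2016 certificate only).
EXPECTED_SHA1 = "53 76 A9 CB 26 56 21 D3 B0 78 B9 38 9A 18 4D 80 31 32 04 E0"

def normalize(fp: str) -> str:
    """Drop spaces/colons and lowercase, so browser display formats compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Hex digest of the DER-encoded certificate, as shown in certificate viewers."""
    return hashlib.new(algo, der).hexdigest()

def matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    return hmac.compare_digest(fingerprint(der, algo), normalize(expected))

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return whatever leaf certificate this network path presents, trusted or not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspection only: never send data on this socket
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    host = sys.argv[1]  # run once on the affected network and once on a tethered one
    der = fetch_leaf_der(host)
    print(host, "sha1  ", fingerprint(der))
    print(host, "sha256", fingerprint(der, "sha256"))
    print("matches quoted fingerprint:", matches(der, EXPECTED_SHA1))
```

A different fingerprint on the affected network than on the tethered one means something on that path is terminating TLS and presenting its own certificate.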

  • Bill_W
    Community Member

    The issue appears on my home network. I am not sure that AV or Spam is the issue as the symptom is seen on PC and Mac.

    In my mind, the common part is the router (Billion 7404) or ISP (Foxtel provided by Telstra (Bigpond)). If you can give any clues on how to test, I would appreciate this.

    When I can get through, the certificates match what you provided above.

  • jpgoldberg
    1Password Alumni

    Thanks @Bill_W. Can you let me know what browser you are using? And does it offer to show you more details when you get the report of the SSL error?

  • natelandau
    Community Member

    I just tried to sign up for a team account from my office and encountered a complete failure of every part of the system due to SSL errors. I used VNC to get into my home network to create the team.

    At work:

    • I can't access the sign-up page
    • Can't access the email confirmation page
    • Can't add the team to my 1Password client

    Additionally, both Chrome and Safari show your pages as complete dead-ends. There's no certificate to inspect in Keychain. Ch

    I recognize that end to end security is important here but this is the first time I've encountered a failure of this nature in my office. I know the site and IPs are not blocked. Is there a workaround for this? The service won't be of much use to me if it breaks within our corporate network. Are there common workarounds?

  • jpgoldberg
    1Password Alumni
    edited February 2016

    Hi @natelandau,

    I really am sorry for the trouble that you've encountered, but as you said “end to end security is important here”. Something – almost certainly in your office network – is subverting end-to-end security. The reason that you rarely see this with other sites and services is because we have been especially careful to ensure that end-to-end security is happening as it should.

    Please keep in mind that our system (and your browser) can't distinguish between a benign Man-in-the-Middle (MitM) attack and a malign one. And someone running a malign MitM could use it to deliver a corrupted version of 1Password to your browser. This is why it is so important for us to prevent them.

    The more we know, the more we can help

    One thing that would help us a great deal is if we knew what sort of security filter your corporate network is using. I believe that if we were to work with them, we should be able to find a solution that meets their needs and our security needs. But at this point, we can only guess what is going on and about what sorts of solutions may or may not be workable. So if you could find a way to involve your corporate IT/Security people in this discussion, that would be a great help. Obviously, I don't want to put you in the middle of any sort of conflict with your employers, but as I said we can't distinguish between benign versus malign MitM attacks. At least not without their help.

    Use the native client instead of the browser

    One possible work-around is to use the web-client through your VPN, but to use the 1Password application itself from your work network. (The native application doesn't depend on TLS security the way that the web app does.) I don't know if that will be satisfactory for you.

    Turn off HSTS in your browser (please don't do this)

    I do not know the nature of the MitM attack your corporate network is using, but from a glance at the screenshot from Safari that you provided, I suspect it is a variant of SSLStrip. In this, they redirect your HTTPS traffic to an HTTP domain, run their filtering/monitoring on that, and then make a proper TLS connection to us. With HSTS, your browser knows that it should only ever connect to start.1password.com using HTTPS and so rejects an HTTP connection.

    I may be entirely wrong that this is an SSLStrip mechanism, but if it is, you can let yourself be subject to such a MitM attack by disabling HSTS for 1password.com in Chrome. (There are ways to do it in Safari, but it is easier in Chrome).

    In Chrome go to chrome://net-internals/#hsts in your Location bar. You will see a page that looks like:

    [Image: Chrome HSTS management page]

    In the "Query domain" section, put 1password.com into the Domain field. You should see something like what is above. If you really want to go through with this, then put 1password.com into the "Delete domain" section and click "Delete". That will tell Chrome to forget that it has been told to only use HTTPS when talking to *.1password.com. Then try again.

    Please don't do this

    If that works, I would still like to ask you to try the other options. By doing that, you are letting a MitM attack occur. Even if the people running that attack are well-meaning, it means that your 1Password security will depend on theirs. That is, anyone who gains control of their monitoring/filtering system would be in a position to run a nasty attack against you.

    But if you test this and it does give you a work-around, please let me know. This will help me better understand what sorts of well-meaning subversions of TLS are out there being used.

This discussion has been closed.