Intermittent Site not secure on Google.com

[nlinecomputers]

I've got one client on multiple PCs on Chrome or IE that randomly will not open Google. They get Your connection is not private: ERR_CERT_COMMON_NAME_INVALID:

It seems to only happen on Google and not on every visit. All the systems are Windows 7 Pro. They run Chrome without extensions and one guy uses IE. So far three systems are doing this. I can't find a cause. They are running standard WIndows firewalls, which I have reset, the AV is SolarWindsRMM Bitdefender. There is no malware that I can find nor have I been able to reproduce the issue with my own eyes.

 

[Slaters Kustum Machines]

Hmm, are the date and time correct on the machines? Typically this would affect every HTTPS site though and all the time.

 

[nlinecomputers]

Hmm, are the date and time correct on the machines? Typically this would affect every HTTPS site though and all the time.

Time and Date are correct.

 

[glennd]

I've got one client on multiple PCs on Chrome or IE that randomly will not open Google. They get Your connection is not private: ERR_CERT_COMMON_NAME_INVALID:

It seems to only happen on Google and not on every visit. All the systems are Windows 7 Pro. They run Chrome without extensions and one guy uses IE. So far three systems are doing this. I can't find a cause. They are running standard WIndows firewalls, which I have reset, the AV is SolarWindsRMM Bitdefender. There is no malware that I can find nor have I been able to reproduce the issue with my own eyes.

i've been seeing this myself on a few different sites. The page refers to "the website uses HSTS" which one should read more about. I'm on Win 7.

 

[nlinecomputers]

I've seen exactly this on a machine using Eset NOD32, which scans SSL traffic with a man-in-the-middle attack using its own certificates - I believe Bitdefender uses a similar technique.

Turning off SSL traffic scanning fixed it until Eset got their act together. Worth a try?

I remember that. This is the BD engine built into SolarWinds RMM. It doesn't have a few of those features that the commercial BD versions have. I can't find any such setting in the SW-RMM dashboard. How would you test to see if this is happening? I've never seen any BD signed certs in place of expected ones.

 

[nlinecomputers]

i've been seeing this myself on a few different sites. The page refers to "the website uses HSTS" which one should read more about. I'm on Win 7.

Are you running SolarWinds' Agent on them?

 

[glennd]

Are you running SolarWinds' Agent on them?

no

 

[nlinecomputers]

Bitdefender?

 

[glennd]

Bitdefender?

i just tried it on a win8 machine and got the same results. the site in question is not google and the 3 machines don't have a lot in common. 1) win 7, emsisoft, 2) win 7, msse, 3) win 8, emsisoft. I'm not sure my problem is the same as yours but it is a coincidence that this error has started popping up about the place.

 

[glennd]

Quick and dirty: Uninstall BD and see what happens.

Analytical: From Chrome, hit F12 to bring up the Developer Tools window then select the Security tab (usually hidden behind ">>"). Now you'll have more information than you can shake a stick at!

"The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (AES_128_CBC with HMAC-SHA1)."

 

[GTP]

I had this happen a few days ago in IE. Turning off SSL 2.0 and SSL 3.0 and turning on TLS 1.1 and TLS 1.2 (don't turn on TLS 1.0!) solved it.
Haven't seen the error in Chrome yet.

 

[glennd]

"Access to this website has been disabled by an order of the Federal Court of Australia because it infringes or facilitates the infringement of copyright."
Yeah, I don't think this is @nlinecomputers 's problem...

 

[nlinecomputers]

Quick and dirty: Uninstall BD and see what happens.

Sure I can do that but it happens too intermittently and I don't always hear from the end user when it does. Really don't want to leave them open that long.

Analytical: From Chrome, hit F12 to bring up the Developer Tools window then select the Security tab (usually hidden behind ">>"). Now you'll have more information than you can shake a stick at!

Yes, Thanks, I know about that. See above about end users not reporting it AS it happens and I was referring to perhaps a known service running that I could see. Something that is known to slip into the SSL stack. I really hate this kind of virus protection(assuming that is the issue here) as it circumvents a perfectly working system.

 

[nlinecomputers]

I had this happen a few days ago in IE. Turning off SSL 2.0 and SSL 3.0 and turning on TLS 1.1 and TLS 1.2 (don't turn on TLS 1.0!) solved it.
Haven't seen the error in Chrome yet.

That is the default settings except for TLS 1.0 and google isn't using that. It's TLS 1.2

 

[GTP]

Is Chrome using some weird proxy settings? Have you set the proxy settings to default?

 

[GTP]

Not sure if this is relevant but there is a mention of SSL errors.
May steer you in the right direction?

"Another issue I'm getting is sometimes users will get a HSTS SSL cert error trying to browse to certain sites (Twitter mostly)................"

https://support.solarwindsmsp.com/portal/answers?id=90650000000TlqWAAS

 

[ComputerRepairTech]

Something with the router perhaps?

 

[nlinecomputers]

That's always the problem with intermittent stuff - it's much easier to fix things if you can see them going wrong.

You're going to have to convince your client that you can only fix this if they call you immediately they see the failure and do nothing else until they speak to you. Anything else is just guesswork.

You didn't mention how frequently it fails - once every dozen pages, twice a day, or every other Thursday? If the issue is really bad then you might even want to suggest that they allocate someone to hammering away on a known-faulty machine until the problem occurs. Then you jump in (remotely or in person), diagnose the fault, fix it, and you're home in time for tea and medals.

Not sure on that either. Every complaint I've gotten has been after the fact and as a "by the way...." I have requested of the owner that he instructs everyone to call me the next time it happens so that I can remote in and look at it. But you know how that goes. It is happening enough that I get complaints but not enough for them to stop and call.

 

[mr m]

Sure I can do that but it happens too intermittently and I don't always hear from the end user when it does. Really don't want to leave them open that long.

How about installing MSE temporarily? You'll get your answer soon enough and they will have adequate protection in the interim.

 

[nlinecomputers]

Ok, finally had someone there CALL me while the issue was happening. They were trying to open google.com but the certificate that was fetched was for weather.com and the end user has never visited that site.