Thursday, March 2, 2023

Apologies to My ISP

Yesterday at work, I was surprised to see my browser balk at the certificate for a Yahoo.com URL. This led me to take a closer look: as earlier with my webmail, the certificate was issued by OpenDNS, and the certifying authority was Cisco Umbrella. I checked with the network guys, and indeed Cisco Umbrella is doing some special handling with URLs not from a set of trusted domains.

I had not seen this particular bit of handling in quite a while. The way that it works, apparently, is that the firewall emulates a browser with the incoming data, accepting and decrypting it. If the data is not judged malicious, the firewall passes it back along to the PC's browser. But in order to do so, it must provide its own certificates, hence OpenDNS, certified by Cisco Umbrella.

I don't know that this is better than a simple block. Google Chrome gives explicit warnings about expired or bad certificates, and can be configured to refuse a connection to servers with bad certificates. At work, it is so configured.

I was wrong, therefore, to blame my ISP for my PC's refusal to connect to webmail this weekend.
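The re-signing described above can be reproduced offline with throwaway certificates. The script below is an added example, not part of the original post and not Cisco's code. It shows that a leaf certificate signed by an inspection root is accepted only by a trust store that contains that root, and that the issuer field names the proxy. All certificate names and the hostname are constructed, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: every subject name and hostname below is made up.

# Create a self-signed root CA.  $1=dir  $2=file basename  $3=subject
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Issue a leaf for a hostname, signed by the named root, the way an
# inspection proxy re-signs a site.  $1=dir  $2=CA basename  $3=hostname
sign_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# True only if certificate $1 chains to a root in trust file $2.
trusted_by() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Print the issuer line, the field to read when a browser balks.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" proxy  "/O=Example Inspection Proxy/CN=Example Inspection Root CA" &&
    make_root "$d" public "/O=Example Public CA/CN=Example Public Root" &&
    sign_leaf "$d" proxy www.example.test || return 1

    issuer_of "$d/leaf.pem"
    # A PC whose trust store lacks the proxy root rejects the leaf.
    if trusted_by "$d/leaf.pem" "$d/public.pem"; then
        echo "store without proxy root: accepted"
    else
        echo "store without proxy root: rejected"
    fi
    # A PC with the proxy root installed accepts the same leaf.
    if trusted_by "$d/leaf.pem" "$d/proxy.pem"; then
        echo "store with proxy root: accepted"
    else
        echo "store with proxy root: rejected"
    fi
    rm -rf "$d"
}

demo
```

On a live connection, `openssl s_client -connect host:443 -servername host` followed by the same `openssl x509 -noout -issuer` reads the issuer of whatever certificate the network actually presents.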
