Work computer shows “This connection is not private” warning on almost all sites


My workplace allows me to use a Mac, but doesn't have much experience with them; their support is minimal if well intentioned, and generally as much harm as help. This includes installing antivirus software etc.

Recently, both Safari and Chrome have started showing the "This connection is not private" error with most off-site URLs. This is a recent change, and includes web sites I was able to access last week. I'm running MacOS 10.14.6 (18G87) with all updates.

This isn't a question of our IT deliberately blocking sites, as I can access them from my Windows computer (and in any case it includes sites that are clearly work-related).

In some cases, but not all, I'm able to bypass the warning by following the accepted answer for How do I bypass "this connection is not private" warnings in safari? (i.e. clicking through the "show details" buttons and entering my password), but this doesn't always work, and is pretty inconvenient besides.

I've also tried the other answers from that question, but these do not work. This is perhaps not surprising as that question refers to development work which involves self-generated SSL certificates, and my situation doesn't involve these.

I've also tried turning off antivirus software (insert scare quotes as you like), and that didn't help.

Note: When I look at the certificates on the problematic sites, I see the site's certificate but it's underneath a certificate issued by my workplace, and the browser shows my workplace's certificate as "Untrusted". I don't know how certificates work, but I'm guessing this is the problem and what I need to do is somehow make my browsers trust my workplace's certificates.

Any suggestions for working around this problem?

Best Answer

This is not a purely Apple-related question, but it's worth to reply.

TL;DR: You should go to your company's IT Security Department immediately because the certificates that encrypt your web traffic can be compromised.

Long story, your company uses a kind of proxy called "Transparent proxy" for SSL traffic. This consists of a proxy that the user doesn't have to authenticate or configure him/herself, with the addition of a SSL certificate issued by your company that replaces all the HTTPS certificates of the servers you are trying to connect to.

This is, effectively, considered as a Self-Signed certificate by your browser, and is actually making your company able to decrypt and inspect all your web traffic (TIP: stop facebooking at work =) ) . As "out-of-the-box" web browsers do not distinguish between these IT configurations from proper, evil man in the middle attacks, they present you such a warning.

In order to get rid of the warning, the companies' IT Departments install their Certification Authority Certificate, or "certificate issuer's" Certificate, in the computers' KeyChain. Secondly, they mark the CA certificates as ultimately trusted system-wide, so that the browsers recongise that situation as expected when they validate the SSL proxy certificate.

So, if you got back that warning it is because that trust chain of certificate validation initially set up by your company is, somehow, broken. From best to worst scenario, it can be because:

  • Your company's proxy certificate has expired and they have to replace it
  • Your computer has lost the CA certificate of your company, or it has expired, and they have to install a new one. Or a maintenance task just lost the trust settings for the certificate.

For these two above, better to check with IT for them to review all the settings. Do not take the risk of changing that trust yourself, as it would make you accountable if something further breaks... and you don't want to be accountable for a security breach.

Worse scenarios:

  • Your company proxy has been hacked and the certificate has been replaced by an adversary's certificate.
  • Your company traffic is proxied through another (an adversary's) proxy, that is to say, you are suffering a (very clumsy) Man in The Middle Attack

Normally, in these kind of attacks, the computers have to be malware-infected for that malware to install the adversary CA into the KeyChain; otherwise all the computers would issue such a warning.