Users of Google Chrome browser are facing trouble visiting HTTPS websites, if a Sophos firewall is used. The browser shows certificate warnings and saying, the the communication isn’t private.
I was notified via this tweet from Hans-Peter Holzer about this topic. He pointed out, that Chromium 58 browser won’t accept certificats (CAs), if a Sophos firewall is installed (which is the case within his environment).
Great! @googlechrome 58 now distrusting all #MITM #proxy CA. Cert pinning? Breaking corporate environments using @SophosSupport #UTM etc. pic.twitter.com/i6T4zAyaIs
— Hanspeter Holzer (@HanspeterHolzer) 20. April 2017
If a user visits a website via https, the following certificate warning will be shown within Chromium.
This bus is reported since March 2017 here. The answer from Sophos support is straight: Use another browser or deactivate HTTPS scanning in Sophos firewall.
@HanspeterHolzer @googlechrome @etguenni @golem @heisec Hi At the moment the Work around is to disable HTTPS scanning or Use another Web Browser .^ ap
— Sophos Support (@SophosSupport) 20. April 2017
Sophos has published a short explanation, why this happens. This incident shows another time, that third party vendors shall not inspect https communication – we have seen many cases, wher TLS interceptions has weakened https or systems. US-CERT has issued last March an alert HTTPS Interception Weakens TLS Security.