Your connection is not secure ... This site uses HTTP Strict Transport Security (HSTS) ... Firefox shows the certificate only PEM encoded
When there is an error during the TLS handshake and the site uses HSTS, Firefox shows the server's certificate from the TLS handshake only PEM encoded, and I have to use additional tools to decode it and see what is going on.
Why doesn't Firefox show the certificate in a human-readable form? It already has code to present certificates that way.
Am I missing something or is the PEM encoded certificate really the only form accessible?
Example:
Access to Google's web cache was blocked by Cisco Umbrella. The faked certificate required for redirection to a block page was rejected in Firefox and the certificate was shown only in PEM format:
Your connection is not secure
The owner of webcache.googleusercontent.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
...
webcache.googleusercontent.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
...
Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: true
Certificate chain:
All Replies (3)
The issuer of the certificate is OpenDNS
- Common Name (CN) webcache.googleusercontent.com
- Organization (O) OpenDNS, Inc.
If you use (or want to use) this service then check their FAQs to see how you can make this work with Firefox.
You can install the Cisco Umbrella Root CA in the Firefox Certificate Manager and set the trust bit for websites when prompted.
- Issuer O=Cisco, CN=Cisco Umbrella Root CA*
See:
That encoding might be the format in which Firefox receives the certificate; I really have no idea.
I agree it would be preferable to show it in a human readable form, and I don't know why it isn't. I wonder whether there is some concern that malicious code could be generated that way??
cor-el said
The issuer of the certificate is OpenDNS ...
The certificate was just an example and I already identified it as belonging to Cisco Umbrella, which uses OpenDNS certificates. My question was if I have to use an external tool to see the certificate and be able to identify it. But thank you anyway.
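For readers who hit the same error page, one way to decode a pasted certificate chain with the openssl command-line tool, as an added example that is not part of the thread. The function names and the sample certificate (generated on the fly for a constructed subject) are assumptions; the repair step tolerates marker lines that lost their leading dashes and base64 lines joined by spaces.

```shell
#!/bin/sh
# Added example: decode a certificate chain pasted from a browser error page.

# Rebuild well-formed PEM from pasted text on stdin: restore marker lines
# that lost dashes and re-wrap base64 that was joined by spaces.
normalize_chain() {
  awk '
    /BEGIN CERTIFICATE/ { buf = ""; inside = 1; next }
    /END CERTIFICATE/ {
      print "-----BEGIN CERTIFICATE-----"
      while (length(buf) > 0) { print substr(buf, 1, 64); buf = substr(buf, 65) }
      print "-----END CERTIFICATE-----"
      inside = 0; next
    }
    inside { gsub(/[ \t\r]/, ""); buf = buf $0 }'
}

# Print subject, issuer and validity dates for every certificate on stdin.
describe_chain() {
  tmp=$(mktemp -d) || return 1
  normalize_chain | awk -v dir="$tmp" '
    /^-----BEGIN/ { n++ }
    { print > (dir "/cert" n ".pem") }'
  for f in "$tmp"/cert*.pem; do
    [ -f "$f" ] || continue
    openssl x509 -in "$f" -noout -subject -issuer -dates ||
      echo "undecodable block: ${f##*/}"
    echo
  done
  rm -rf "$tmp"
}

# Constructed sample: a throwaway self-signed certificate for a made-up
# subject, damaged the way a copy and paste can damage it.
make_damaged_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -days 1 \
    -subj "/O=Example Filter/CN=blocked.example.test" 2>/dev/null |
  awk '
    /BEGIN/ { print "BEGIN CERTIFICATE-----"; next }
    /END/   { printf "\n"; print "END CERTIFICATE-----"; next }
    { printf "%s ", $0 }'
}

make_damaged_sample | describe_chain
```

With a chain copied from the error page saved to a file, `describe_chain < chain.txt` lists each certificate's subject and issuer in the order the server sent them.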