x509: certificate signed by unknown authority

thorhs
Community Member

I am behind a firewall that performs Man-In-The-Middle decryption of all TLS traffic for scanning purposes. It is working in most, if not all, programs on my Mac, but 'op' fails with the following error:

[LOG] 2017/09/22 15:14:04 (ERROR) Get https://XXX.1password.com/api/v1/auth/XXXX@XXXX/XXXXXXXXXXXXXX/-: x509: certificate signed by unknown authority

Where can I place my MitM CA cert, so I can try out this new tool?

1Password Version: cli 0.1.1
Extension Version: Not Provided
OS Version: 10.12.6
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni
    edited September 2017

    @thorhs: Yep. That's the problem. 1Password.com will reject connections that cannot be established with end-to-end encryption. That's just not something that we're going to change, as it weakens security for all users. If you can set an exception in your "security" software that's performing a person-in-the-middle attack on what should be a direct, private connection between you and the server, that should help alleviate not only the problem but also the security and privacy risk of allowing a third party access to your (in)secure communications. But a better option would be to disable that "feature" completely, as it has the same negative impact on any communications that are meant to be secure.

  • jpgoldberg
    1Password Alumni

    Hi @thorhs, I concur with @brenty. One approach is to talk to whoever administers the firewall and ask them to whitelist 1password.com.

    Better still would be to get them to stop undermining the security architecture of the Internet in general. More and more systems will be working like 1Password and insisting on stricter transport security, so the days of such MitM attacks are numbered anyway. I've seen enough of these that I shouldn't be shocked and amazed, but I still am shocked and amazed that some tools – like the one running on your network – are sold as "security" tools despite the fact that they break a huge portion of what is supposed to keep people safe.

    OK, enough ranting from me. As brenty said, our systems cannot distinguish between a benign and a malign MitM attack. And we configure our systems with the best resistance to MitM attacks available, so there is nothing we can really do at our end.

    Anyway, without knowing the fine details of how network security is deliberately broken on your local network, I can't offer specific advice on how you can further break it to trick 1Password into accepting a MitM attack. (OK, I guess I didn't stop ranting. But I insist that the words "break" and "broken" in this paragraph are exactly the right words.)

    Anyway, most of the tools that do what you describe offer a whitelisting facility. That is going to be the easiest approach.
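The error in the original post, "x509: certificate signed by unknown authority", is the text Go's crypto/x509 verifier produces when the chain a server presents does not lead to any root the client trusts; the "Get https://...:" wrapping around it is Go's HTTP client reporting that failure. The following is an added example, written for this page and not code from 1Password or from the op tool, that reproduces the situation in miniature: a genuine CA issues a certificate for a host, a second "inspection" CA issues its own certificate for the same host (what the scanning firewall does), and the client verifies the interposed chain against a stock trust store, against a trust store with the inspection CA added (the whitelist-free "fix" the poster was looking for), and as a client that additionally pins the genuine server's SPKI hash. The hostname example.test and both CA names are placeholders chosen for the example. The pinned-client case is an illustration of what the replies mean by a client that cannot tell a benign interception from a malicious one and by stricter transport security; whether op itself pins keys is not stated anywhere in this thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "example.test" // placeholder for the XXX.1password.com API host in the log line

type Chain struct{ Leaf, Issuer *x509.Certificate } // a server's Certificate message: leaf, then issuing CA

func check(err error) {
	if err != nil {
		panic(err) // fixture generation: with fixed templates only the entropy source can fail
	}
}

// template is a certificate body: a CA that may sign, or a server certificate for host.
func template(cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{host}
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustCert generates a P-256 key and has parent sign tmpl for it; a nil parent means self-signed.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// SPKIHash is what a pinning client stores: SHA-256 of the leaf's SubjectPublicKeyInfo.
func SPKIHash(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Verify does what crypto/tls does with a received chain: build a path from the leaf, via
// the presented issuer, to a root in the trust store, for the expected hostname and server
// usage. A non-nil pin also requires the leaf key to be the pinned one, whichever CA signed it.
func Verify(ch Chain, roots *x509.CertPool, pin *[32]byte) error {
	inter := x509.NewCertPool()
	inter.AddCert(ch.Issuer)
	_, err := ch.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return err // x509.UnknownAuthorityError when no path reaches a trusted root
	}
	if pin != nil && SPKIHash(ch.Leaf) != *pin {
		return errors.New("spki pin mismatch: chain validates, but the server key is not the pinned one")
	}
	return nil
}

// IsUnknownAuthority reports whether err is "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Setup issues the genuine chain and an interposed chain for host, plus the stock trust store and a patched one.
func Setup() (genuine, interposed Chain, stock, patched *x509.CertPool) {
	realCA, realKey := mustCert(template("Genuine Root CA", true), nil, nil)
	mitmCA, mitmKey := mustCert(template("Corporate TLS Inspection CA", true), nil, nil)
	realLeaf, _ := mustCert(template(host, false), realCA, realKey)
	mitmLeaf, _ := mustCert(template(host, false), mitmCA, mitmKey)
	stock, patched = x509.NewCertPool(), x509.NewCertPool()
	stock.AddCert(realCA)
	patched.AddCert(realCA)
	patched.AddCert(mitmCA)
	return Chain{realLeaf, realCA}, Chain{mitmLeaf, mitmCA}, stock, patched
}

func main() {
	genuine, interposed, stock, patched := Setup()
	pin := SPKIHash(genuine.Leaf) // what a pinning client ships with
	fmt.Println("interposed, stock roots:        ", Verify(interposed, stock, nil))
	fmt.Println("interposed, inspection CA added:", Verify(interposed, patched, nil))
	fmt.Println("interposed, pinned client:      ", Verify(interposed, patched, &pin))
	fmt.Println("genuine, pinned client:         ", Verify(genuine, stock, &pin))
}
```

The first line of output is the poster's error: path building from the inspection CA's leaf reaches no trusted root. Adding that CA to the pool is exactly what "installing the MitM CA cert" does, and path validation then passes, because an x509 chain carries no evidence of whether the signer is the public CA or the box in the server room; that is the mechanism behind "cannot distinguish between a benign and a malign MitM attack". A client that also checks the server's key against a stored pin rejects the interposed chain even with the extra CA trusted, which is why a tool built that way has nowhere for an extra CA to go, and why the whitelist on the inspection device is the only place a fix can live.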

This discussion has been closed.