
maclad

macrumors member
Original poster
Nov 5, 2016
UK
Today when I use my bookmark for Hushmail, Safari says 'Safari can't verify the identity of the website "www.hushmail.com"'. When I click on "Show Certificate" it says "Issued by: Cisco Umbrella Secondary SubCA Ion-SG, Expires: 8 November 2016 etc" and in red "This certificate was signed by an untrusted issuer". My problem is that if this site is pretending to be Hushmail, and I do nothing for a few days, I am due to give them my password to access my account in a few days' time. Note, I get access for a week at a time before having to give my password. Any advice will be gratefully received.

I use hushmail as I can use unlimited alias email addresses and if I get too much spam or a dodgy email, I can delete that alias.
 
I'm not getting that message from your link on Safari under Sierra.

I have seen similar messages on other sites I frequent though, so I think something is up with these certificates. I don't think it is anything evil necessarily, but maybe a configuration issue somewhere.
 
Thanks Weaselboy.

I just tried Firefox typing in the address myself, and it says:-

"Your connection is not secure

The owner of www.hushmail.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate."
 
Hmmm... odd. I wonder if it is something with your ISP. I can get to the HTTPS version in Safari and Chrome both with no issue.

 
Thanks, but at the bottom right of your image, it says "Safari can't verify the identity of the webs"

If in Safari, I clicked continue, I assume that I could go onto the website, but am reluctant to do so.
 
WOW hushmail still exists! damn I wonder if my account from like 1999 still works lol.
 
If it was a free account you have to access the account every so often, a week or a month etc, otherwise they close it. I pay for my account and hence get unlimited alias email addresses.
 
If you are sure that you are connecting to the right website (which you probably are because you are using a bookmark) you can just ignore the warning. You might want to contact Hushmail though and ask if they are aware of the issue. They might simply have forgotten to renew their certificate.
 
Yes Mr G00GLE gives what is supposed to be a free phone number, 1 (877) 533-4874, but it says it is only available on weekdays pacific time.
 
Unless I click continue, I do not see the webpage at all, Safari just shows a dialogue box similar to the attachment in this post:-

https://forums.macrumors.com/threads/safari-cant-verify-the-identity-of-the-website.1924332/
Sorry to bug-out on you. I got an unexpected visitor.

Just quickly -- in your first post you say "Issued by: Cisco Umbrella Secondary SubCA Ion-SG" Expires: 8 November 2016 etc"

Mine says -- Issued by thawte... expires Oct 2017

Sounds as if you have some type of cache issue going on. They must have renewed their Cert. Try clearing your caches. Have to run.
 
I've cleared the cache in Safari, ie under the Develop menu I've clicked "Empty Caches", and in the Firefox preferences Advanced tab under "Cached Web Content" I've clicked "Clear Now", but I still get the "Safari can't verify the identity of the website etc" and Firefox still says my "Connection is not secure etc" :(

I've looked at Macintosh HD/Library/Caches and there appears to be 700 KB total in 11 items, and apart from Epsom they are all named "com.apple." etc. However, it says that I do not have permission to see the contents of the folders "com.apple.coresymbolicationd" or "com.apple.Spotlight".
 
I'm not sure what the issue is. You cleared caches, make sure you cleared the cookies too. If you didn't, do so and clear caches again. Make sure the date is correct on your computer. One way to check the validity of a cert is to check its fingerprint or thumbprint. This should get you by, assuming it matches as posted at hushmail, till you contact hushmail or you find a solution here or elsewhere.

Hushmail's "Be sure you're connecting to Hushmail" page -- https://help.hushmail.com/hc/en-us/articles/213267823-Be-sure-you-re-connecting-to-Hushmail

I'm not on a Mac. The instructions are for IE, but the cert fingerprint shouldn't be hard to find in Safari or Fx.
 
Thanks but for any Hushmail link I get the dialogue box saying "Safari can't verify the identity of the website etc".

The date on my mac says Sunday 6 November 2016 and time of this edit is 3.05 am UK time.
 
Doh...
Your connection to our website is confirmed by an Extended Validation SSL certificate owned by Hush Communications Canada, Inc.

If you see a certificate warning when accessing Hushmail, do not continue. Someone may be attempting to intercept your communications. However, the most likely cause of an invalid certificate warning is that the date is set incorrectly on your computer. If this is the case, please correct the date setting on your computer and then reload the Hushmail website.

To confirm that you are really connecting to Hushmail:

Note: These instructions are for customers using Microsoft Internet Explorer. If you are using other web browsing software, the steps will be very similar. The term thumbprint may be replaced with fingerprint.
  1. Navigate to https://www.hushmail.com/
  2. Click the padlock in your web browser's location bar.
  3. Click View certificates.
  4. Select the Details tab.
  5. Compare the Thumbprint to the following:
     d1 39 7a 56 66 1e 49 0b cd c5 7b 66 8b 61 5d af b4 4b 44 06
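
The thumbprint comparison from the quoted Hushmail instructions, as an added example that is not part of the original post or of Hushmail's page: it hashes the DER certificate the network actually presents and compares it with the published SHA-1 thumbprint, accepting the spaced, colon-separated or unseparated hex forms that browsers show. The function names are assumptions made for this example; the only value taken from the page is the thumbprint quoted above.

```python
import hashlib
import hmac
import socket
import ssl

# Thumbprint quoted in this thread from Hushmail's help page (SHA-1, 20 bytes).
PUBLISHED_THUMBPRINT = "d1 39 7a 56 66 1e 49 0b cd c5 7b 66 8b 61 5d af b4 4b 44 06"


def normalize(fp: str) -> bytes:
    """Accept 'd1 39 ..', 'D1:39:..' or 'd1397a..' and return the raw bytes."""
    cleaned = "".join(ch for ch in fp if ch not in " :-\t\n")
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex input


def sha1_thumbprint(der: bytes) -> bytes:
    """A browser 'thumbprint'/'fingerprint' is a hash of the DER certificate."""
    return hashlib.sha1(der).digest()


def format_fp(raw: bytes) -> str:
    return " ".join(f"{b:02x}" for b in raw)


def matches(der: bytes, published: str) -> bool:
    want = normalize(published)
    if len(want) != hashlib.sha1().digest_size:
        raise ValueError("expected a 20-byte SHA-1 thumbprint")
    return hmac.compare_digest(sha1_thumbprint(der), want)


def fetch_presented_cert(host: str, port: int = 443) -> bytes:
    # Chain validation is switched off ONLY so an untrusted certificate can be
    # inspected; no HTTP request, cookie or password is sent on this connection.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    der = fetch_presented_cert("www.hushmail.com")
    print("presented:", format_fp(sha1_thumbprint(der)))
    print("published:", PUBLISHED_THUMBPRINT)
    print("match" if matches(der, PUBLISHED_THUMBPRINT) else "MISMATCH: do not log in")
```

A mismatch is what an intercepting proxy like the one discussed in this thread produces, but a published thumbprint also changes whenever the site renews its certificate, so compare against the value on the site's current help page.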
 
https://help.hushmail.com/hc/en-us/articles/216514903

Problems connecting to Hushmail affecting OpenDNS customers

Hushmail
Today at 12:10
We're investigating reports that some customers are unable to connect to Hushmail due to a web browser security warning. At this time we believe that OpenDNS may have erroneously blocked its customers from viewing the Hushmail website.

If you are affected by this incident you might see one of the following error messages in your web browser when you open the Hushmail website:

www.hushmail.com uses an invalid security certificate
Error code: SEC_ERROR_UNKNOWN_ISSUER
This domain is blocked due to a phishing threat

We do not recommend that you open a website if you see an error message about a phishing threat or invalid security certificate.

We will update this ticket as more information becomes available.

Update Sat. Nov. 5 2016, 9:08 AM Pacific Time: We have contacted OpenDNS for assistance in resolving this issue. In the meantime, customers affected by this incident can access Hushmail at https://www.hushmailbusiness.com/.
 
This is usually an indication that a man-in-the-middle (MITM) attack is occurring. In simple terms, someone (or something, we’ll get to this in a moment) wants to intercept your encrypted communication with Hushmail. Since it doesn’t control the certificate for hushmail.com, it generates its own, hoping that you’ll accept it as valid. Once you’ve trusted this certificate, this person can decrypt your traffic, analyze it or modify it, re-encrypt it, and relay it to Hushmail.

Your browser normally only trusts certificates issued from a set of trusted organizations, called Certificate Authorities (CAs). Your browser is telling you that the certificate you’re encountering is not issued by a trusted CA. It could be generated by anyone: someone sitting next to you in a café who’s also using the free wifi, the people who run the café, your school or organization, your ISP, the government, etc.

Not all cases of MITM attacks are malicious. The certificate here appears to be (although you have no guarantee that it is) generated by something called Cisco Umbrella. Cisco Umbrella appears to be a corporate security product that will MITM traffic it thinks is suspicious to better assess the risk [1]. Corporations and schools often will MITM users’ traffic to block content and stop the spread of malware over encrypted connections to the Internet. (However, most organizations with control over their users’ computers will add a custom CA, telling the browser to implicitly trust certificates from their firewall or security software, and thus bypassing certificate warnings.)

So, are you on a corporate or school network? Or, do you have Cisco’s AnyConnect VPN client installed?

[1] https://news.ycombinator.com/item?id=11765742

If you are sure that you are connecting to the right website (which you probably are because you are using a bookmark) you can just ignore the warning. You might want to contact Hushmail though and ask if they are aware of the issue. They might simply have forgotten to renew their certificate.

This is not only wrong, but dangerous. When presented with an invalid certificate, you have no guarantee that you’re actually talking to who you think you’re talking to, even if the domain appears correct. You also have no guarantee that someone is not eavesdropping on your communications.

Furthermore, it doesn’t matter if you don’t enter your password during this time. Any eavesdropper can steal your cookie and impersonate you until that cookie expires (and you’d normally be required to login again).
 
Thanks very much petisjioweelsha.
 
Problems connecting to Hushmail affecting OpenDNS customers

Since this appears to be affecting OpenDNS users, one simple test is to set your Mac’s DNS servers to Google DNS, 8.8.8.8 (which you can verify is correct here: https://developers.google.com/speed/public-dns/). See here for instructions if you don’t know how to do this: http://osxdaily.com/2015/12/05/change-dns-server-settings-mac-os-x/.

If the problem still persists after this, you may need to flush your DNS cache, using the Terminal command "sudo dscacheutil -flushcache;sudo killall -HUP mDNSResponder" (in 10.11 and 10.12).
 