Safari can't verify the identity of the website "www.hushmail.com", advice please?

Discussion in 'Mac Basics and Help' started by maclad, Nov 5, 2016.

  1. maclad macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #1
    Today when I use my bookmark for Hushmail, Safari says 'Safari can't verify the identity of the website "www.hushmail.com" ' When I click on "Show Certificate" it says "Issued by: Cisco Umbrella Secondary SubCA Ion-SG" Expires: 8 November 2016 etc" and in red "This certificate was signed by an untrusted issuer". My problem is that if this site is pretending to be Hushmail, and I do nothing for a few days, I am due to give them my password to access my account in a few days time. Note, I get access for a week at a time before having to give my password. Any advice will be gratefully received.

    I use hushmail as I can use unlimited alias email addresses and if I get too much spam or a dodgy email, I can delete that alias.
     
  2. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #2
    I'm not getting that message from your link on Safari under Sierra.

    I have seen similar messages on other sites I frequent though, so I think something is up with these certificates. I don't think it is anything evil necessarily, but maybe a configuration issue somewhere.
     
  3. maclad thread starter macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #3
    Thanks Weaselboy.

    I just tried Firefox typing in the address myself, and it says:-

    "Your connection is not secure

    The owner of www.hushmail.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate."
     
  4. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #4
    Hmmm... odd. I wonder if it is something with your ISP. I can get to the HTTPS version in Safari and Chrome both with no issue.

    Screen Shot 2016-11-05 at 12.17.31 PM.png Screen Shot 2016-11-05 at 12.17.19 PM.png
     
  5. maclad, Nov 5, 2016
    Last edited: Nov 5, 2016

    maclad thread starter macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #5
    Thanks, but at the bottom right of your image, it says "Safari can't verify the identity of the webs"

    If in Safari, I clicked continue, I assume that I could go onto the website, but am reluctant to do so.
     
  6. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #6
    What you are seeing there is the tab with this thread and your thread title displayed in the tab. :)
     
  7. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
  8. maclad thread starter macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #8
  9. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #9
    Curious. Did you try the link at the bottom of the page I linked to?
     
  10. maclad, Nov 5, 2016
    Last edited: Nov 5, 2016

    maclad thread starter macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #10
  11. vlug macrumors 6502

    Joined:
    Jul 18, 2009
    #11
    WOW hushmail still exists! damn I wonder if my account from like 1999 still works lol.
     
  12. maclad thread starter macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #12
    If it was a free account you have to access the account every so often, a week or a month etc, otherwise they close it. I pay for my account and hence get unlimited alias email addresses.
     
  13. teidon macrumors 6502

    teidon

    Joined:
    Dec 22, 2009
    #13
    If you are sure that you are connecting to the right website (which you probably are because you are using a bookmark) you can just ignore the warning. You might want to contact Hushmail though and ask if they are aware of the issue. They might simply have forgotten to renew their certificate.
     
  14. maclad thread starter macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #14
    Yes Mr G00GLE gives what is supposed to be a free phone number, 1 (877) 533-4874, but it says it is only available on weekdays pacific time.
     
  15. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #15
    Sorry to bug-out on you. I got an unexpected visitor.

    Just quickly -- in your first post you say "Issued by: Cisco Umbrella Secondary SubCA Ion-SG" Expires: 8 November 2016 etc"

    Mine says -- Issued by thawte... expires Oct 2017

    Sounds as if you have some type of cache issue going on. They must have renewed their Cert. Try clearing your caches. Have to run.
     
  16. maclad, Nov 5, 2016
    Last edited: Nov 5, 2016

    maclad thread starter macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #16
    I've cleared the cache in Safari, ie under the Develop menu I've clicked "Empty Caches", and in the Firefox preferences Advanced tab under "Cached Web Content" I've clicked "Clear Now", but I still get the "Safari can't verify the identity of the website etc" and Firefox still says my "Connection is not secure etc" :(

    I've looked at Macintosh HD/Library/Caches and there appears to be 700 KB total in 11 items, and apart from Epsom they are all named "com.apple." etc. However, it says that I do not have permission to see the contents of the folders "com.apple.coresymbolicationd" or "com.apple.Spotlight".
     
  17. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #17
    I'm not sure what the issue is. You cleared caches, make sure you cleared the cookies too. If you didn't, do so and clear caches again. Make sure the date is correct on your computer. One way to check the validity of a cert is to check its fingerprint or thumbprint. This should get you by, assuming it matches as posted at hushmail, till you contact hushmail or you find a solution here or elsewhere.

    Hushmail's "Be sure you're connecting to Hushmail" page -- https://help.hushmail.com/hc/en-us/articles/213267823-Be-sure-you-re-connecting-to-Hushmail

    I'm not on a Mac. The instructions are for IE, but the cert fingerprint shouldn't be hard to find in Safari or Fx.
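
The fingerprint check suggested in post #17, together with the issuer comparison from post #15, written as an added example for the Terminal (it is not part of any poster's message). All function names are hypothetical, the host and published fingerprint are supplied by the reader, and `make_sample_cert` builds a constructed throwaway certificate so the comparison can be tried offline.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl command-line tool.

# Normalise a fingerprint for comparison: drop any "sha256 Fingerprint="
# label, remove colons/spaces/newlines, and upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint line of a PEM certificate file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Print the issuer line: the field that differed between posters in this
# thread (a filtering-proxy SubCA for one, a public CA for the other).
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Save the leaf certificate a server presents (needs network access).
# Usage: fetch_cert <host> <outfile>
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Succeed only if the certificate's fingerprint equals the published one,
# whatever case or separator style the published value uses.
# Usage: fp_matches <pemfile> <published-fingerprint>
fp_matches() {
    [ "$(normalize_fp "$(cert_fp "$1")")" = "$(normalize_fp "$2")" ]
}

# Constructed sample input: a throwaway self-signed certificate that stands
# in for "whatever the server presented". Usage: make_sample_cert <out> <cn>
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=$2" -days 1 2>/dev/null
    rm -f "$1.key"
}
```

Against a live site, run `fetch_cert` for the host, read `cert_issuer` on the saved file, and pass the fingerprint the site publishes to `fp_matches`. The published fingerprint has to be obtained over a connection that is not subject to the same interception, otherwise the comparison proves nothing.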
     
  18. maclad thread starter macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #18
    Thanks but for any Hushmail link I get the dialogue box saying "Safari can't verify the identity of the website etc".

    The date on my mac says Sunday 6 November 2016 and time of this edit is 3.05 am UK time.
     
  19. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #19
    Doh...
     
  20. petisjioweelsha macrumors member

    Joined:
    Nov 7, 2011
    Location:
    USA
    #20
    https://help.hushmail.com/hc/en-us/articles/216514903

    Problems connecting to Hushmail affecting OpenDNS customers

    Hushmail
    Today at 12:10
    We're investigating reports that some customers are unable to connect to Hushmail due to a web browser security warning. At this time we believe that OpenDNS may have erroneously blocked its customers from viewing the Hushmail website.

    If you are affected by this incident you might see one of the following error messages in your web browser when you open the Hushmail website:

    www.hushmail.com uses an invalid security certificate
    Error code: SEC_ERROR_UNKNOWN_ISSUER
    This domain is blocked due to a phishing threat

    We do not recommend that you open a website if you see an error message about a phishing threat or invalid security certificate.

    We will update this ticket as more information becomes available.

    Update Sat. Nov. 5 2016, 9:08 AM Pacific Time: We have contacted OpenDNS for assistance in resolving this issue. In the meantime, customers affected by this incident can access Hushmail at https://www.hushmailbusiness.com/.
     
  21. Furrybeagle macrumors 6502

    Furrybeagle

    Joined:
    Sep 13, 2004
    #21
    This is usually an indication that a man-in-the-middle (MITM) attack is occurring. In simple terms, someone (or something, we’ll get to this in a moment) wants to intercept your encrypted communication with Hushmail. Since it doesn’t control the certificate for hushmail.com, it generates its own, hoping that you’ll accept it as valid. Once you’ve trusted this certificate, this person can decrypt your traffic, analyze it or modify it, re-encrypt it, and relay it to Hushmail.

    Your browser normally only trusts certificates issued from a set of trusted organizations, called Certificate Authorities (CAs). Your browser is telling you that the certificate you’re encountering is not issued by a trusted CA. It could be generated by anyone: someone sitting next to you in a café who’s also using the free wifi, the people who run the café, your school or organization, your ISP, the government, etc.

    Not all cases of MITM attacks are malicious. The certificate here appears to be (although you have no guarantee that it is) generated by something called Cisco Umbrella. Cisco Umbrella appears to be a corporate security product that will MITM traffic it thinks is suspicious to better assess the risk [1]. Corporations and schools often will MITM users’ traffic to block content and stop the spread of malware over encrypted connections to the Internet. (However, most organizations with control over their users’ computers will add a custom CA, telling the browser to implicitly trust certificates from their firewall or security software, and thus bypassing certificate warnings.)

    So, are you on a corporate or school network? Or, do you have Cisco’s AnyConnect VPN client installed?

    [1] https://news.ycombinator.com/item?id=11765742

    This is not only wrong, but dangerous. When presented with an invalid certificate, you have no guarantee that you’re actually talking to who you think you’re talking to, even if the domain appears correct. You also have no guarantee that someone is not eavesdropping on your communications.

    Furthermore, it doesn’t matter if you don’t enter your password during this time. Any eavesdropper can steal your cookie and impersonate you until that cookie expires (and you’d normally be required to login again).
     
  22. maclad thread starter macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #22
    Thanks very much petisjioweelsha.
     
  23. petisjioweelsha macrumors member

    Joined:
    Nov 7, 2011
    Location:
    USA
    #23
  24. Furrybeagle macrumors 6502

    Furrybeagle

    Joined:
    Sep 13, 2004
    #24
    Since this appears to be affecting OpenDNS users, one simple test is to set your Mac’s DNS servers to Google DNS, 8.8.8.8 (which you can verify is correct here: https://developers.google.com/speed/public-dns/). See here for instructions if you don’t know how to do this: http://osxdaily.com/2015/12/05/change-dns-server-settings-mac-os-x/.

    If the problem still persists after this, you may need to flush your DNS cache, using the Terminal command "sudo dscacheutil -flushcache;sudo killall -HUP mDNSResponder" (in 10.11 and 10.12).
     
  25. maclad, Nov 5, 2016
    Last edited: Nov 5, 2016

    maclad thread starter macrumors newbie

    Joined:
    Nov 5, 2016
    Location:
    UK
    #25
