Forum Discussion

MikeGl1963's avatar
MikeGl1963
Brass Contributor
May 17, 2022

Your connection isn't private on edge after hardening plus no home page

Hi, We are in the process of setting up a policy for organizational users using Edge and GPO. We have had a few hickups, two of which I would be happy for assistance with fixing. It's important th...
microsoft edge
security baseline
security compliance toolkit
kevin7461's avatar
kevin7461
Copper Contributor
May 18, 2022
“ERR_CERT_NO_REVOCATION_MECHANISM” means the certificate has no revocation mechanism, I.e., no CRL or OCSP reference.
I can imagine some CAs issue short-lived certificates and thus provide no means to revoke them. Letsencrypt would be an obvious example, but they *do* provide revocation means via OCSP.
Google, too, issues short-lived (3 months long) certificates for http://www.google.com but they, too, provide OCSP and CRL in their certificates, at least, for me.

Could it be you are using some middle box (e.g., PaloAlto Networks or Cisco firewall) on your network or antivirus on your computer that does https interception and substitutes certificate with their own? To confirm that, can you view the certificate you get and check if it’s really Google’s? Google certificate is issued by GTS CA which is issued by GTS Root R1. You can inspect real certificates via https://www.ssllabs.com/ssltest/
  • MikeGl1963's avatar
    MikeGl1963
    Brass Contributor
    May 18, 2022

    kevin7461 

     

    Based on what you said, I looked over my parameters and found the following setting:

     

    "Specify if online OCSP/CRL checks are required for local trust anchors" Which we had set to Enabled. As per the explanation "If Microsoft Edge can't get revocation status information, these certificates are treated as revoked ("hard-fail")." The moment I set this back to Not Configured, everything started working again.

     

    So thank you for your excellent assistance.

     

    Since I can't mark two posts as Best Response, and since I got the help I needed from you and from mikhailf I hope you will both accept my thanks alone in this.

     

    Mike Glassman

  • MikeGl1963's avatar
    MikeGl1963
    Brass Contributor
    May 18, 2022

    kevin7461 

     

    Hi Kevin,

    So I did as you suggested and looked at the certificate, and indeed, it seems as though our systems are generating a new certificate for http://www.google.com (See attached picture).

    What is odd to me is why I do not see this problem with the Chrome browser or Firefox, but only on the Edge, and I am pretty sure it has to do with one of the settings we have set, I just don't for the life of me know which one.

    We are currently using a proxy from Broadcom (to be replaced in a few months) from Symantec.

    Any pointers as to what setting may be causing this issue on Edge only ?

    We have hardened the Chrome as well as a side note.

    Thanks for the help so far,

    Mike

Resources