Forum Discussion
MikeGl1963
May 17, 2022 Brass Contributor
Your connection isn't private on edge after hardening plus no home page
Hi, We are in the process of setting up a policy for organizational users using Edge and GPO. We have had a few hiccups, two of which I would be happy for assistance with fixing. It's important th...
kevin7461
May 18, 2022 Copper Contributor
“ERR_CERT_NO_REVOCATION_MECHANISM” means the certificate has no revocation mechanism, i.e., no CRL or OCSP reference.
I can imagine some CAs issue short-lived certificates and thus provide no means to revoke them. Let's Encrypt would be an obvious example, but they *do* provide revocation means via OCSP.
Google, too, issues short-lived (3 months long) certificates for http://www.google.com but they, too, provide OCSP and CRL in their certificates, at least, for me.
Could it be you are using some middle box (e.g., Palo Alto Networks or Cisco firewall) on your network or antivirus on your computer that does HTTPS interception and substitutes the certificate with its own? To confirm that, can you view the certificate you get and check if it’s really Google’s? Google's certificate is issued by GTS CA, which is issued by GTS Root R1. You can inspect real certificates via https://www.ssllabs.com/ssltest/
MikeGl1963
May 18, 2022 Brass Contributor
Hi Kevin,
So I did as you suggested and looked at the certificate, and indeed, it seems as though our systems are generating a new certificate for http://www.google.com (see attached picture).
What is odd to me is why I do not see this problem with the Chrome browser or Firefox, but only on the Edge, and I am pretty sure it has to do with one of the settings we have set, I just don't for the life of me know which one.
We are currently using a proxy from Broadcom (to be replaced in a few months) from Symantec.
Any pointers as to what setting may be causing this issue on Edge only?
As a side note, we have hardened Chrome as well.
Thanks for the help so far,
Mike
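The certificate check suggested in this thread, as an added example that is not part of the original posts: a Python script that fetches the certificate the client actually receives and reports its issuer and whether it carries an OCSP or CRL reference. The sample dictionaries (names and URLs) are constructed, the `assess` helper is hypothetical, and the live fetch assumes Python's default trust store already contains the proxy CA, as it does on Windows when the CA is deployed to the machine store.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate this machine receives, in getpeercert() form."""
    ctx = ssl.create_default_context()  # OS trust store, so a GPO-deployed proxy CA validates
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name(rdns, field):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested RDN tuples."""
    for rdn in rdns:
        for key, value in rdn:
            if key == field:
                return value
    return None

def assess(cert, expected_issuer_prefixes):
    """Summarise issuer and revocation pointers of one certificate dict."""
    issuer_cn = _name(cert.get("issuer", ()), "commonName")
    ocsp = list(cert.get("OCSP", ()))                   # AIA OCSP responder URLs
    crl = list(cert.get("crlDistributionPoints", ()))   # CRL distribution point URLs
    return {
        "issuer_cn": issuer_cn,
        "ocsp": ocsp,
        "crl": crl,
        # Neither pointer present is the condition the error name describes.
        "has_revocation_mechanism": bool(ocsp or crl),
        "issuer_as_expected": bool(issuer_cn)
        and issuer_cn.startswith(tuple(expected_issuer_prefixes)),
    }

# Constructed samples in the shape getpeercert() returns (not real certificates).
PUBLIC_SAMPLE = {
    "issuer": ((("organizationName", "Sample Trust Services"),),
               (("commonName", "GTS CA (constructed sample)"),)),
    "OCSP": ("http://ocsp.example.test/ca",),
    "crlDistributionPoints": ("http://crl.example.test/ca.crl",),
}
PROXY_SAMPLE = {  # re-signed by an intercepting proxy, no OCSP or CRL reference
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Proxy CA"),)),
}

if __name__ == "__main__":
    for label, cert in (("public", PUBLIC_SAMPLE), ("proxy", PROXY_SAMPLE)):
        print(label, assess(cert, ("GTS CA",)))
    # Live check from an affected workstation:
    # print(assess(fetch_cert("www.google.com"), ("GTS CA",)))
```
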