Author Topic: Buffalonas blocked by browser for an untrusted certificate  (Read 733 times)

marco3253

  • Calf
  • *
  • Posts: 9
Buffalonas blocked by browser for an untrusted certificate
« on: January 11, 2019, 06:22:39 am »
Hi guys, this is pretty new to me.
I have two customers, both got a Buffalo Station Link Duo (don't think the version are pretty the same cause i bought them 3 years distance each other)
Anyway on the last customer i can't get the remote browsing work.

The port on the router are correct, prove of this is the app on the iPhone working (from another internet source, not lan).
But when i connect to buffalonas.com and type the ID i choose, the browser tells me that "the connection is not in a private modality" (i'm translating the message as in italian appears into the browser.
and also: "the website can assume the identity of xx.xx.xx.xx (ip address) to catch personal or financial informations bla bla bla"
there is nothing i can do to say "ok trust this" just i can go back to the buffalonas.com page.

The strange thing is that the first customer, with an older version of the station, is perfectly working from the same browser...

So what's happening, there is something wrong with this new NAS ?

Thank you

1000001101000

  • Debian Wizard
  • Buffalo
  • ***
  • Posts: 215
  • There's no problem so bad you cannot make it worse
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #1 on: January 11, 2019, 06:50:49 am »
Take a look at the certificate thatís being regected, it should tell you a lot. If the cert is expired, using an outdated hash like sha1, or is from an untrusted issuer you should be able to see whatís going on and work from there.

Texturtle

  • Administrator
  • *****
  • Posts: 765
  • RAID is NOT a substitute for a good backup
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #2 on: January 11, 2019, 08:57:06 am »
The most likely thing is that the customer with no errors is not using HTTPS. Every Buffalo NAS has a certificate pre-installed, but it's self-signed by Buffalo and therefore will never be considered a "trusted" certificate by any browser.

The reason is that a self-signed cert can't be verified to belong to the assumed owner of the site. Data transfers are still encrypted, and as long you know for sure you're connecting to the correct site it's still technically secure, but every browser will tell you it isn't.

The only way to correct that is to install a valid certificate.

marco3253

  • Calf
  • *
  • Posts: 9
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #3 on: January 21, 2019, 07:07:46 am »
Hi Guys and thank you for the answers.
I didn't forget to reply to you, i was just taking some days to make some tests.

I guess the certificate should be released from buffalonas.com website, because it's the website where i'm connecting to, then there is the redirect. Anyway, i tried but there is no "https" at the beginning of the string.
This is a video of what's happening. The first working is relative to the customer1, installed 3 years ago still working with no problem.
The customer 2 as you can see i'm unable to connect, also with different browsers.
The configuration on the router is correct, the prove of this is that the APP on the iPhone is working.

What should I do?

Here's the video on youtube: https://youtu.be/qeFyIFGyGsg

Texturtle

  • Administrator
  • *****
  • Posts: 765
  • RAID is NOT a substitute for a good backup
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #4 on: January 21, 2019, 08:59:43 am »
It would appear that the second browser is set to not allow HTTP connections, only HTTPS.

marco3253

  • Calf
  • *
  • Posts: 9
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #5 on: January 22, 2019, 02:43:55 am »
It would appear that the second browser is set to not allow HTTP connections, only HTTPS.

They're not different browsers, it's Safari on a Macbook. I tried also with Chrome but the results are the same.
What change from first test to the second one it's the customer (different NAS different Router different ISP).
On the App for iPhone it's working, so it's something related to http connections, maybe the App talks on another port.

There is not official support for this? The NAS is new.

marco3253

  • Calf
  • *
  • Posts: 9
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #6 on: January 31, 2019, 10:20:49 am »
Come on guys, i really don't know what to do.


1000001101000

  • Debian Wizard
  • Buffalo
  • ***
  • Posts: 215
  • There's no problem so bad you cannot make it worse
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #7 on: January 31, 2019, 12:35:45 pm »
Finally watched your video.

My italian isnít great but it appears to day itís blocking because of the outdated hash algorithm (see my previous comment). When you expand the details it shows that the cert uses MD5. That appears to be the issue, at least from the browserís point of view.

marco3253

  • Calf
  • *
  • Posts: 9
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #8 on: February 07, 2019, 04:49:46 am »
Finally watched your video.

My italian isnít great but it appears to day itís blocking because of the outdated hash algorithm (see my previous comment). When you expand the details it shows that the cert uses MD5. That appears to be the issue, at least from the browserís point of view.

yeah ok to ALL, but what should I do? the certificate is given by the buffalo website itself, not from the NAS, so i think i'm not in charge to do anything with that, am I wrong?

Texturtle

  • Administrator
  • *****
  • Posts: 765
  • RAID is NOT a substitute for a good backup
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #9 on: February 07, 2019, 09:48:32 am »
Actually that certificate is on the NAS. Clearly the browser can get to buffalonas.com, it errors out when attempting to access the actual webaccess name, which redirects to the NAS.

You'll need to add an exception for that site to the browser to allow access to that site.

The reason that the browser won't trust a self-signed certificate is because that means you could be going to a "fake" website. Since you know that this site is what it claims to be (the NAS you have set up for webaccess) there's no risk in adding the exception.

How to do that will vary by browser.

marco3253

  • Calf
  • *
  • Posts: 9
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #10 on: February 26, 2019, 02:00:46 am »
Thank you for your answer.

As explained here: https://tosbourn.com/getting-os-x-to-trust-self-signed-ssl-certificates/
you can add an exception, but you need to access to the certificate file. I don't think this file is stored into the NAS, i mean, yes it is but I don't think is accessible.


Texturtle

  • Administrator
  • *****
  • Posts: 765
  • RAID is NOT a substitute for a good backup
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #11 on: February 26, 2019, 09:51:37 am »
This appears to be instructions to install a self signed cert on an OS-X system. You don't necessarily need the OS to trust it, you need Safari to trust it. Alternatively, you could install a different browser on the system.

marco3253

  • Calf
  • *
  • Posts: 9
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #12 on: June 10, 2019, 04:17:24 pm »
I guess we are not catching the right point of view. Why should i reach a website only if there is a certificate installed on it? i can access various websites without https, and they work!
So why this NAS is giving me this problems, and another one is not?

1000001101000

  • Debian Wizard
  • Buffalo
  • ***
  • Posts: 215
  • There's no problem so bad you cannot make it worse
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #13 on: June 10, 2019, 05:20:43 pm »
Basically the same technology that ensures youíre really connecting to paypal and not a fake site hosted by a scammer on the same wifi as you. Itís the authenticate part of authenticate and encrypt.

Hereís a good resource for understanding the underlying tech:
https://www.websecurity.symantec.com/content/dam/websitesecurity/digitalassets/desktop/pdfs/whitepaper/beginners-guide-to-SSL-certificates_WP.pdf

Back when this service was created browsers/OS were less aggressive about enforcing un-authenticated encryption than they are now. Unfortunately fully fixing the issue requires doing things buffalo canít do for you (getting a domain name and an ssl cert from certificate authority). 

marco3253

  • Calf
  • *
  • Posts: 9
Re: Buffalonas blocked by browser for an untrusted certificate
« Reply #14 on: June 11, 2019, 04:25:03 am »
this is crazy, the other working buffalo is 3 years older than this! this was bought just 1 year ago.