Netgate Discussion Forum
    Kaspersky Error "Cannot guarantee authenticity of the domain"

    10 Posts 5 Posters 1.2k Views
Aadrem

      Hello everyone,

      I'm encountering an issue with Kaspersky on my laptop. I keep receiving the error "cannot guarantee authenticity of the domain to which encrypted connection is established" every time I use Google Chrome to visit any site. This problem occurs with Chrome, not with Firefox.

      Here is my setup:

      • On my pfSense, I have both pfBlockerNG and Snort installed.
      • I've tried various configurations but haven't been able to resolve the issue.
      • I would prefer not to disable any functionalities of my antivirus because I also use my laptop on other networks.

      Additionally, Kaspersky is unable to verify its license because I have blocked geographical connections from Russia. I have already added the necessary links to the whitelist, but it still isn't working.

      Does anyone have any advice or solutions for these problems?

      Thank you in advance!

SteveITS (Galactic Empire) @Aadrem

        @Aadrem 1) since you mention "to Russia" where are you? The US has cut off Kaspersky a/v I think sometime next month.

2) are you reaching a pfBlocker DNSBL block page? That will always see the self-signed certificate on pfSense itself, hence the warning from the browser and/or a/v.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!

Aadrem @SteveITS

          @SteveITS said in Kaspersky Error "Cannot guarantee authenticity of the domain":

1) since you mention "to Russia" where are you? The US has cut off Kaspersky a/v I think sometime next month.

2) are you reaching a pfBlocker DNSBL block page? That will always see the self-signed certificate on pfSense itself, hence the warning from the browser and/or a/v.

          Thank you for your response.

          I'm located in Europe, and no, I am not being redirected to the pfBlocker DNSBL block page. The error occurs directly in Google Chrome whenever I try to visit any site. Kaspersky displays the error message "cannot guarantee authenticity of the domain to which encrypted connection is established," and I have to respond to this error message; otherwise, Kaspersky blocks all active connections.

          We are considering migrating to a different antivirus solution, but in the meantime, we would like to resolve this issue.

          Do you have any further suggestions?

          Thank you in advance!

johnpoz (LAYER 8 Global Moderator) @Aadrem

@Aadrem and what are the details of that cert? I assume it's Kaspersky doing its MITM and presenting you with a cert signed by its CA, which your browser would have to trust. Look at the details of the cert once you allow the traffic: what does it show?

            For example here are the details of the cert for the netgate forum.

[image: cer.jpg, certificate details for the Netgate forum]

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

SteveITS (Galactic Empire) @Aadrem

              @Aadrem Agree, check the cert it is seeing. Bitdefender for example will also MITM for HTTPS traffic, and installs their own CA on each PC so the cert is "valid." (Firefox shows a small warning that Firefox doesn't recognize the CA).


Aadrem

                Thank you for your messages.

                This is the certificate. It seems to be a certificate generated by pfSense. I have also tried installing the root CA in the "Trusted Root Certification Authorities" folder in Windows. As a result, the certificate error itself no longer appears, but Kaspersky continues to flag the issue. Interestingly, Chrome doesn't show any specific error; it's only Kaspersky that is reporting this.

[image: Captura de pantalla 2024-08-09 100826.png, the certificate presented to the browser]

Gertjan @Aadrem

                  @Aadrem said in Kaspersky Error "Cannot guarantee authenticity of the domain":

                  This is the certificate. It seems to be a certificate generated by pfSense

It seems?
I'm pretty sure you know who this is:
[image: 996a5203-6000-4491-b1bb-6a85c0857476-image.png, the certificate's issuer]

                  😊

It's the certificate the pfBlockerNG web server uses to show you the page that tells you your browser was visiting 'some site' (it was stats.g.doubleclick.net) and that your browser, as it was using 'https', wanted to get a certificate that says "I am stats.g.doubleclick.net".
Let this sink in slowly: THIS is what "https" is all about.

No need to tell you that you can't get a certificate that says "I am stats.g.doubleclick.net" so pfBlockerNG can use that cert so your browser doesn't flag the error.
You can't get a cert for microsoft.com, or google.com, etc. either.

And now I know what you think: "But wait, in that case showing a browser that he visited a blocked web site (DNSBL), that can't work?!" ..... And you are correct.
IMHO: switch off that functionality, just block the page, do a "Null blocking (logging)" which silently blocks:

[image: 3706fe85-ac04-4b5c-b08c-16c70de046a0-image.png, the DNSBL "Null Block (logging)" setting]

That "show the user a page in his web browser that the URL he wanted to visit is blocked" works well with http web sites, as these can get redirected elsewhere.
https can not be redirected. Not for me, not for you, for nobody. If it could, the Internet, as we know it, would become useless ....

                  No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

Aadrem @Gertjan
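To make Gertjan's point concrete, here is an added Python illustration (not code from the thread, pfSense or pfBlockerNG) of the two independent checks a TLS client runs on a server certificate: whether the issuer is trusted, and whether the certificate's names match the host that was requested. The sample certificate record is constructed in the shape of `ssl.SSLSocket.getpeercert()` output with hypothetical pfSense names; it shows why installing the pfSense CA (as Aadrem tried) removes only the first problem, while the name mismatch for stats.g.doubleclick.net remains.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(): the
# self-signed certificate the pfBlockerNG DNSBL web server presents.
# The names are hypothetical placeholders, not values from the thread.
PFSENSE_BLOCKPAGE_CERT: Dict = {
    "subject": ((("commonName", "pfSense-XXXX.localdomain"),),),
    "issuer": ((("commonName", "pfSense-XXXX-CA"),),),
    "subjectAltName": (("DNS", "pfSense-XXXX.localdomain"),),
}


def san_dns_names(cert: Dict) -> List[str]:
    """DNS entries of subjectAltName: what the client compares the host against."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or a wildcard covering exactly
    one leftmost label (*.g.doubleclick.net matches stats.g.doubleclick.net,
    *.doubleclick.net does not)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def issuer_cn(cert: Dict) -> str:
    return dict(pair for rdn in cert["issuer"] for pair in rdn).get("commonName", "")


def check_cert(cert: Dict, requested_host: str, trusted_cas: Iterable[str]) -> Tuple[bool, bool]:
    """Return (issuer_trusted, name_matches); the two checks are independent."""
    trusted = issuer_cn(cert) in set(trusted_cas)
    matched = any(name_matches(n, requested_host) for n in san_dns_names(cert))
    return trusted, matched


def verdict(cert: Dict, requested_host: str, trusted_cas: Iterable[str]) -> str:
    trusted, matched = check_cert(cert, requested_host, trusted_cas)
    problems = []
    if not trusted:
        problems.append("untrusted-issuer")
    if not matched:
        problems.append("name-mismatch")
    return "+".join(problems) or "ok"


if __name__ == "__main__":
    host = "stats.g.doubleclick.net"  # the blocked name discussed in the thread
    print(verdict(PFSENSE_BLOCKPAGE_CERT, host, []))                   # untrusted-issuer+name-mismatch
    print(verdict(PFSENSE_BLOCKPAGE_CERT, host, ["pfSense-XXXX-CA"]))  # name-mismatch
```

Only a certificate that carries the blocked domain's own name would pass the second check, which no firewall can legitimately obtain; that is why Null blocking, which never answers the HTTPS request at all, avoids the warning.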

@Gertjan said in Kaspersky Error "Cannot guarantee authenticity of the domain": (quoting the explanation above)

                    Thank you so much for the detailed explanation. The issue is finally resolved! I was so focused on more complex possibilities that I missed the detail about the redirect. I really appreciate your help.

mikekoke @Aadrem

                      @Aadrem
                      Hi, I'm having the same problem with Kaspersky, how did you solve the problem?

Aadrem @mikekoke

                        @mikekoke You should just set Null Block in the DNSBL Groups Summary section.
                        As @gertjan clearly explained, HTTPS traffic cannot be intercepted and redirected like HTTP.
This means showing a block page when accessing a blocked HTTPS domain (like stats.g.doubleclick.net) won't work: your browser will flag a certificate error, because pfBlockerNG cannot present a valid certificate for those domains.

➡️ The recommended solution is to switch to Null blocking (logging), which silently blocks access without trying to show a redirect page.
                        This way, users won’t see certificate errors, and the block is still effective.

                        Let me know if you need help finding where to set this.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.