Hi,
I am unable to access torproject.org in either Chromium or Firefox.
Error message in Firefox:
The owner of torproject.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
torproject.org uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER
Error message in Chromium:
Attackers might be trying to steal your information from torproject.org (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
torproject.org normally uses encryption to protect your information. When Chromium tried to connect to torproject.org this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be torproject.org, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chromium stopped the connection before any data was exchanged.
You cannot visit torproject.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
A recent Hacker News comment: https://news.ycombinator.com/item?id=13309795
suggests that this is not an isolated occurrence.
I have had this issue for a while, but unfortunately can't pinpoint it to a particular package upgrade/change on my system.
Any ideas?
Thanks.
Last edited by gajjanag (2017-01-03 19:13:14)
"Behind every theorem lies an inequality" - A N Kolmogorov
Offline
Please post the output of
curl -Iv https://www.torproject.org
timedatectl
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Offline
/tmp> curl -Iv https://www.torproject.org
* Rebuilt URL to: https://www.torproject.org/
* Trying 146.112.61.106...
* TCP_NODELAY set
* Connected to www.torproject.org (146.112.61.106) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Curl_http_done: called premature == 1
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
/tmp> timedatectl
Local time: Tue 2017-01-03 10:08:17 PST
Universal time: Tue 2017-01-03 18:08:17 UTC
RTC time: Tue 2017-01-03 18:08:17
Time zone: America/Los_Angeles (PST, -0800)
Network time on: no
NTP synchronized: no
RTC in local TZ: no
"Behind every theorem lies an inequality" - A N Kolmogorov
Offline
I think there's something wrong with your root certificates. Do you also see that error on other https* websites?
Offline
I'm not an expert in these matters, but it looks like your DNS is incorrectly configured, or something (e.g. parental controls?) is blocking access to that URL. The URL is resolving as an OpenDNS IP, rather than a torproject IP.
$ nslookup 146.112.61.106
106.61.112.146.in-addr.arpa name = hit-adult.opendns.com.
Authoritative answers can be found from:
61.112.146.in-addr.ARPA nameserver = auth1.opendns.com.
61.112.146.in-addr.ARPA nameserver = auth2.opendns.com.
auth1.opendns.com internet address = 208.69.39.2
auth2.opendns.com internet address = 146.112.60.53
EDIT: See https://support.opendns.com/hc/en-us/ar … -Addresses-
Last edited by WorMzy (2017-01-03 18:34:53)
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Offline
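The manual check from the post above, as an added example that is not part of the original thread: it reads saved `curl -Iv` and `nslookup <ip>` output, pulls out the address curl connected to and its PTR name, and reports when certificate verification failed against a host whose PTR lies outside the expected domain. The function names are hypothetical and the sample text is copied from the posts in this thread. A PTR outside the site's domain is only a hint (CDN-hosted sites have one too); it becomes meaningful together with the verification failure.

```shell
#!/bin/sh
# Triage for "unknown issuer" errors: did DNS return someone else's address?
# Works on saved tool output so it runs offline. Sample text below is copied
# from the thread; function names are hypothetical (added example).

CURL_LOG='* Trying 146.112.61.106...
* Connected to www.torproject.org (146.112.61.106) port 443 (#0)
* SSL certificate problem: unable to get local issuer certificate'

PTR_OUT='106.61.112.146.in-addr.arpa name = hit-adult.opendns.com.'

# Address curl actually connected to, taken from `curl -Iv` output.
connected_ip() {
    printf '%s\n' "$1" |
        sed -n 's/^\* Connected to [^ ]* (\([0-9a-fA-F.:]*\)) port .*/\1/p' |
        head -n 1
}

# PTR name from `nslookup <ip>` output, trailing dot removed.
ptr_name() {
    printf '%s\n' "$1" | sed -n 's/.*name = \(.*\)\.$/\1/p' | head -n 1
}

# classify CURL_LOG PTR_OUTPUT EXPECTED_DOMAIN
#   tls-ok        no certificate error in the curl log
#   ptr-matches   cert error, but PTR is inside the expected domain
#                 (look at the local CA bundle or the server's chain instead)
#   no-ptr        cert error and no PTR record to compare
#   ptr-mismatch  cert error and PTR belongs to another party
#                 (DNS filtering or interception is the likely cause)
classify() {
    _ip=$(connected_ip "$1")
    _ptr=$(ptr_name "$2")
    if ! printf '%s\n' "$1" | grep -q 'SSL certificate problem'; then
        echo "tls-ok"
        return
    fi
    case "$_ptr" in
        "")          echo "no-ptr ip=$_ip" ;;
        "$3"|*."$3") echo "ptr-matches ip=$_ip ptr=$_ptr" ;;
        *)           echo "ptr-mismatch ip=$_ip ptr=$_ptr" ;;
    esac
}

classify "$CURL_LOG" "$PTR_OUT" "torproject.org"
```

On a live system the two inputs would come from `curl -Iv https://www.torproject.org 2>&1` and `nslookup` on the address it reports.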
@WorMzy: yes, that was the culprit.
I had been experimenting with alternative DNS providers.
Thanks a lot!
"Behind every theorem lies an inequality" - A N Kolmogorov
Offline