OFTEN USED SITES ARE UNTRUSTED Topic is solved

[mipak]

sessh ...

they didn't ask me to make any changes in the browser, only to make sure that all 3 points were to be ticked.
i can't answer your second question.

[adesh]

That is what you shouldn't have done. Like others said your security is now compromised. What you have done now is that you have just "hidden" the untrusted warning (and the browser still cannot verify the original website certificate) and not eliminated the root problem.

Of course, AdGuard is a company and they'd want you to use their product so they can get money from you. That's why they would try to give you "solution".

[vannilla]

Breaking a lance in favour of AdGuard, they do promise to keep you safe, so even ignoring this whole certificate ordeal in theory you still have some security...
However, they shouldn't be doing this whole ordeal in the first place.
Analyzing the net traffic isn't the right way to do it, especially when the user agent already has plenty of security features built-in that gets broken by programs like AdGuard.

[mipak]

thank you both for your posts.

for the last few days now, i've come to the conclusion that, by their actions, it's very obvious i've become an unwitting customer and that really makes me very annoyed. with no ammunition except an email address with very little knowledge to put in it, i have no idea what to say or do.

is there an overseeing official body or group backed by the law or whatever, who could put pressure on them to force them to do the right thing and get their house in order? i don't really know why the company allowed the programme to become available for sale in the first place, without genuine certification incorporated in the programme.

[Sessh]

I've not had to mess around with certs ever, but I assume that this can be rectified by removing that cert that they had him install? With Adguard uninstalled, his original problem should be gone as well, correct? Is there an easy way to remove that cert and restore the browser's security?

[vannilla]

is there an overseeing official body or group backed by the law or whatever, who could put pressure on them to force them to do the right thing and get their house in order?

No, because they are not doing anything illegal.
What they are doing is giving you a choice: either you trust the program to keep you safe by checking your network traffic (the purpose of the certificate is to analyze it even when the traffic is encrypted by HTTPS) or you trust the web browser to keep you safe with whatever it provides out of the box (plus eventual extensions you installed.)
We could probably go on to discuss the methods they used to provide their services, but these services, including the incriminated certificate, are not illegal.
It seems that AdGuard has other features other than blocking ads, so maybe there's a way to use those without having to give them freedom to check all your traffic?

[Moonchild]

The way certificates work is like this:

You have a site certificate offered by a website you are visiting, which is issued by a Certificate Authority. (CA)
This site certificate is cryptographically (digitally) signed by the CA to indicate that it is authentic.
To verify this in the browser, the CA has its own certificate too, which in turn has to be signed by the authority that issued THAT certificate. (the chain) -- this may be happening one or more times, depending on the certificate.
This goes all the way up to so-called root certificates that are long-duration, known certificates that the internet community as a whole has decided are always trusted by everyone (they are built into the browser). This provides a "trust anchor" that all trust chains must lead up to for the browser to trust the site certificate.

What Adguard does is it tries to use a site certificate that is not issued by a trusted party (because no trusted party would ever sign a certificate valid for ALL domains, that would be bad practice). So instead they want to be "their own CA". This requires you to install the CA certificate in the browser and then to manually assign trust to it (which is what ticking the boxes does), so it doesn't have to rely on any trust anchor (-> since you manually indicate your explicit trust, it becomes its own trust anchor). This means you are telling the browser to trust any site certificate that is signed by the AdGuard CA, even if such a site certificate would be otherwise unacceptable for use on the internet. In turn, this will make the site certificate valid, and the browser won't complain when you are connecting through AdGuard to the Internet. So it practically "fixes the problem that the browser doesn't trust an insecure connection". It doesn't make the connection secure, it just solves the complaint by making it trust the situation.

However, that situation is inherently insecure; as I explained in my FAQ I linked to, it is a bad idea to go about it this way, because you only have knowledge of the connection to your AdGuard software that sits between you and the Internet in that case, and have no way at all to verify the connection between AdGuard and what you're visiting is secure.

[mipak]

many thanks for your very detailed description of how certificates work ... kept reading it many times.
will be saving the whole article in a safe & easily accessible folder as a memory reminder.

but i have to ask you a big favour ...
as far as i could see, there was no reference to any name or any hint as to the author's identification so it is primarily with this in mind, to ask if you would have any objection to my copying it and sending it in an email to adguard? have to say, it is so clear cut, it would be difficult for adguard not to agree. I'd be very interested to read their reply.

no way do i want to be responsible for compromising PM which i've worried about so as i okay'd the little window after ticking the 3 questions ... if i was able to delete that particular file ... have no idea of the name yet, would PM still be compromised?
if that failed, i am more than happy to shut down the pc, reboot and run a clean reinstall of w10 ... wouldn't take long and i'm very used to doing that anyway. after that, there shouldn't any left-over files and folders. would that help?

michael.

[Moonchild]

Feel free to copy any of my public posts as quotes in e-mail. I have no issue with that. you can always link back to the original posts on the forum too for reference if they need more context.

[vannilla]

no way do i want to be responsible for compromising PM which i've worried about so as i okay'd the little window after ticking the 3 questions ... if i was able to delete that particular file ... have no idea of the name yet, would PM still be compromised?

It depends on how this certificate was installed.
Unfortunately I don't know myself so I can't help with this...

after that, there shouldn't any left-over files and folders. would that help?

If you completely wipe and format the disk of course nothing will be there.
Unless someone actually manages to find a way to remove the certificate without wiping everything out, it's the safest way to go back to a clean state.
After that, it's up to you to decide wether it's worth using AdGuard or not. However, as a remainder, if the browser shows you a warning like you've seen when you opened this thread, maybe there is something not quite right going on.

A final note on extensions, the suggested eMatrix is actually pretty difficult to use. It requires actual technical knoweledge because it's aimed at people with that knoweledge. If all you need is an ad blocker with a few more features, you might want to use ABPrime, AdBlock Latitude or uBlock Origin, all of which can be found on https://addons.palemoon.org/extensions/

[mipak]

thank you ... will keep you posted ...

[Tharthan]

Since my parents can't be trusted to surf the Internet

Off-topic:
You make them sound like they are children. If they are so bad at Web browsing, I would figure that they would just visit the same sites over and over again. Why would they be particularly prone to getting viruses?

Off-topic:
The last AV I used was Avast and when I went to uninstall it, it wouldn't work. Not even their standalone uninstaller from their site worked. I had to use Revo to uninstall and went through the registry manually to remove every "Avast" entry I could find, delete all Avast files off my hard drive manually etc.. it worked, but what a pain.

Off-topic:
The name ought to have tipped you off: avast.

Originally from Dutch "hou vast"; "hold fast".

It unbudgingly held fast when you tried to remove it. But it was all in the name, so you cannot say that you weren't warned!

[moonbat]

no way do i want to be responsible for compromising PM which i've worried about so as i okay'd the little window after ticking the 3 questions ... if i was able to delete that particular file ... have no idea of the name yet, would PM still be compromised?

It depends on how this certificate was installed.
Unfortunately I don't know myself so I can't help with this...

Tool - Preferences - Advanced - Certificates tab - View certificates - Authorities. Search the list for the one Adguard has installed and delete it from there. Pale Moon's certificate store is separate from the one on the operating system.

[John connor]

Off-topic:
You make them sound like they are children. If they are so bad at Web browsing, I would figure that they would just visit the same sites over and over again. Why would they be particularly prone to getting viruses?

Off-topic:
Without writing a massive page about how you can come into contact with malware in very clever ways, etc which I could do, I'll just state that my parent's as well as many others never grew up in the age of computers and technology like we have now. In fact, when I was young and we had our very own first VCR (which was massive in size) I was the one to show them how to use it and stop the time from blinking 12:00 all the time. Even today I had to write a step by step guide I printed out on how to use the Blu-ray player and how to fix the sound bar should it stop working for the TV. To my surprise my mom was able to follow my steps and work the damn Blu-ray. My mom doesn't even know much about all the bells and whistles in her smartphone and often forgets what I tried to teach her about how to use a password from her Keepass safe App or other simple things. So being the "official IT guy" of the family I installed Team Viewer on her phone and computer and if she has issues I can remote in from one of my computer's or even my own phone and rectify the situation. You should know that there is a phrase called "granny proofing a computer." And there are many programs that can do that as well as group policy if you have the right version of Windows to do that. Home won't have it, but professional on up will. It's gpedit.msc

I'm not trying to sound like I'm disparaging my parents or anything, but they simply don't know about tech. My dad is even worse. He knows the basics and can search for things, but he has no idea how to bookmark a link. And I could show him all I want and it'll just go through one deaf ear out the other. It's a lost battle.

Now to your point about making them sound like children. I can attest to the fact that this is how you end up with age. My mom and sister work in a nursing home and when you are that old you in fact take on a child-like mentality. Some are always acting up, crying and caring on while others are sweethearts with a sense of wonder and seem to have forgotten the harshness that is this world we live in. At the same time a vast majority of them need their diaper changed, their butt wiped, etc like children. Don't believe me? Then remember what I wrote in the here and now and in 60 years time if you or all of us are still here and you find yourself in a nursing home then you'll know what I'm talking about. Chances are you won't remember. I'm willing to bet every state lottery on that.

Off-topic:
The name ought to have tipped you off: avast.

Originally from Dutch "hou vast"; "hold fast".

It unbudgingly held fast when you tried to remove it. But it was all in the name, so you cannot say that you weren't warned!

Off-topic:
This has become true for a lot of anti-virus software, not just Avast. They are over bloated with useless crap and integrated so well within your OS including the TCP/IP stack that they provide their own damn uninstaller so that their software (telemetry) is 100% removed.

I don't roll with any anti-virus software and largely depend on my good sense, Sandboxie, Virus Total scans, periodic disk clones and evey now and then a plethora of malware scanners. Nothing ever found. Not in this computer, my laptop, my netbook, my other laptop or my parent's computer. This idea that one absolutely needs an anti-virus software is in large part a fallacy. BUT! and that's a big BUT, I know of many ways that I can install a backdoor on your Comp. using powershell (Thanks Microsoft! and thank YOU for the SOAP, Samba and RDP.), images with a payload, etc. So you can be your own worst enemy and you just need to know how all this is done so that you can stay proactive. Education is key in the battle against being owned and tea bagged like a little shit in Call Of Duty.

[John connor]

Come to think of it, I unsubscribed from this mindless drivel. Oh! I was quoted! What a PITA.

[Moonchild]

Off-topic:

Come to think of it, I unsubscribed from this mindless drivel. Oh! I was quoted! What a PITA.

Nobody says you have to respond with a screen-filling off-topic blurb of drivel of your own.

PS: tell your dad to click the damn 🌟

[Tharthan]

Off-topic:
My mom doesn't even know much about all the bells and whistles in her smartphone and often forgets what I tried to teach her about how to use a password from her Keepass safe App or other simple things. So being the "official IT guy" of the family I installed Team Viewer on her phone and computer and if she has issues I can remote in from one of my computer's or even my own phone and rectify the situation.

Off-topic:
I'm surprised that you didn't suggest that she just stick with a flip phone. It's not like those are unobtainable. I'd reckon that that would be less of a hassle for you, no?

Off-topic:
Don't believe me? Then remember what I wrote in the here and now and in 60 years time if [...] you find yourself in a nursing home then you'll know what I'm talking about. Chances are you won't remember. I'm willing to bet every state lottery on that.

Off-topic:
I'm really hoping that I don't end up in a nursing home, so let us hope that it never gets to the point where I would even be in a situation where I would reflect on that, unhappily.

[mipak]

hi ...

had an email from adguard which reads as follows:
==========
"Starting with v68, under certain conditions Firefox-based browsers normally trust certificates from the system storage. However, sometimes for reasons outside of our control the trust mechanism faults, which leads to the "Connection is untrusted" error or filtering issues.
To fix it, it's necessary to download AdGuard certificate and install it to Firefox's local storage manually (or PaleMoon in your case). i'm guessing that that needs to come from adguard ... will email them again.

As far as we understand, you are concerned about your data security while using AdGuard's CA certificate. This certificate is used for HTTPS-filtering. HTTPS is a secured protocol so if you need to filter its traffic through a local VPN that our program establishes ("local VPN" means that your traffic is not routed through any external servers but gets filtered right within your own device), you need to use this type of certificate.

All HTTPS-filtering issues are properly described in our KB article here:
https://kb.adguard.com/en/general/https ... own-issues.

Besides, you can find our Privacy Policy which implies our principles in terms of users' data security: https://adguard.com/en/privacy.html."
==========
the made no further mention of my last one to them!!

michael.

[Moonchild]

DISABLE HTTPS FILTERING IN ADGUARD.
It's a bad idea, no matter if they use a "local vpn" or whatever else is used to intercept traffic (see my FAQ mentioned before as to why). It inherently breaks the browser's ability to have a secure -- encrypted and authenticated -- channel to the server you are connecting to. Https is not just about encryption; it's about encryption and authentication. Just "encrypted" isn't the same as "secure" and people using the two terms interchangeably are in need of some security 101 lessons.

[mipak]

many thanks for that ...
will let you know their reply but i suspect they're digging themselves in or trying to.

my last email to them was this afternoon and i'm not holding out much hope for a sensible/realistic reply.

will keep in touch.

michael.