Problems connecting to HTTPS websites on unsecured WiFi

I am on a MacBook Air running OSX 10.10.2. I try to connect to an HTTPS website on Firefox and I get the message

Your connection is not secure

The owner of www.google.co.il has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

When I click on advanced I see

www.google.co.il uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

When I try to open a non-HTTPS website it seems to work and when I connect to a WiFi with a password it everything works. I have tried clearing browser caches and clearing history, turning off and back on again and using chrome.

I used Safari and I was able to bypass the error but then it tells me "העמוד אליו הגעת חסום לגלישה!" which means "The page you reached is blocked for browsing!" but it doesn't say why.

I don't have access to the router but everyone else whose computer is connected to this WiFi seems to work just fine.


The certificate is not trusted because the issuer certificate is unknown.

Given the google host, it is not very likely that the host itself is the cause of the error.

It sounds like there may be a SSL proxy, or some other form of deep packet inspection on the network.

This may be a rogue agent, or a legitimate part of the corporate network.

The idea is simple enough, each client has a root certificate installed for which the private key is known by the router or proxy. The proxy then acts as a "man in the middle" and decrypts and re-encrypts data on the secured connections. This allows the proxy to do a deep inspection of then content to and from external sources, such as https sites.

Some may argue this is a bad thing, since the proxy (and possibly whoever has access to the proxy) can now see all the data that is thought by the user to be secured end to end. Some may argue it is a good thing since the corporate can inspect and verify, and protect itself against, data leaving and coming into the network before it reaches the end point.

The other users may not be experiencing the same symptoms as you if they already have the proxy certificate source installed as a trusted CA, but the deep packet inspection is still being done.

There are many resources in the internet covering this issue, here are some of the first hits covering this;

http://cookbook.fortinet.com/why-you-should-use-ssl-inspection/

And

https://en.wikipedia.org/wiki/Man-in-the-middle_attack

"The page you reached is blocked for browsing!"

Given the above possibilities, I would suspect a firewall (or the proxy) is blocking you as well.