1

I've been trying to access the website of youtube but it keeps denying permission. It says Incorrect certificate for host.

The server presented a certificate that doesn't match built-in expectations. These expectations are included for certain, high-security websites in order to protect you. Error 150 (net::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN): The server's certificate appears to be a forgery.

What do i do?

user63415
  • 11
  • 1
  • 1
  • 2
  • are you using Chrome? – schroeder Dec 13 '14 at 00:56
  • 1
    Have you tried connecting from elsewhere, or from a different computer in the same network? When you do try, do you get the same (invalid) cert? – atk Dec 13 '14 at 04:59
  • 1
    See the explanation of PKP in http://security.stackexchange.com/questions/29988/what-is-certificate-pinning – DTK Dec 13 '14 at 14:54
  • Where are you when trying to access the site? What state/country, and who provides the network connectivity? –  Dec 13 '14 at 23:30

2 Answers2

6

... ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN)

This error is due to a certificate provided by a peer not matching the expected certificate. This is probably due to SSL interception by some middlebox (firewall) or an attacker, which does a man-in-the-middle attack to intercept and decrypt the traffic to the server and re-encrypt it to the client. Since it does not have the private key of the original certificate it needs to use a different certificate for the connection to the client.

Mostly certificates are only checked by building a trusted path to any of the trust anchors (root certificates) built into the browser or OS and by checking that the name of the target matches the names in the certificate. But for important certificates modern browsers have hard coded the expected public key from the certificate. This technique is called Certificate and Public Key Pinning. This way a browser can detect SSL interception, even if a trusted CA certificate is used to re-sign the original certificate.

SSL interception might be used for legal and illegal reasons:

  • If you are inside a company you work for or in some similar setup, then they might be using SSL interception for security reasons, like scanning encrypted traffic for malware. If this is the case you should contact your system administrator on how to setup your browser to accept the generated certificates from the interception device.

  • If you are at home and getting this error somebody might be tampering with the network, maybe by hijacking your router as done in this case. In this case you need to cleanup your network.

  • If you are at some public hotspot, hotel or similar setup and other requests to web sites work, then somebody might try to attack the network. In this case stay away from further using the network.

  • Also, there are some countries like Iran which do state-wide traffic control, which sometimes includes SSL interception. This happened in 2011 and was detected by a similar error you got. If you live in such country or travel to it there is not much you can do, except maybe use a VPN which is fully under your own control to route your traffic outside this country. But such VPN might be blocked too.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
3

Public key pinning means the server has said

Not only is this cert vouched for by a reputable Certifying Authority, but any time you see a certificate claiming to be me, it will always be vouched for by one of these Certifying Authorities. If you see a certificate claiming to be me issued by a Certifying Authority other than these, it is bogus.

Your browser learned earlier the legit certifying authorities and is refusing to be fooled by what it sees as an attempt to fool it with a certificate from a rogue Certifying Authority.

You can check the certificate being offered with :

echo "" |openssl s_client -connect www.youtube.com:443 2>/dev/null |grep -E '^(subject|issuer)=/'

If it is not signed by the Google Internet Authority G2, then your traffic could be intercepted, or something is Not Right.

DTK
  • 1,190
  • 7
  • 8