February 18, 2017

Your connection is not private


Recently I was working with a customer whose external partners/customers saw a security warning when joining a Skype for Business/Lync meeting from the Chrome browser, like the warning above.

Why were they joining the meeting from a browser? Remember that anyone can join a Skype for Business / Lync meeting anonymously using a browser, without installing the Skype for Business / Lync client on their machine.

Why was the certificate warning showing?

This warning appears because the website runs on a SHA-1 certificate, and such websites are no longer supported by Chrome. There is no option to roll back to an older version of the Chrome browser.

The customer attempted to reach join.mydomain.com, but the server presented a certificate signed using a weak signature algorithm (such as SHA-1). This means that the security credentials the server presented could have been forged, and the server may not be the server you expected (you may be communicating with an attacker).

Remember that Microsoft has already made a plan to deprecate SHA-1 (http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx).

In my case the customer was using an Entrust secure certificate for their external web service / meeting join simple URL, and those certificates are based on the SHA-1 algorithm. To check, simply open the certificate (MMC > Add/Remove Snap-in... > Certificate > Add > Computer account > OK), click on Details, and look at the algorithm. Refer to the image below.

Is there a workaround to join these meetings using Chrome?

Yes, you can simply use a different browser, as Internet Explorer, Firefox and Safari still support websites that run on a SHA-1 certificate.

If you want to join the meeting using the Chrome browser, click on “ADVANCED” and you will see the option “Proceed to Join.mydomain.com (unsafe)”. Click it and you will be allowed to join the meeting. Refer to the screenshot below.

If you don’t want to join the meeting, simply click on “Back to safety”.

To permanently resolve the certificate warning, you must request a new certificate with all SANs (Subject Alternative Names) and the SHA-2 algorithm from your certificate provider. Remember that these certificates are expensive, so make your own call before ordering a new certificate.
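
The MMC check described above, and the list of SANs needed for the replacement request, can also be collected with a script. The PowerShell below is an added example, not part of the original post. It assumes the certificate is installed in the Computer account Personal store (`Cert:\LocalMachine\My`) of the Windows server that holds it, and the function name `Get-Sha1SignedCertificate` is hypothetical.

```powershell
# Added example: list certificates in the Computer account store that are
# signed with SHA-1, together with their SANs. Read-only; nothing is changed.

# Signature algorithm OIDs that use SHA-1 (RSA, legacy OIW RSA, DSA, ECDSA).
$sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',   # sha1RSA
    '1.3.14.3.2.29',          # sha1RSA (legacy OIW identifier)
    '1.2.840.10040.4.3',      # sha1DSA
    '1.2.840.10045.4.1'       # sha1ECDSA
)

function Get-Sha1SignedCertificate {
    param(
        # Assumption: the certificate lives in the Computer account "Personal" store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $sha1SignatureOids -contains $_.SignatureAlgorithm.Value } |
        ForEach-Object {
            # The Subject Alternative Name extension has OID 2.5.29.17.
            $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            $sans = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' }

            [pscustomobject]@{
                Subject            = $_.Subject
                Issuer             = $_.Issuer
                SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
                NotAfter           = $_.NotAfter
                Thumbprint         = $_.Thumbprint
                SubjectAltNames    = $sans   # carry these into the SHA-2 request
            }
        }
}

# Show every SHA-1 signed certificate found in the store.
Get-Sha1SignedCertificate | Format-List
```

An empty result means no certificate in that store is SHA-1 signed; any entry returned shows the names the SHA-2 replacement has to cover.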

Thank you.