Threat Prevention Threat Intelligence Database Behaving Strangely - for you too?

With threat intelligence database enabled, if I try to go to www.lynqme.com (a completely legitimate site), a very strange thing happens: Because that site has HSTS, it forces me to https, and I get a certificate mismatch error page from the browser. On looking at the details of the certificate, I see that it is showing MY certificate (a Let's Encrypt certificate loaded on my router), not lynqme's. Happens with all browsers, and doesn't happen if I connect through a third party VPN (which apparently bypasses threat intelligence on the router).

So it feels like there are two things going on: (1) www.lynqme.com is considered by the threat intelligence database to be a "threat," and (2) when Safe Access attempts to connect me to itself (to show me Safe Access's own error page), it gets confused somehow by my own cert.

Anyone else get similar results? Prerequisites: Safe Access is running; Threat Intelligence Database is enabled; you have an SSL cert installed on the router; you attempt to browse to www.lynqme.com.
Hi Akahan,

The same happens here. Your URL gets blocked by Safe Access as category Malicious.

You can either add it to Safe Access's exception list, or press "proceed anyway" on the SRM blocking page. The blocking is also the reason why you end up with your LE certificate, since the blocking page is returned by your router using this certificate.

Best regards,
Roger
 
Thanks for confirming that the URL is blocked for you as well.

Unfortunately, and this is exactly what's weird, I don't get the SRM blocking page, with its "proceed anyway" option. Instead, I get a blocking page generated by the browser, which doesn't have a "proceed anyway" option. I get that because the browser won't connect with SRM's blocking page because of the "certificate error."
Sorry, I forgot to mention that the SRM page only shows up after you have proceeded past the browser blocking page. For example, Chrome blocks the access because the certificate does not match the domain, and after you tell Chrome you want to proceed anyway you end up with the SRM blocking page :). From there you can tell SRM you want to proceed anyway and (at least when I tried it before) you finally end up on the requested page without further interruption ;)

Chrome: See here for possible options (also note "option 3" in comments).

After all, if you are sure the page is of no harm, I would add it to the exception list in Safe Access.
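As an added diagnostic (not code from this thread or from Synology), the check below tells the situation described above apart from an ordinary certificate error: it fetches the certificate a client is actually shown for a hostname, validates the chain as usual, and then reports whether the names on it belong to the requested site, to the router's own certificate (the Safe Access block page case), or to neither. The router name "router.example.net" is a constructed placeholder.

```python
import socket
import ssl

# Names on the router's own certificate; constructed placeholder, not a real value.
ROUTER_CERT_NAMES = {"router.example.net"}


def san_matches(hostname, san_name):
    """RFC 6125-style match: exact name, or '*' standing for the whole leftmost label."""
    host = hostname.lower().rstrip(".")
    name = san_name.lower().rstrip(".")
    if name.startswith("*."):
        h_labels, n_labels = host.split("."), name.split(".")
        return len(h_labels) == len(n_labels) and h_labels[1:] == n_labels[1:]
    return host == name


def cert_names(cert):
    """DNS names from an ssl.getpeercert()-style dict: SAN entries, else subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def diagnose(hostname, cert, router_names=ROUTER_CERT_NAMES):
    """Classify the presented certificate relative to the hostname requested."""
    names = cert_names(cert)
    if any(san_matches(hostname, n) for n in names):
        return "ok"
    if any(n.lower() in router_names for n in names):
        # The router answered with its own cert: a Safe Access block page, not the site.
        return "router-block-page"
    return "mismatch"


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Fetch the presented cert. The chain is still validated against the system
    trust store (a Let's Encrypt router cert passes); only the hostname check is
    skipped so that diagnose() can do it. Raises ssl.SSLError if the chain fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(diagnose("www.lynqme.com", fetch_peer_cert("www.lynqme.com")))
```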
 
I've made the exception, as I'm confident there's nothing malicious there.
While I was thinking about this, it occurred to me to try removing the cert from my router (for testing purposes...), and was surprised that there doesn't seem to be any way to do so! Am I missing something?
 
I guess that HTTPS is enabled in the web server and there's no way to disable it (through the portal).

To stop the SRM server certificate from triggering a mismatch alert in the browser, you can download the certificates and key from SRM. Then you install on local devices JUST the server certificate and change the trust settings so browsers will accept it for any domain.

You may find that the categorisation is associative and not directly related to the web site you're trying to access. When web services are hosted in virtualised environments and accessed through a common IP, it could be that a different tenant has caused the problem. Useful to check with AbuseIPDB.
 