NordVPN--Couldn't establish a secure connection... internet traffic intercepted?

Wallace_n_Gromit

Senior Member
In all the years of having a NordVPN subscription (4+ years), I have never seen such a pop-up message before.

1) Using NordVPN -- it's been active for several days. Just leave my computer on 24/7.

2) Using Firefox browser at https://armory.worldofwarships.com/ for the prior 2 hours or so.

3) Had several tabs open (in that Firefox browser) including a youtube.com, and two voice.google.com sessions.

4) Was launching games from the World of Warships game launcher for the prior hour or so.

Any idea(s)?
 

Are you using the app or just the browser extension?

I have the app running on my Linux server that is also my router and a few other functions, and I have it auto-connect by CLI. I know they did an update recently to the app that required some trickery to log in again, but not sure why you would see a prompt for a new certificate that was issued back in 2016. Seems a bit odd to say the least.

First thing I would do is check the status of the app and then check your IP and make sure it's a VPN IP and not your real one.

Also, you can take the fingerprint from the message and google the cert to see if there's something that got compromised or verify the validity.
 
I am using the app. NordVPN v. 7.8.4.0

The app does show GREEN, i.e. connected. When I go to dnsleaktest.com it does show an IP address that is not my own.

I did block out the thumbprint (dunno if that was really necessary to do that--maybe better to show it?). Will try and google the thumbprint, see what shows up.

ADD: after a google search did come across this:



It's a SHA-1 fingerprint. hummmm, I seem to recall that SHA-1 was being deprecated?

SHA-1 Fingerprint : 2a1d6027d94ab10a1c4d915ccd33a0cb3e2d54cb

Just don't understand why the NordVPN message just popped up out of nowhere. I wasn't doing anything out of the ordinary.
 
Meh. I would just ignore it for the time being. My app in Linux sometimes spits messages in syslog for oddities periodically as well.
 
Maybe just a random oddity like you said. I opted for the [Don't Trust] command button and everything seemed to still be working ok/normally. I was on my Windows 10 desktop.
 
Looks like there's been a few cert swaps. Not sure if there's been expirations or revocations and replacements, but here's what changed when I ran an update just now.

Code:
Importing into legacy system store:
I already trust 148, your new list has 137
8 previously trusted certificates were removed.
Certificate removed: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
Certificate removed: C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011
Certificate removed: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
Certificate removed: C=US, O=Google Trust Services LLC, CN=GTS Root R1
Certificate removed: O="Cybertrust, Inc", CN=Cybertrust Global Root
Certificate removed: C=US, O=Google Trust Services LLC, CN=GTS Root R2
Certificate removed: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC
Certificate removed: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA
Import process completed.

Importing into BTLS system store:
I already trust 141, your new list has 137
Certificate added: C=US, O=Google Trust Services LLC, CN=GTS Root R1
Certificate added: C=US, O=Google Trust Services LLC, CN=GTS Root R2
Certificate added: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
3 new root certificates were added to your trust store.
8 previously trusted certificates were removed.
Certificate removed: C=US, O=Google Trust Services LLC, CN=GTS Root R2
Certificate removed: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA
Certificate removed: C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011
Certificate removed: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority
Certificate removed: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC
Certificate removed: C=US, O=Google Trust Services LLC, CN=GTS Root R1
Certificate removed: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign
Certificate removed: O="Cybertrust, Inc", CN=Cybertrust Global Root
Import process completed.

Looks like Google dropped a couple and added a couple to replace them.
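
An added example, not part of the original post: a short Python parser for update output like the above that separates root subjects that were only removed from subjects that were removed and re-added in the same run. The sample is a shortened excerpt of the quoted output, and the function and key names are illustrative assumptions.

```python
import re
from collections import defaultdict

# Shortened excerpt of the update output quoted in the post (not the full log).
SAMPLE = """\
Importing into legacy system store:
I already trust 148, your new list has 137
Certificate removed: C=US, O=Google Trust Services LLC, CN=GTS Root R1
Certificate removed: O="Cybertrust, Inc", CN=Cybertrust Global Root
Import process completed.

Importing into BTLS system store:
Certificate added: C=US, O=Google Trust Services LLC, CN=GTS Root R1
Certificate added: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
Certificate removed: C=US, O=Google Trust Services LLC, CN=GTS Root R1
Certificate removed: O="Cybertrust, Inc", CN=Cybertrust Global Root
Import process completed.
"""

STORE_RE = re.compile(r"^Importing into (.+) system store:$")
CHANGE_RE = re.compile(r"^Certificate (added|removed): (.+)$")

def summarize(log: str) -> dict:
    """Per store, split subjects into added-only, removed-only and replaced."""
    changes = defaultdict(lambda: {"added": set(), "removed": set()})
    store = None
    for line in log.splitlines():
        line = line.strip()
        if m := STORE_RE.match(line):
            store = m.group(1)          # e.g. "legacy" or "BTLS"
        elif (m := CHANGE_RE.match(line)) and store is not None:
            changes[store][m.group(1)].add(m.group(2))
    report = {}
    for name, c in changes.items():
        # Subject both removed and added: a certificate with that subject
        # is still trusted after the update, so it was swapped, not dropped.
        swapped = c["added"] & c["removed"]
        report[name] = {
            "added": sorted(c["added"] - swapped),
            "removed": sorted(c["removed"] - swapped),
            "replaced": sorted(swapped),
        }
    return report

if __name__ == "__main__":
    for store, result in summarize(SAMPLE).items():
        print(store, result)
```

The log identifies roots by subject only, so a "replaced" entry says the subject stayed trusted, not which certificate or fingerprint now backs it.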
 
Saw that message today again on my computer from NordVPN, also referring to the same SHA-1 fingerprint/thumbprint from Google.

Like you are referring to above, maybe Google is removing/installing certificates and NordVPN is just notifying/warning me that some certificates have/are being changed.
 
That's going to be my guess as well. I'm sure there's probably some Windows update related as well to update them. I have mine disabled in Windows and by DNS, so can't really help there.
 
