

You can still display your custom error message to users connecting to port 80, but as others have pointed out, you can't do that with HTTPS as the entire purpose of HTTPS is to prevent that. If the connection is hijacked at DNS layer and a TCP RST is sent when attempting a connection to port 443, the browser will display it's own error message such as "This webpage is not available", which is much better than the certificate warning. Responding with an ICMP error or simply dropping the SYN is not guaranteed to be handled well by the sending TCP stack. Make sure the TCP SYN packets get a TCP RST packet in return. On the edge of your network, block all outgoing connections to that IP address except from port 80. If you want to stay with OpenDNS, I recommend you find the IP address they direct hijacked connections to. The reason I think it is such a bad practice is that it may cause some users to think there exist legitimate reasons for hijacking SSL, such misconception is bad for security. Based on your description it sounds like that sort of hijacking is exactly what OpenDNS is doing. Hijacking SSL and then serving an invalid certificate is a bad practice that people need to complain about whenever it happens.

Therefore the error keeps coming up.ĭoes anyone have an idea on how to disabling, bypassing or working around this "feature"?ĮDIT: This is an example what I am talking about -ĮDIT 2: My clocks are correct. However there is an automatic redirect to HTTPS on most sites.
