SSL Protocol Error

[tkrebs2]

🐛 bug report

Bug Description -

As of a few days ago I'm unable to reach any codesandbox url's. I'm getting an ssl protocol error. I've tried any recommendations I could find on google, twitter, github, etc. I tried clearing SSL state in keychain, lowering firewall settings, blowing away any browser caches. Not sure what other actions I can take to resolve this issue or even if this is a codesandbox issue.

I've tried Firefox and Safari as well with the same result.

macOS Catalina - 10.15.4 Chrome - Version 81.0.4044.138 (Official Build) (64-bit)

[garethx]

We've seen this recently when an ISP blocked the site. Can you confirm which ISP you're with?

[lbogdan]

Might be related to this Twitter thread.

[tkrebs2]

We've seen this recently when an ISP blocked the site. Can you confirm which ISP you're with?

I've pinged both codesandbox.io and csb.app and I'm not seeing any issue there. My ISP is Comcast in the greater Baltimore area in Maryland. Is this something I can contact them about and find out why it's being blocked all of a sudden?

[lbogdan]

Yeah, it's not a simple IP filter (as we're using Cloudflare, those two hostnames should resolve to Cloudflare's IPs - something like 104.18.22.207, and simply filtering them would filter much more than just CodeSandbox), but some kind of site-aware filtering, that also breaks SSL in the process. We'll open a ticket with Cloudflare, just in case, but I think it would help more if you'd also open a ticket with Comcast, as all the people affected seem to be Comcast customers.

[tkrebs2]

I'll reach out to my ISP and see what they have to say about it. I'll post back with my findings.

[tkrebs2]

I reached out and they basically said to lower firewall security to low (lol). Upon further inspection I found that the url was flagged by XFi advanced security, which can be found on your admin dashboard for xfinity (whatever that is and how/what they're determining to block idk). I'm able to access the site now. I asked for a more technical explanation but don't think that's going to happen.

[lbogdan]

Thanks for the update!

So is that XFi Advanced Security a Comcast thing? Is it running on your router?

[tkrebs2]

Yeah It's running on the modem/router. I assume it's standard through Xfinity XFi services.

[tkrebs2]

For future reference, when you sign into your xfinity/comcast account, click the WiFi symbol in the top bar > Network > Click on your network name > Advanced Security > Disable. This is what solved it for me.

[liquid1982]

Same issue here. The "Advanced Security" option was removed from their app as far as I can tell, and it is no longer possible to opt out of their "Advanced Security" program.

[liquid1982]

Update: they moved the option from Network to the "More" menu, under "My Services".

[garethx]

Yes, see their help doc on finding this: https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security#Dis

[ostoh]

Hit this SSL issue today. Found out codesanbox.io is also being blocked by a Kenyan ISP. It redirects to thunda.co and that the IP of that domain is also associated with the ISP. Weird.

[farmanp]

Is there further action being taken for resolving this issue?

[garethx]

We've been trying to work with Xfinity, but not progressing. However, we've had more success with OpenDNS/Cisco Umbrella and they've changed their classification, which should help with this as it looks like they make use of their lists. We'd be interested to know whether Xfinity folks are still having problems?

[github-actions[bot]]

This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made.