Background info
Recently I started using a Sophos VM Firewall at home for my own traffic. I know Palo Alto Networks Firewalls on a deeper technical level, but I wanted to experience what other vendors do, to get a better feeling for what the differences are.
Sophos has a pretty generous free tier for home users. Unfortunately most other vendors don’t have that.
ChatGPT Error
I noticed that I couldn’t use ChatGPT in the web interface anymore. I always got this “Something went wrong” error.
First I thought it was a ChatGPT server error, so I did a quick Google search and saw that a lot of people had this problem. I didn’t read through all the replies, but some wrote that it went away after they disabled their VPN.
Okay, then it could really have something to do with the TLS decryption I enabled on my firewall, right? I checked the logs: action Decrypt is normal. Hm. Let’s investigate further.
Packet capture
With decryption from the firewall enabled I made a packet capture locally on the client.
I noticed that I get a 403 Forbidden as a response from ChatGPT the moment I click the send button.
I also checked what the traffic looks like when the decryption is not enabled. And then I noticed something while using Wireshark a little bit later when trying to follow the HTTP stream.
It seemed that there was HTTP/1.1 traffic when decryption was enabled.
Dev tools
Quick check in the browser’s dev tools (visiting this blog)
Decryption enabled
Decryption disabled
and indeed, it’s HTTP/1.1 (protocol column).
I couldn’t find an official answer on this, but I think for decryption Sophos doesn’t support HTTP/2.
Some time after a PUT to https://chat.openai.com/backend-api/conversation via HTTP/1.1 there is the HTTP 403 error.
At this point I knew that the firewall’s decryption causes the problem. I’d guess that there might be an issue with the Cloudflare proxy on ChatGPT’s side too, but I didn’t want to troubleshoot further. I disabled decryption for ChatGPT and everything works again now.
For users having this issue: What else could it be
If this error really can be limited to the decryption / HTTP/1.1 downgrade, the following tools could cause the issue:
- VPN “protection” products
  - Countermeasure: Open provider ticket or disable content inspection only for ChatGPT.
  - My 2 cents: I don’t know if letting a random consumer VPN provider decrypt all your traffic is such a good idea to begin with.
- Endpoint protection (Antivirus Software) that decrypts traffic locally
  - Countermeasure: Open provider ticket or disable content inspection only for ChatGPT.
- Company network or VPN where decryption is enabled
  - Countermeasure: Ask your company admin. If this also happens with other firewall vendors, it could be fixed by changing the decryption settings.
You can usually find out whether decryption is enabled by looking at the root certificate of any external website in your browser. If it’s issued by a security vendor or your company, traffic is most likely decrypted.
Decryption enabled
Trusted root certificate: lab-cert
Decryption disabled
Trusted root certificate: ISRG Root X1 (the regular one)
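
The two signals used above (who issued the certificate, and whether HTTP/2 was negotiated) can also be checked from a script. This is an added example, not part of the original post: it reads the issuer of the server's leaf certificate rather than the root shown in the browser, and the function names, the sample certificates and the expected issuer name are assumptions constructed for illustration.

```python
import socket
import ssl
import sys

def issuer_fields(cert):
    """Flatten the 'issuer' RDN tuples of SSLSocket.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def assess(cert, alpn, expected_orgs):
    """Return (intercepted, not_h2, issuer_name) for one TLS connection."""
    issuer = issuer_fields(cert)
    org = issuer.get("organizationName")
    name = org or issuer.get("commonName", "<unknown>")
    # Issuer organisation is not a CA we expect for this site: likely an
    # inspection CA (firewall, endpoint product, VPN) re-signing the traffic.
    intercepted = org not in expected_orgs
    # We offered h2; anything else matches the HTTP/1.1 symptom. On its own
    # this is only a hint, because some origins do not offer HTTP/2 at all.
    not_h2 = alpn != "h2"
    return intercepted, not_h2, name

def probe(host, port=443, timeout=5.0):
    """Connect, offer h2 and http/1.1, return (certificate dict, selected ALPN)."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.selected_alpn_protocol()

# Constructed samples in the getpeercert() layout (not captured data).
SAMPLE_DIRECT = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "Let's Encrypt"),),
                            (("commonName", "R11"),))}
SAMPLE_INSPECTED = {"issuer": ((("commonName", "lab-cert"),),)}

if __name__ == "__main__":
    # Usage: python tlscheck.py <host> <expected issuer organisation> [...]
    host, expected = sys.argv[1], set(sys.argv[2:])
    try:
        cert, alpn = probe(host)
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"{host}: chain not trusted by this Python's CA store: {exc}")
    intercepted, not_h2, name = assess(cert, alpn, expected)
    print(f"{host}: issuer={name!r} alpn={alpn!r}")
    print(f"unexpected issuer: {intercepted}, HTTP/2 not negotiated: {not_h2}")
```

An unexpected issuer together with a missing `h2` on a site that normally speaks HTTP/2 matches the behaviour described in this post.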