I can't access websites that use HTTPS, instead getting the message "your connection is not private"!
I found myself suddenly unable to access websites that use HTTPS, so I contacted my service provider, and they asked me to install a certificate in the Trusted Root Certificate Authorities store. But something isn't right: installing a certificate on every device connected to the same network just to be able to access websites that use HTTPS is just weird! How can I be sure that this certificate is issued by a trusted CA?
When I tried to install it, I got the following message:
Warning: If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "Yes" you acknowledge this risk.
Here is the certificate information:
- Version: V3
- Serial num: 00 f8 ab 36 f3 84 31 05 39
- Signature algo: sha1RSA
- Signature hash algo: sha1
- Issuer: ISSA, Internet, Internet, Beirut, Beirut, LB
- Subject: ISSA, Internet, Internet, Beirut, Beirut, LB
- Public Key: RSA (1024 bits)
It's valid until 2019.
And by the way, I'm in Lebanon.
I contacted my ISP again and they told me that they're using some kind of an accelerator to enhance the speed, and it needs authentication, so they chose to use a certificate instead of making the user enter a username and password every time they want to access websites that use HTTPS. And they suggested that if I'm not okay with that, they would put me in a new pool. So what should I do?
Sounds a bit dodgy. Like your ISP is middle-manning your HTTPS dodgy. What country/ISP? And can you give us the Cert details?
possible duplicate of Why firefox shows some connections are not secure?
Whoa, that's scary. In layman's terms, your ISP is asking you to install a backdoor on your computer so they can monitor and/or modify your web traffic to secure (HTTPS) sites. If you install this certificate, your ISP can read any information you send over the internet on secure sites. Anything. That includes passwords, bank account numbers, whatever. Note that for regular, unsecured (HTTP) traffic, they already have this ability unless you use a VPN.
What your ISP told you is only a half truth! He is hiding the fact that, to accelerate your internet, he will use the certificate to decrypt all your secure traffic and read it to compress it. This may (now) be done with good intentions (to save the ISP some money in infrastructure) - but this means you are opening your system and private data wide to a range of attacks and possible options to sell your private data.
Not allowed to answer... Just wanted to add that some ISPs in fact do this without bad intent. I had a UMTS stick a while back from O2 (Germany). To allow a "good browsing experience" they intercepted all my traffic to re-encode all images to a lower quality to save bandwidth. It is possible that your ISP is trying something similar. Try to contact them to tell them that you do not wish this service.
As a note: it's common for corporate networks to do exactly the same thing, intercepting all traffic via a root certificate that's pre-installed on corporate devices. You'd face the same issues when bringing in your own device to such a network but regular users would be unaware of this.
Besides the points on privacy and security mentioned in the answers and depending on the country, you may want to point out to your ISP that they will now be responsible for any issues related to your HTTPS browsing. This includes financial and health related transactions, which may cost them zillions. Make sure to keep a legally receivable copy of that warning (and point out in your letter that you will keep that copy).
"[My ISP] told me that ... it needs authentication, so they chose to use a certificate instead of making the user enter a username and password every time they want to access websites that use HTTPS." - this is a blatant lie, but it's the kind of lie you might tell to appease users who want to know what you're doing but won't understand it (not *necessarily* a malicious lie).
Every legitimate accelerator I am aware of does not accelerate HTTPS precisely due to the lack of security it requires. This is usually not a big deal, as most HTTPS sites are not speed dependent. The main one that I know of that is is YouTube, but most accelerators don't handle video, and, even if they do, Google is good enough to have a way to shut off HTTPS for YouTube.
@example: Of course O2 is _the one provider_ that became infamous in the early 2000s for being malicious on the largest possible scale (and not being clever about it). Remember when this guy filed a complaint because they charged each and every one of his mobile calls twice. Turned out they had forwarded the calls of hundreds of thousands of customers _over months_ to the BND and charged the customers for the forwarding (only pretty much nobody looks at their bills, so it took a while before someone noticed).
Whilst I don't know the specifics of your ISP, I would say that it's likely that what they're doing here is intercepting all traffic you send over the Internet. In order to do that (without you getting error messages whenever you visit an HTTPS encrypted site), they would need to install a root certificate, which is what you mention in your post.
They need to do this as what this kind of interception usually entails is creating their own certificate for each site you visit. So, for example, if you visit https://www.amazon.com they need to have a certificate that your browser considers valid for that connection (which is one issued by a trusted Certificate Authority, either one provided with the browser or one you manually install).
From your perspective, the problem here is it means that they can see all your Internet traffic including usernames/passwords/credit card details. So if they want to, they can look at that information. Also if they have a security breach it's possible that other people might get access to that information. In addition, they may also gain access to any account that you access over this Internet connection (e.g., email accounts). Finally, installing this root certificate allows them to modify your Internet traffic without detection.
What I would recommend is that you query with them exactly why they need to see the details of your encrypted traffic (e.g., is this a legal requirement for your country) and if you're not 100% satisfied with the response, get a new ISP. Another possibility is to use a VPN and tunnel all your traffic through the VPN. If you are not happy with your ISP gaining this access to your HTTPS connections, do not install the root certificate they provided you.
Note that even if you don't install the root certificate, this kind of behavior from your ISP probably indicates that they are already monitoring your unencrypted HTTP traffic (even if they can't monitor your HTTPS traffic without you installing the certificate or ignoring the security warnings from your browser).
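The interception described in this answer has a recognisable signature: unrelated sites that normally chain to different CAs all start presenting certificates from one issuer. The added example below (not part of the original answer) compares issuers recorded on a reference network with those seen on the suspect one; the records use the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and all hostnames and CA names are constructed placeholders.

```python
from collections import Counter


def issuer_name(cert):
    """Flatten the 'issuer' field of a getpeercert()-style dict into one string."""
    return ", ".join(f"{key}={value}" for rdn in cert["issuer"] for key, value in rdn)


def find_interception(reference, suspect, min_hosts=3):
    """Compare issuers seen on a reference network with those on the suspect one.

    Returns (issuer, hosts) when at least min_hosts hosts had their issuer
    replaced by one and the same CA, otherwise None. A single changed issuer
    is ignored, because sites do switch CAs when they renew.
    """
    replaced = Counter()
    hosts = {}
    for host, cert in suspect.items():
        if host not in reference:
            continue  # no baseline for this host, nothing to compare
        seen, expected = issuer_name(cert), issuer_name(reference[host])
        if seen != expected:
            replaced[seen] += 1
            hosts.setdefault(seen, []).append(host)
    if not replaced:
        return None
    issuer, count = replaced.most_common(1)[0]
    return (issuer, sorted(hosts[issuer])) if count >= min_hosts else None


def _cert(org, cn):
    # Constructed sample in the shape getpeercert() returns (issuer field only).
    return {"issuer": ((("organizationName", org),), (("commonName", cn),))}


# Constructed observations: hostnames and CA names are placeholders.
REFERENCE = {
    "shop.example": _cert("Example CA One", "CA One R3"),
    "bank.example": _cert("Example CA Two", "CA Two G2"),
    "mail.example": _cert("Example CA Three", "CA Three EV"),
    "news.example": _cert("Example CA One", "CA One R3"),
}
# Every site now chains to the same (placeholder) proxy root.
SUSPECT = {host: _cert("Example ISP", "Example ISP Proxy Root") for host in REFERENCE}
# One site legitimately moved to another public CA.
RENEWED = {**REFERENCE, "news.example": _cert("Example CA Two", "CA Two G2")}

if __name__ == "__main__":
    print(find_interception(REFERENCE, SUSPECT))
    print(find_interception(REFERENCE, RENEWED))
```

`getpeercert()` only returns parsed fields when the chain validates, so on a machine that does not trust the proxy root the handshake fails instead, which is the browser error the question describes.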
Also, it appears they're *requiring* you to take their man-in-the-middle certificate by blocking all SSL traffic until you do. This is SERIOUSLY invasive. I'd go shopping for another provider NOW. Oh, and go get TOR if/while you still can.
@Freedom: Check against what? Published checksums on HTTP sites might have been tampered, those on HTTPS are blocked. If OP posts a postal address, someone might mail him some checksum, but that someone might still be the ISP, government, secret service or whatever in disguise. It's hard to build trust without any kind of trust anchor. Enough different people providing the same fingerprints in enough different forums using enough different protocols (HTTP, IRC, News, Mail) may render consistent tampering less likely, but can you ever be certain, short of reading all TOR sources yourself?
@Freedom There are multiple ways to "find-and-replace", at an MITM proxy level, all valid hashes on the Internet, with those of the tainted package.
@Commenters, please refrain from having extended discussions in comments - especially ones that are only tangentially related to the topic. Please use [chat] for anything more.
One of the most important points: **Even if your ISP is trustworthy** you are at risk that anyone gets hold of the private key of this certificate. If you got it from some dodgy guy on their help-line, maybe he switched it with his own certificate and tries a scam, or someone hacks their compression server...
I STRONGLY recommend anyone considering checksums to verify TOR, or any other binary, for security purposes reconsider, and instead verify the digital signature of the binary provided by the creators. TOR provides a very helpful tutorial on how to verify its signature.
@Roy Could you post the certificate fingerprint of the certificate they asked you to install? Thanks.
@EricLloyd: That's not correct. The ISP is not blocking all SSL traffic; it's just that they've already started MITM-ing, so the *browser* is blocking the traffic (since it doesn't recognize the certificate). I won't claim that this is "reasonable", because the whole thing is not reasonable, but the MITM has no way of detecting whether a given user has installed the root cert yet, so this specific aspect of it is not special ISP misbehavior. (But they should have made the whole thing opt-in.)
@ruakh, Point well taken. When the OP said they couldn't visit https sites, I assumed it was an all-out block, with no way to bypass it. My thinko. :-)
I agree with this explanation. It sounds a bit like what Nokia did with Ovi, which was supposedly a legitimate mobile proxy to improve network performance - https://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/
What is the point of tunneling your communication through a VPN given that your ISP can intercept your VPN tunnel, unwrap it, and intercept the contents recursively? And if they don't recognise the VPN protocol, they can always shut it down.
@JanDvorak how would the ISP intercept the VPN traffic without the keys to do so? Of course the ISP can block anything they like, although they'd need to recognise the traffic as VPN and block it. The point of using a VPN is to avoid interception on the local ISP network where they're using standard interception techniques.