
If I want to go to https://www.example.com, can my ISP instead give me a different https website but make it look like it came from https://www.example.com? If they do, will my browser tell me that I have the wrong website, and if so, is that true for all of IE, Firefox and Chrome?

schroeder
Simd

2 Answers


If you connect to such a domain, the certificate is checked by your browser. The certificate of the HTTPS server must be signed by one of the certification authorities your computer trusts. If it is not signed by one of them, you will see a warning from your browser that the connection can't be trusted.

If the ISP is able to get the certificate signed by one of these certification authorities (or to add another certification authority to your trusted certification authorities), you will not be able to notice it unless you know which CA issued the correct certificate for the server and you check it manually in the browser.

This will never happen under "normal" conditions, as public certification authorities will never issue a certificate to anybody other than the server (domain) owner. And in order for the ISP to be able to install another certificate into your trusted CA store, they have to somehow hack your PC or provide you malicious code in some way (e.g. they give you a CD with some "drivers"). But it's not as easy as it seems, and I would say no ISP will risk something like this.

Edit: I forgot to mention that if the server uses an insecure protocol (e.g. SSLv2) with an insecure encryption suite, there is also a possibility that a MITM can happen.

Fis
  • Does this answer apply? https://security.stackexchange.com/a/106723/71375 . I am not familiar with all the terms. – Simd May 31 '17 at 06:29
  • Seems yes, it also applies. But it describes in other words what I mentioned. – Fis May 31 '17 at 06:31
  • The ISP does not need to be malicious or infect you. They can simply require that their customers install their cert in order to get service. This happens today. – schroeder May 31 '17 at 06:32
  • Would you do that? Not me. Or I would like to know the reason for that. In some countries, this can be a requirement. I can imagine that in China, where everything is being monitored, you are asked to do exactly this. On the other hand, when I was there I was able to use SSL VPN with no restrictions and with no need to install any ISP certificate. – Fis May 31 '17 at 06:34
  • As you say, one does not always have a choice. – schroeder May 31 '17 at 06:36
  • But it depends on the law. If they asked me to do this in a democratic country with no law requiring it, I would complain to them. Or I would change ISP if possible. – Fis May 31 '17 at 06:37
  • I don't quite understand the first line. Assuming the ISP already serves some valid https pages, so has some correctly signed pages to serve, how does the browser tell that it is not the real www.example.com page that it is getting? – Simd May 31 '17 at 06:56
  • The traffic is signed and encrypted by the web (HTTPS) server on the internet, not by the ISP. And the HTTPS server adds its certificate to the traffic so it can be checked on your side. – Fis May 31 '17 at 07:00
  • @Fis Thanks. But say the ISP is also a web (https) server with correctly signed web pages to serve. How does the browser know it is getting the ISP ones and not the ones it wants? I am assuming here that the ISP fully controls the traffic and never lets you access the true https server at all (and can fake all DNS lookups). – Simd May 31 '17 at 07:04
  • @dorothy You probably mean the HTTPS server is fake and is held by the ISP (or there is some kind of proxy in the middle). In that case you will see the certificate is not valid for the domain you are asking for. How come? Because the ISP can't fake the certificate. And that's because the certificate must be signed by a trustworthy certification authority. If it is not, it is red in your browser. – Fis May 31 '17 at 07:16
  • You should mention HSTS, preloading, and certificate pinning in your answer as well. For instance, with certificate pinning the ISP will not be able to intercept the traffic even if it can sign "legitimate" certificates. – efr4k May 31 '17 at 11:24
  • @efr4k HSTS is useless, especially in case you can modify the first header received by the browser for the first time. You can just simply filter it out. And certificate pinning is useless in the web context, as you have to distribute public certs with the application. – Fis May 31 '17 at 12:57
  • @Fis You assume the client always uses that same ISP, and that the ISP is always MITM-ing every connection. Neither is necessarily true. You're probably right about pinning here; I thought browsers shipped seeded with certain popular certificates, but could not find any reference to that. – efr4k May 31 '17 at 13:19
  • @efr4k True, true. It's what I assume. But to be honest, even my "home" laptop is most of the time connected over a single ISP. – Fis May 31 '17 at 13:24
  • @Fis I agree it's a problem, but even if you connect to the web service just once with a different ISP you are "safe" from that point forward. I would just like to see a small discussion around HSTS before I upvote the answer :) – efr4k May 31 '17 at 13:29
  • @efr4k Agreed, but in my case the probability of it is quite low. Because even if I take my laptop out, it is highly probable I will not open some specific sites :( Another thing is that it is a bit recent technology, and older sites (web servers) do not even support it, or admins simply didn't switch it on :( – Fis May 31 '17 at 13:30

First, if you want to go to https://yourdomain.com then whatever browser you are using will first check your DNS server to see if there is any IP address listed against yourdomain.com. If you are using your ISP-provided DNS server, then they can list a fake phishing web server's IP address against yourdomain.com in their DNS server. So when your browser requests that IP you will be redirected to the phishing website. This attack is called DNS poisoning. You are specifying the ISP scenario, which is why I am ignoring the ARP cache poisoning option.

Now, if you are trying to access the phishing site with https, then whatever browser you are using should warn you about a security issue, because the website you are trying to visit cannot provide proper certification details to your browser. Usually, when a browser tries to access a legitimate website via https, the website provides a proper certificate containing its digital signature and public key. Then the browser takes this certificate and verifies it against its list of trusted certificate authorities. If everything checks out, then the connection between the web server and the browser gets encrypted via the web server's private key. This communication can also be breached by an MITM method called SSL hijacking.

Here is good documentation of how Digital Certification and SSL work. Also check here.

arif
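As an added example (not code from either answer), here is the browser-side check both answers describe, built with Go's standard crypto/x509 package: a hypothetical "Public CA" the browser trusts, a hypothetical "ISP CA" it does not, and a certificate for www.example.com issued by each. Both CAs, their keys and the `Scenario` function are constructed in memory for this illustration; the third case covers schroeder's comment that once the ISP's root has been installed in the trust store, the look-alike certificate passes the same check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues an in-memory certificate: a self-signed CA when parent is nil, otherwise a server certificate for the given host names signed by parent.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, dns ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; a real CA uses unique random serials
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // a CA: self-signed and allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// browserCheck is the check both answers describe: the presented certificate must chain to a root in the trust store and be issued for the host being visited.
func browserCheck(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
// Scenario walks the thread's three cases: genuine certificate, ISP-issued look-alike, and the look-alike after the ISP root has been installed.
func Scenario() (genuineOK, lookalikeRejected, lookalikeOKAfterInstall bool) {
	publicCA, publicKey := makeCert("Public CA", nil, nil) // hypothetical CA the browser ships with
	ispCA, ispKey := makeCert("ISP CA", nil, nil)          // hypothetical CA run by the ISP
	genuine, _ := makeCert("www.example.com", publicCA, publicKey, "www.example.com")
	lookalike, _ := makeCert("www.example.com", ispCA, ispKey, "www.example.com")
	store := x509.NewCertPool() // the browser's trust store: only the public CA is in it
	store.AddCert(publicCA)
	genuineOK = browserCheck(genuine, "www.example.com", store) == nil
	lookalikeRejected = browserCheck(lookalike, "www.example.com", store) != nil // x509.UnknownAuthorityError
	store.AddCert(ispCA) // the customer has been made to install the ISP root (schroeder's comment)
	lookalikeOKAfterInstall = browserCheck(lookalike, "www.example.com", store) == nil
	return
}
```

The same check also rejects a correctly signed certificate presented for a different host name, which is what makes "the ISP already serves some valid https pages" insufficient.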