
Context:
I'm currently working as an expat for my company in a country where the Internet is notably untrustworthy. It made the headlines a few months ago for stealing facebook, twitter and gmail account passwords.

There was a revolution back in January and things are supposed to have improved.

And indeed they have, since when I connect to the Internet from home using one of the local provider's 3G HSPD connection things are much smoother (but still rough on the edges like systematic 403 messages sometimes => goto reboot the modem).

Problem
But...
There's always a but...
When, however, I connect from the customer's premises, then among other weird things [1], no SSL certificate is recognised (my company's SSO, Gmail...)!!!

Whenever I attempt to connect through https, my browser shows a warning page to give me a chance to manually validate the certificate.

www.google.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_ca_cert_invalid)

Questions
1. What's going on here?
2. Is there any risk in manually accepting these certificates?
3. Is this also likely to be the reason why I can't access my company's Cisco VPN any more (I can ping the public VPN server address but the Cisco VPN client times out)?


Note 1: The net admins have also barred access to facebook and whenever you connect to a page (e.g. news media) having a link to Facebook, the browser pops up a dialog box asking what you want to do with the like.php. Probably wrong MIME type in the response. NB: I have no Facebook account to start with.
Alain Pannetier
  • 277
  • 5
  • 9
  • 5
    So company or country are MITM'ing you. You're screwed. But if the ISP of the company is complicit then you might be able to find another provider. – Andrew Russell May 13 '11 at 11:40
    @Andrew - Thx. Unfortunately, the ISP and the company are one single entity. Some of us bring our 3G modem from the other ISP into the office and use these as cleaner wifi APs (the modems are not hooked to a particular BTS). The "phenomenon" described above is the latest development in a steadily deteriorating situation. – Alain Pannetier May 13 '11 at 11:46

2 Answers

1. What's going on here?

Google.com does not use a self-signed certificate. Most probably all traffic is going through an SSL-aware proxy (there are commercial appliances that do this sort of job), which intercepts and handles HTTPS connections (in other words it performs a man-in-the-middle attack). It masquerades as google.com, for example: if it served you google.com under the original certificate it would not be able to see the traffic details of the encrypted connection, so it uses a self-signed certificate for the part from you to the proxy, decrypts the traffic, and then re-encrypts it using Google's correct certificate and forwards it to Google.

2. Is there any risk in manually accepting these certificates?

Are you doing or sending something you don't want whoever is operating the proxy to find out? If yes, there is. The proxy operators can see and change everything - passwords, logins, credit card numbers, anything. What is happening here is that all your supposedly encrypted connections are in reality plaintext connections and have the same degree of security as them.

3. Is this also likely to be the reason why I can't access my company's Cisco VPN any more (I can ping the public VPN server address but the Cisco VPN client times out)?

Yes, if it also intercepts VPN connections and tries to MITM them, you wouldn't be able to connect because the mutual authentication will fail.

Finally, I would suggest that you use this Firefox extension (called Perspectives): http://www.networknotary.org/index.html

It is made specifically to combat issues like that and others: it allows you to monitor whether a site you visit often has changed its certificate, so that you know that something fishy is going on.

john
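As an added example, not part of john's answer or of the Perspectives project: a small trust-on-first-use checker that records the SHA-256 fingerprint of the certificate a host actually serves and reports when it later changes or fails the local trust store, which is the signal an intercepting proxy with its own self-signed certificate produces. The pin file name, the hostnames on the command line and the `fetch_leaf_cert` helper are assumptions; the fetch helper can be swapped for a fake in tests.

```python
import hashlib, json, os, socket, ssl, sys

PIN_FILE = "cert_pins.json"   # assumed file name for recorded fingerprints

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon separated as browsers display it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0):
    """Return (der_cert, verify_error); verify_error is None when the local trust store accepts
    the chain. If verification fails, reconnect without verification only to read the served cert."""
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True), None
    except ssl.SSLCertVerificationError as err:
        verify_error = err.verify_message or str(err)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), verify_error

def check_host(host: str, pins: dict, fetch=fetch_leaf_cert) -> dict:
    """Trust-on-first-use check: compare the certificate served now with the one recorded
    earlier (ideally from a network you trust). `pins` maps host -> fingerprint."""
    der, verify_error = fetch(host)
    fp = fingerprint(der)
    if host not in pins:
        pins[host] = fp
        verdict = "first-seen"   # nothing to compare against yet; pin recorded
    elif pins[host] == fp:
        verdict = "match"        # same certificate as last time
    else:
        verdict = "changed"      # legitimate rotation, or an interceptor now in the path
    return {"host": host, "fingerprint": fp, "verdict": verdict,
            "trusted_chain": verify_error is None, "verify_error": verify_error}

if __name__ == "__main__":   # usage: python checker.py www.google.com mail.google.com
    pins = json.load(open(PIN_FILE)) if os.path.exists(PIN_FILE) else {}
    for host in sys.argv[1:]:
        print(json.dumps(check_host(host, pins)))
    json.dump(pins, open(PIN_FILE, "w"), indent=2)
```

A "changed" verdict or a false "trusted_chain" on a site whose certificate you recorded from a clean network is the cue to stop sending credentials over that connection; run the first recording pass somewhere you trust, otherwise the interceptor's certificate is what gets pinned.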

I'm sorry to hear that. For another example of this, see this EFF story: An ongoing man-in-the-middle attack on the HTTPS version of Facebook in Syria puts users there at risk

One remedy they suggest is using Tor. But of course your network provider (like the Syrians) may be blocking Tor also, in which case your choices are getting another ISP or being completely circumspect in your use of your current one.

nealmcb