
I found myself suddenly unable to access websites that use HTTPS, so I contacted my service provider, and they asked me to install a certificate in the Trusted Root Certificate Authorities store. But something isn't right: installing a certificate on every device connected to the same network just to be able to access websites that use HTTPS is just weird! How can I be sure that this certificate is issued by a trusted CA?

When I tried to install it, I got the following message:

Warning: If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "Yes" you acknowledge this risk.

Here is the certificate information:

  • Version: V3
  • Serial num: 00 f8 ab 36 f3 84 31 05 39
  • Signature algo: sha1RSA
  • Signature hash algo: sha1
  • Issuer: ISSA, Internet, Internet, Beirut, Beirut, LB
  • Subject: ISSA, Internet, Internet, Beirut, Beirut, LB
  • Public Key: RSA (1024 bits)

It's valid until 2019.

And by the way, I'm in Lebanon.

I contacted my ISP again and they told me that they're using some kind of accelerator to enhance the speed, and it needs authentication, so they chose to use a certificate instead of making the user enter a username and password every time they want to access websites that use HTTPS. And they suggested that if I'm not okay with that, they would put me in a new pool. So what should I do?

  • Sounds a bit dodgy. Like your ISP is middle-manning your HTTPS dodgy. What country/ISP? And can you give us the Cert details? – AlexH Feb 02 '15 at 17:13
  • possible duplicate of [Why firefox shows some connections are not secure?](http://security.stackexchange.com/questions/23095/why-firefox-shows-some-connections-are-not-secure) – Xander Feb 02 '15 at 17:23
  • yeah - ISP is doing MITM – schroeder Feb 02 '15 at 18:40
  • Whoa, that's scary. In layman's terms, your ISP is asking you to install a backdoor on your computer so they can monitor and/or modify your web traffic to secure (HTTPS) sites. If you install this certificate, your ISP can read any information you send over the internet on secure sites. Anything. That includes passwords, bank account numbers, whatever. Note that for regular, unsecured (HTTP) traffic, they already have this ability unless you use a VPN. – Ajedi32 Feb 02 '15 at 20:38
  • What your ISP told you is only a half truth! He is hiding the fact that, to accelerate your internet, he will use the certificate to decrypt all your secure traffic and read it to compress it. This may (now) be done with good intentions (to save the ISP some money in infrastructure) - but this means you are opening your system and private data wide to a range of attacks and possible options to sell your private data. – Falco Feb 03 '15 at 12:26
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/20841/discussion-on-question-by-tarek-i-cant-access-websites-that-use-https-instead). – Rory Alsop Feb 04 '15 at 15:05
  • Not allowed to answer... Just wanted to add that some ISPs in fact do this without bad intent. I had a UMTS stick a while back from O2 (Germany). To allow a "good browsing experience" they intercepted all my traffic to re-encode all images to a lower quality to save bandwidth. It is possible that your ISP is trying something similar. Try to contact them to tell them that you do not wish this service. – example Feb 04 '15 at 22:14
  • As a note: it's common for corporate networks to do exactly the same thing, intercepting all traffic via a root certificate that's pre-installed on corporate devices. You'd face the same issues when bringing in your own device to such a network, but regular users would be unaware of this. – Lilienthal Feb 05 '15 at 19:52
  • Besides the points on privacy and security mentioned in the answers, and depending on the country, you may want to point out to your ISP that they will now be responsible for any issues related to your HTTPS browsing. This includes financial and health related transactions, which may cost them zillions. Make sure to keep a legally receivable copy of that warning (and point out in your letter that you will keep that copy). – WoJ Feb 05 '15 at 19:57
  • Could also be that the ISP wants to inject Javascript into all traffic instead of just HTTP, for tracking and advertising purposes. ISPs in the US are doing that. Just as bad IMHO – Feb 06 '15 at 14:56
  • "[My ISP] told me that ... it needs authentication, so they chose to use a certificate instead of making the user enter a username and password every time they wants to access websites that use HTTPS." - this is a blatant lie, but it's the kind of lie you might tell to appease users who want to know what you're doing but won't understand it (not *necessarily* a malicious lie). – user253751 Feb 09 '15 at 04:55
  • Every legitimate accelerator I am aware of does not accelerate HTTPS, precisely due to the lack of security it requires. This is usually not a big deal, as most HTTPS sites are not speed dependent. The main one that I know of that is, is YouTube, but most accelerators don't handle video, and, even if they do, Google is good enough to have a way to shut off HTTPS for YouTube. – trlkly Feb 09 '15 at 09:11
  • @example: Of course O2 is _the one provider_ that became infamous in the early 2000s for being malicious on the largest possible scale (and not being clever about it). Remember when this guy filed a complaint because they charged each and every one of his mobile calls twice. Turned out they had forwarded the calls of hundreds of thousands of customers _over months_ to the BND and charged the customers for the forwarding (only pretty much nobody looks at their bills, so it took a while before someone noticed). – Damon Feb 09 '15 at 10:34
  • Even with the best of intentions, being a trusted CA is a BIG deal. See [this answer](http://security.stackexchange.com/a/24906/132456) for all the security measures they should take. Your ISP certainly is not doing that. – jkd Dec 05 '16 at 07:44

6 Answers


Whilst I don't know the specifics of your ISP, I would say that it's likely that what they're doing here is intercepting all traffic you send over the Internet. In order to do that (without you getting error messages whenever you visit an HTTPS encrypted site), they would need to install a root certificate, which is what you mention in your post.

They need to do this because what this kind of interception usually entails is creating their own certificate for each site you visit. So, for example, if you visit https://www.amazon.com they need to have a certificate that your browser considers valid for that connection (which is one issued by a trusted Certificate Authority, either one provided with the browser or one you manually install).

From your perspective, the problem here is it means that they can see all your Internet traffic including usernames/passwords/credit card details. So if they want to, they can look at that information. Also if they have a security breach it's possible that other people might get access to that information. In addition, they may also gain access to any account that you access over this Internet connection (e.g., email accounts). Finally, installing this root certificate allows them to modify your Internet traffic without detection.

What I would recommend is that you query with them exactly why they need to see the details of your encrypted traffic (e.g., is this a legal requirement for your country) and if you're not 100% satisfied with the response, get a new ISP. Another possibility is to use a VPN and tunnel all your traffic through the VPN. If you are not happy with your ISP gaining this access to your HTTPS connections, do not install the root certificate they provided you.

  • Note that even if you don't install the root certificate, this kind of behavior from your ISP probably indicates that they are already monitoring your unencrypted HTTP traffic (even if they can't monitor your HTTPS traffic without you installing the certificate or ignoring the security warnings from your browser). – Ajedi32 Feb 02 '15 at 20:35
  • Also, it appears they're *requiring* you to take their man-in-the-middle certificate by blocking all SSL traffic until you do. This is SERIOUSLY invasive. I'd go shopping for another provider NOW. Oh, and go get TOR if/while you still can. – Eric Lloyd Feb 02 '15 at 22:06
  • Don't forget to check the checksums of TOR to be sure they didn't intercept it too – Freedo Feb 02 '15 at 22:43
  • @Freedom: Check against what? Published checksums on HTTP sites might have been tampered with; those on HTTPS are blocked. If OP posts a postal address, someone might mail him some checksum, but that someone might still be the ISP, government, secret service or whatever in disguise. It's hard to build trust without any kind of trust anchor. Enough different people providing the same fingerprints in enough different forums using enough different protocols (HTTP, IRC, News, Mail) may render consistent tampering less likely, but can you ever be certain, short of reading all TOR sources yourself? – MvG Feb 03 '15 at 01:40
  • @Freedom There are multiple ways to "find-and-replace", at an MITM proxy level, all valid hashes on the Internet with those of the tainted package. – nanofarad Feb 03 '15 at 11:22
  • @Commenters, please refrain from having extended discussions in comments - especially ones that are only tangentially related to the topic. Please use [chat] for anything more. – AviD Feb 03 '15 at 19:29
  • One of the most important points: **Even if your ISP is trustworthy** you are at risk that anyone gets hold of the private key of this certificate. If you got it from some dodgy guy on their help-line, maybe he switched it with his own certificate and tries a scam, or someone hacks their compression server... – Falco Feb 04 '15 at 13:36
  • I STRONGLY recommend anyone considering checksums to verify TOR, or any other binary, for security purposes reconsider, and instead verify the digital signature of the binary provided by the creators. TOR provides a [very helpful tutorial](https://www.torproject.org/docs/verifying-signatures.html) on how to verify its signature. – Dan Herbert Feb 05 '15 at 03:40
  • @Roy Could you post the certificate fingerprint of the certificate they asked you to install? Thanks. – Riking Feb 05 '15 at 19:03
  • @EricLloyd: That's not correct. The ISP is not blocking all SSL traffic; it's just that they've already started MITM-ing, so the *browser* is blocking the traffic (since it doesn't recognize the certificate). I won't claim that this is "reasonable", because the whole thing is not reasonable, but the MITM has no way of detecting whether a given user has installed the root cert yet, so this specific aspect of it is not special ISP misbehavior. (But they should have made the whole thing opt-in.) – ruakh Feb 06 '15 at 19:31
  • @ruakh, Point well taken. When the OP said they couldn't visit https sites, I assumed it was an all-out block, with no way to bypass it. My thinko. :-) – Eric Lloyd Feb 06 '15 at 19:45
  • I agree with this explanation. It sounds a bit like what Nokia did with Ovi, which was supposedly a legitimate mobile proxy to improve network performance - https://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/ – Aaron Newton Feb 07 '15 at 13:30
  • What point is tunneling your communication through a VPN given that your ISP can intercept your VPN tunnel, unwrap it and intercept the contents recursively? And if they don't recognise the VPN protocol, they can always shut it down. – John Dvorak Jul 11 '16 at 17:32
  • @JanDvorak how would the ISP intercept the VPN traffic without the keys to do so? Of course the ISP can block anything they like, although they'd need to recognise the traffic as VPN and block it. The point of using a VPN is to avoid interception on the local ISP network where they're using standard interception techniques. – Rory McCune Jul 11 '16 at 20:42
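The mechanics the answer above describes can be shown end to end in a few lines of Go using only the standard library. The block below is an added example, not code from the question, the answerers or the ISP: it mints a "genuine" CA and a leaf for a host, then an ISP-style root that forges a second leaf for the same host, and checks the forged leaf the way a browser would, first against a trust store that does not contain the ISP root (the error the asker saw) and then against one that does (what "installing the certificate" changes). All CA names are constructed for the example, ECDSA P-256 stands in for the 1024-bit sha1RSA key listed in the question, and an in-memory `x509.CertPool` stands in for the Windows Trusted Root store. The last step shows that a pin on the genuine leaf's SHA-256 fingerprint still catches the substitution even once the ISP root is trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue builds a certificate from tmpl signed by parent/parentKey, or a
// self-signed root when parent is nil. It returns the parsed cert and its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // self-signed: Issuer == Subject, exactly like the cert in the question
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Fingerprint is the SHA-256 of the DER encoding, the value a certificate pin compares.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Outcome records what the client sees in each situation.
type Outcome struct {
	UnknownAuthority bool  // forged leaf rejected while the ISP root is not trusted
	ErrWithISPRoot   error // verification result once the ISP root is in the store
	PinMatches       bool  // does the presented leaf match the pinned genuine one?
}

// Simulate plays the interception out for one host.
func Simulate(host string) Outcome {
	genuineRoot, genuineKey := issue(caTemplate("Constructed Public CA", 1), nil, nil)
	genuineLeaf, _ := issue(leafTemplate(host, 2), genuineRoot, genuineKey)

	ispRoot, ispKey := issue(caTemplate("Constructed ISP Interception Root", 3), nil, nil)
	forgedLeaf, _ := issue(leafTemplate(host, 4), ispRoot, ispKey) // minted per site, on the fly

	// 1. Trust store as shipped: only the genuine root. The forged chain fails.
	shipped := x509.NewCertPool()
	shipped.AddCert(genuineRoot)
	_, err := forgedLeaf.Verify(x509.VerifyOptions{Roots: shipped, DNSName: host})
	var unknown x509.UnknownAuthorityError
	out := Outcome{UnknownAuthority: errors.As(err, &unknown)}

	// 2. After "installing the certificate": the same forged leaf verifies cleanly.
	withISP := x509.NewCertPool()
	withISP.AddCert(genuineRoot)
	withISP.AddCert(ispRoot)
	_, out.ErrWithISPRoot = forgedLeaf.Verify(x509.VerifyOptions{Roots: withISP, DNSName: host})

	// 3. A pin on the genuine leaf still detects the substitution.
	out.PinMatches = Fingerprint(forgedLeaf) == Fingerprint(genuineLeaf)
	return out
}

func main() {
	o := Simulate("www.amazon.com")
	fmt.Printf("rejected before root install: %v\n", o.UnknownAuthority)
	fmt.Printf("error after root install:     %v\n", o.ErrWithISPRoot)
	fmt.Printf("pin matches genuine leaf:     %v\n", o.PinMatches)
}
```

The first check is the browser error the asker hit; the second is why the ISP's "install this certificate" instruction makes the errors disappear without making the connection any safer; the third is the only one of the three that still tells the forged leaf from the genuine one, which is why the comments above ask for the certificate's fingerprint rather than its subject name.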

This is a request to surrender all your privacy and security to them.

It is a very simple technical issue - they have blocked encrypted and secure HTTPS connections. "Re-enabling" it by installing their certificate will now allow you to use encrypted and "secure" connections, but it will give your ISP full access to view your online data, modify anything you download (including inserting backdoors or malware in any downloaded software), modify or filter anything you upload, and gain all the online access credentials (passwords, cookies, other security tokens) that you use through HTTPS.

This is not simply a potential theoretical risk. In fact, you should expect that they are already doing some or all of this - it's the only practical reason why they put the effort to block and require their certificate in the first place.

Only if you desire to have this connection despite the aforementioned issues, then you can accept their certificate. A good paid VPN can be a solution, however, it's possible that they will be blocking VPNs as well; it may be the case that you have to choose between a monitored and insecure connection controlled by someone else and no connection at all.

  • If they block VPN or VPN ports, would it be possible to set up (a personal) VPN (server) over port 80 and use that? – SPRBRN Feb 03 '15 at 11:10
  • @SPRBRN Yes, but that would be pointless. If the VPN server is running on your local network, then it is subject to the exact same monitoring and restrictions by your ISP that you would be if you weren't using a VPN. – Ajedi32 Feb 03 '15 at 14:49
  • Using a VPN server that is on the same network as the client is pointless by itself. The VPN server should be located elsewhere, either hosted with a VPN provider, or hosted on a personal VPS. That last option would make it possible to run it on port 80 on that server. That was my suggestion. That traffic is allowed. It would be the same to run an SSH server on that server on port 80 instead of port 22. – SPRBRN Feb 03 '15 at 15:02
  • @SPRBRN Ah, I see. You were talking about bypassing the block by connecting to the VPN over port 80 rather than the usual port, not about setting up a personal VPN on your local network. Sorry for the misunderstanding. – Ajedi32 Feb 03 '15 at 15:05
  • "it's the only practical reason why they put the effort to make this blocking & certificate in the first place" From the OP's edit, it looks like the OP's ISP has cited a different practical reason for doing this sort of MITM. – Ajedi32 Feb 03 '15 at 15:06
  • They're likely not *blocking* anything. They're *intercepting* traffic, but it's likely that the browser is doing the blocking. – Rawling Feb 05 '15 at 14:24

In effect your ISP is reading all your mail.

Think of your internet connection as a series of letters being sent over pony express. The error you are seeing is your browser complaining that your mail has been opened by someone and resealed with the wrong wax seal rather than the expected, for example Google's, wax seal.

What your ISP is telling you to do is retrain your browser to treat the ISP seal as being more trustworthy than Google's seal.

The error is correct. It is telling you that your ISP is reading your mail. Don't do what they say. Change your ISP now.


I agree this sounds very dodgy, but I might have an idea that might help. I can only assume you are using your ISP's DNS servers, and I assume you are using a router. Why not just change the IP address of your external DNS server to something like Google's open DNS servers, 8.8.8.8 and 8.8.4.4? If that stops the error message, and assuming you have NOT installed the ISP certificate, then you know the problem is solved. It is very likely that is how they are controlling traffic; many people do not know how to manually change their DNS servers, and everyone needs to use DNS to go to a website, so this idea might help.

Additionally you could go with a Private VPN service like https://www.privateinternetaccess.com/, I find their data center in Texas is great, but depending on where you are, you might like a different one, and they provide end to end encryption so that too might help. All that said, going to a new ISP is the best choice, the only way the ISP is going to learn, will be when they see their customers leaving for the competition.

Good Luck


I have done some research on the Lebanese Internet Regulation Act. Basically, your minister of information, Walid Al-Daouq, proposed a law in 2012 (which didn't make it) that would have put heavy stress on the freedom of speech in Lebanon.

The law has since been stopped, but it's possible that your ISP has come under pressure from the government to monitor Internet traffic on a national scale in order to find people that are threatening national security. Lebanese law has censorship for matters that affect national security, so it's not a stretch to assume that they'll ask ISPs to monitor all forms of traffic.

You might also have heard of Mia Khalifa. She's recently been voted the "Number 1 porn star", and since she's from Lebanon, the government is not happy with that. Her popularity might have something to do with the recent rush for monitoring.

  • [\[citation needed](http://en.wikipedia.org/wiki/Wikipedia:Citation_needed)\] _(I'm not disagreeing with you, I just think your answer would be better citing or linking to information found in your research)_ – IQAndreas Feb 08 '15 at 20:29

If they have done this, depending on your region, this may be looked at as a human rights violation under "right to private life".

The error you're receiving is actually a common problem.

Whoever you spoke to from your ISP may not know what you're talking about and simply fobbed you off asking you to install certificates.

Since getting this error, have you tried looking at your clock on your computer? If it's not set correctly, the time on certificates (which are set according to the certificate authority's time) will not be the same on your machines, therefore prompting you with a message such as, "your traffic is not secure".

Don’t simply allow the certificates as this defeats the purpose, and if you don’t know what you're doing, you can make mistakes which will cost you!

It is the job of a certificate authority, such as Verisign, to verify it and all you need to do is to make sure your systems are not compromised and you set your clock.

  • +1 While I think that your tone is a bit uncalled for (don't try to add ideology into this, and don't talk down other people's contributions, especially if they find a lot of upvotes), I absolutely agree with the fact that one should check the simplest sources of errors first. An incorrect system clock has caused me that exact problem before! – Domi Feb 03 '15 at 14:48
  • People seriously need to stop moaning about "rights" when it's entirely illogical to do so. – Lightness Races in Orbit Feb 04 '15 at 16:28
  • Clock skew would result in every certificate looking like it has expired — there's no indication of that in the question. – 200_success Feb 08 '15 at 18:12