[GLLUG] Installing SSL certificate at the request of a WiFi provider
Mike Brodbelt
mike at coruscant.org.uk
Sun May 8 08:50:51 UTC 2016
On 08/05/16 08:47, John Winters via GLLUG wrote:
> Just recently they've announced that they're introducing filtering of
> https connections, and thus you will also need to install a certificate
> provided by them if you are going to use it to access any https web sites.
My experience with this has been that this sort of thing is normally
done by installing a box that performs MiTM attacks by requiring a CA
cert installed. Sounds like this is what they're installing.
Example:-
https://www.bluecoat.com/sites/default/files/documents/files/How_to_Gain_Visibility_and_Control_of_Encrypted_SSL_Web_Sessions.a.pdf
Some commercial vendors offer devices that support "SSL termination",
which is basically just session hijacking via an administratively
installed CA cert.
> Am I reading this correctly, or is there some less malign thing which
> they could be doing? Should I just stop using their WiFi and rely on my
> own 4G connection?
I would stop using their WiFi.
Defensive measures against this sort of thing are out there -
certificate pinning and HSTS in combination prevent downgrade attacks
and provide the browser with enough foreknowledge to reject connections
signed by malicious authorities.
Additionally, many of these places try DNS interception as well, and you
can now have fun by checking DNS results against Google over an HTTPS
connection:-
https://groups.google.com/forum/#!topic/public-dns-announce/p2iYauFuzIg
Of most value with cert pinning, of course. There aren't (yet) many
client implementations, but this one is a start:-
https://github.com/stancrm/google-dns-over-https-proxy
As a general point though, if anyone asks you to install their own CA
cert they're definitely not acting in your best interest. In my opinion,
I'd treat their network like poison and avoid at all costs.
HTH,
Mike
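
The DNS cross-check mentioned in the message above, as an added example that is not part of the original post: it compares the addresses handed out by the network's own resolver with those returned by Google Public DNS over HTTPS. The sample response, host names and verdict labels are constructed for illustration.

```python
import ipaddress, json, socket, urllib.parse, urllib.request

A, AAAA = 1, 28  # DNS record type numbers used in the JSON "type" field
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample response in the Google Public DNS JSON format (not captured traffic).
SAMPLE_DOH = """{"Status": 0, "Answer": [
 {"name": "www.example.org.", "type": 5, "TTL": 300, "data": "web.example.org."},
 {"name": "web.example.org.", "type": 1, "TTL": 60, "data": "192.0.2.10"},
 {"name": "web.example.org.", "type": 1, "TTL": 60, "data": "192.0.2.11"}]}"""

def fetch_doh(host, rtype="A"):
    """Ask Google Public DNS over HTTPS; returns the raw JSON text."""
    query = urllib.parse.urlencode({"name": host, "type": rtype})
    with urllib.request.urlopen("https://dns.google/resolve?" + query, timeout=5) as resp:
        return resp.read().decode()

def local_addresses(host):
    """IPv4 addresses from the resolver the network gave us (matches the A query)."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def doh_addresses(doh_json):
    """Extract A/AAAA addresses, skipping CNAME and other record types."""
    reply = json.loads(doh_json)
    if reply.get("Status") != 0:
        raise ValueError("DoH lookup failed, Status=%r" % reply.get("Status"))
    return {ipaddress.ip_address(rr["data"]) for rr in reply.get("Answer", [])
            if rr.get("type") in (A, AAAA)}

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def compare(local, doh_json):
    """Return (verdict, addresses seen locally but absent from the DoH answer)."""
    local = {ipaddress.ip_address(a) for a in local}
    trusted = doh_addresses(doh_json)
    extra = local - trusted
    if not extra:
        return "match", set()
    if any(is_rfc1918(a) for a in extra) and not any(is_rfc1918(a) for a in trusted):
        return "private-redirect", extra   # public name answered with an internal address
    return "differs", extra                # may be CDN/geo variation: check the TLS cert too

if __name__ == "__main__":
    name = "www.example.org"  # placeholder host name
    print(compare(local_addresses(name), fetch_doh(name)))
```

The DoH answer is only a trustworthy reference if the HTTPS connection to the resolver is validated against a trust store that does not contain the provider's CA certificate.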