[GLLUG] Installing SSL certificate at the request of a WiFi provider

Mike Brodbelt mike at coruscant.org.uk
Sun May 8 08:50:51 UTC 2016

On 08/05/16 08:47, John Winters via GLLUG wrote:

> Just recently they've announced that they're introducing filtering of
> https connections, and thus you will also need to install a certificate
> provided by them if you are going to use it to access any https web sites.

My experience with this has been that this sort of thing is normally 
done by installing a box that performs MiTM attacks by requiring a CA 
cert installed. Sounds like this is what they're installing.



Some commercial vendor s offer devices that support "SSL termination", 
which is basically just session hijacking via an administratively 
installed CA cert.

> Am I reading this correctly, or is there some less malign thing which
> they could be doing?  Should I just stop using their WiFi and rely on my
> own 4G connection?

I would stop using their WiFi.

Defensive measures against this sort of thing are out there - 
certificate pinning and HSTS in combination prevent downgrade attacks 
and provide the browser with enough foreknowledge to reject connections 
signed by malicious authorities.

Additionally, many of these places try DNS interception as well, and you 
can now have fun by checking DNS results against Google over an HTTPS 


Of most value with cert pinning, of course. There aren't (yet) many 
client implementations, but this one is a start:-


As a general point though, if anyone asks you to install their own CA 
cert they're definitely not acting on your best interest. In my opinion, 
I'd treat their network like poison and avoid at all costs.



More information about the GLLUG mailing list