60

I'm connected over a café WiFi and received a warning from my mobile browser. When I looked further, it seems like the certificate is only valid for one day, which seems super suspicious.

[Screenshot: browser warning and certificate details]

It says Imgur on it, but then why is it flagged up and why is it only valid for one day?

Here is the same certificate while using a friend's hotspot/data:

[Screenshot: certificate details on mobile data]

I've not found another certificate that's affected.

10
  • 5
    I would inform the café. If they have this set up themselves, they should be told that they're undermining network security by doing so. If not, then it makes them aware someone is launching attacks in their café.
    – jpmc26
    Commented May 6, 2018 at 1:00
  • 39
    @jpmc26: If you tell the cafe that they are "undermining network security," they are going to look at you like you just arrived from Mars. Better to say something like "Hey, why does my internet never work at your cafe?" - because then they can figure out the problem on their own time without you having to go blue in the face explaining how the world works.
    – Kevin
    Commented May 6, 2018 at 2:19
  • 14
    @Kevin I take as a given that you would choose wording appropriate for the listener. "I get security warnings whenever I use your network. Do you guys have this configured yourselves? Because it's making your network insecure if so. If not, there might be a hacker in here trying to trick people. You should talk to your IT." Or whatever. You get the idea. Saying it "doesn't work" is just going to make them think something is wrong with your computer, since you can absolutely bypass these sorts of warnings and access the internet just fine.
    – jpmc26
    Commented May 6, 2018 at 2:23
  • 19
    @jpmc26: But if you start talking about security, their brain will turn off and they'll feed you some marketing line about how the MitM is "for your security." The trick is to play dumb. "I can't use your internet." -> "Oh, let me see your device." -> "Well, the internet always works at [competitor]. Why can't you make it work like theirs does?" -> etc.
    – Kevin
    Commented May 6, 2018 at 2:32
  • 31
    @Kevin A cashier or manager at a café isn't going to know what in the heck you're talking about anyway (unless they're working part time while getting a degree in some IT field). The goal is to get them to complain to their IT people who set this nonsense up in the first place. "Your network is insecure," is hopefully scary enough to make them do so. If not, there's nothing you can do anyway.
    – jpmc26
    Commented May 6, 2018 at 2:33

3 Answers

87

This isn't one of Imgur's certificates.

Certificate Transparency logs

Certificate Authorities must report all certificates they generate to transparency logs, which are public databases. This allows user-agents, like Chrome, to check that this certificate can be audited by the website's owner.

According to the following certificate transparency search tools, this certificate was not logged, and such a short lifetime is not usual for Imgur:

DNS Filter

According to the error messages, this certificate hasn't been issued by a valid certificate authority, so you can't trust the issuer.

The issuer claims to be "DNSFilter".

DNSFilter is a proxy used to filter requests, and it also tries to proxy HTTPS requests, so it generates a self-signed certificate for every domain.

Since you can't trust the issuer, you can't be sure that the certificate comes from the real DNSFilter product. Anyone could be impersonating it.


It's safe to assume that this is not a legit certificate for Imgur.

The exact reason for such a short lifetime for the certificate is unknown.

15
  • 29
    @PeterHarmann: DNSFilter is an attacker trying to confuse the user. Commented May 6, 2018 at 13:23
  • 13
    @PeterHarmann: If they login to imgur, it's stealing their credentials to the site (at least an auth token, maybe login/password if they're logged out and have to log back in) and potentially handling them in an insecure way where a third party may easily obtain access. It's also enabling yet another third party to just MITM the connection on top of their MITM and steal the credentials directly. So it is trying to confuse the user into doing something that puts them at significant risk. Commented May 6, 2018 at 13:31
  • 2
    @PeterHarmann: The "It's also..." part, yes, it's what you said in your answer. But the first half and the "So it is..." are all establishing further reasons why this is an attack and an attempt to confuse the user. Commented May 6, 2018 at 13:35
  • 5
    @PeterHarmann: according to this post, all certificates must be logged since April 2018. You can also check invalid-expected-sct.badssl.com in Chrome to check that Chrome now requires all certificates to be logged. Commented May 6, 2018 at 15:12
  • 4
    @user31925 it's also possible they're using their own certs to enact a captive portal. They can't issue a redirect on an https request without intercepting it, so rather than either freely pass https traffic (offering a convenient bypass of the CP) or block it entirely until the portal validation has occurred, it seems they may have taken the tack of intercepting the connection to try to issue a CP redirect. Don't know if this is the case, but for a café this seems plausible. "Never attribute to malice that which can be adequately explained by stupidity, but don't rule out malice"
    – Doktor J
    Commented May 7, 2018 at 20:57
66

This is apparently an MITM attack. Someone is trying to intercept the connection.

Whether it is a malicious third-party attacker or the cafe trying to filter content/insert advertisements (relatively harmless) is impossible to say for sure. While the certificate claims to be issued by DNS Filter, it is impossible to say whether it really was. Anyone can create a certificate with the name claiming to be "DNS Filter", and the certificate is not signed by anyone, so you can't trust what it says. It may have been really created by DNS Filter, but it also could be a malicious attacker trying to gain trust by using a recognizable name. You should NOT assume it was really created by DNS Filter.

Either way, that is certainly not a genuine imgur certificate.

13
  • 13
    @ruakh this is highly malicious because it totally breaks all security provided by HTTPS. The certificate between the "DNS filter" box and the target site is not passed through to the client, enabling the possibility of a 2nd MITM after the filter box, with no way for the client to detect this, even if you decide that the box itself is not explicitly malicious. Commented May 6, 2018 at 4:32
  • 6
    @alex.forencich: Please keep Hanlon's razor in mind. Even if something has very negative consequences, that doesn't necessarily mean it's very malicious in intent.
    – ruakh
    Commented May 6, 2018 at 6:26
  • 25
    MITM is always malicious. Commented May 6, 2018 at 13:24
  • 4
    @R.. That is arguably not true, what about corporate firewalls that do MITM to filter malware and phishing and also prevent data theft? It would be hard to argue these are malicious... Commented May 6, 2018 at 13:30
  • 3
    @PeterHarmann: They are malicious unless employees are explicitly forbidden from doing anything personal from work machines (e.g. logging into personal email), and unless such a rule is actively enforced, since employees generally don't and can't be expected to understand the threats MITM entails to their privacy and safety. Commented May 6, 2018 at 13:34
28

Is this certificate valid

No, it is generated on the fly by DNSFilter or an attacker pretending to be DNSFilter performing an MITM attack.

Why is this certificate being presented

DNSFilter allows monitoring network usage and blocking sites, but when it blocks a site it wants to show an error message. If the traffic is encrypted it needs to be able to decrypt it, which it can only do by either:

  • Having the original certificate
  • Making a new certificate

Why is there a warning

As the new certificate is not trusted by your machine you get a warning. This is true in both cases: an attacker CA would be untrusted, but so would the DNSFilter CA.

Why is the certificate only valid for a day

There are many reasons this could be, but a major one is trying to reduce the risk each individual certificate poses if it is leaked. The idea is that as long as the root cert is kept safe, then even if a site cert leaks, it is only trusted by devices that trust the CA.

As the certificates are generated on the fly there is no issue with the regular re-issuance that this requires.

Is SSL interception a good idea?

SSL interception is generally a very bad idea, for many reasons:

  • Sensitive data may be logged by the intercepting device
  • The keys may be the same for all devices, so anyone can intercept with a copy of the master key
  • The key may be gained from the device, leading to anyone being able to intercept
  • EV certificates are downgraded to standard certificates
  • Applications using pinning will not work with the changed certificate

There are some cases where it is acceptable, when absolutely necessary, but these do not apply for public WiFi, where you do not really trust the hotspot operator.

5
  • 2
    Going by the DNSFilter website, it is possible that they do not normally proxy HTTPS connections but that the coffee shop has configured it to block imgur and tries to show an error page.
    – Carsten S
    Commented May 6, 2018 at 17:28
  • @CarstenS Yeah, that's most likely, since OP said that he didn't have this issue with other websites. Commented May 7, 2018 at 11:52
  • 1
    You cannot assert that "it is generated on the fly by DNSFilter" from the information provided. It might as well be an actual MITM attacking the users of that cafe.
    – jjmontes
    Commented May 7, 2018 at 15:34
  • Added about the possibility of being an MITM attack
    – jrtapsell
    Commented May 7, 2018 at 16:17
  • Also amended, it seems they use the VIP way of enforcing safe search
    – jrtapsell
    Commented May 7, 2018 at 16:22
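An added example, not part of any answer or comment on this page: a standard-library Python check that applies the tests the first and third answers describe (issuer not one you trust, a validity period far shorter than a public site would normally use, and a subject name that nevertheless looks right) to a certificate in the dict layout that ssl.SSLSocket.getpeercert() returns, so the same function can run on a live peer certificate or on the samples below. The two certificate dicts, the "Example Public CA" issuer name, the issuer allow-list and the 7-day threshold are constructed assumptions for illustration; the Certificate Transparency (SCT) check from the first answer is not reproduced, because getpeercert() does not expose that extension.

```python
"""Audit a peer certificate the way a cautious client would, using only the
standard library.  Input is the dict layout ssl.SSLSocket.getpeercert()
returns for a verified connection (RDNs as nested tuples, times as
'Mon DD HH:MM:SS YYYY GMT')."""
import ssl
from datetime import timedelta

# Constructed sample resembling the certificate from the question; the values
# are made up for illustration, not copied from the real certificate.
CAFE_CERT = {
    "subject": ((("commonName", "imgur.com"),),),
    "issuer": ((("organizationName", "DNSFilter"),), (("commonName", "DNSFilter"),)),
    "notBefore": "May  5 00:00:00 2018 GMT",
    "notAfter": "May  6 00:00:00 2018 GMT",
    "subjectAltName": (("DNS", "imgur.com"), ("DNS", "*.imgur.com")),
}

# Constructed sample standing in for the certificate seen over the friend's
# hotspot; "Example Public CA" is a placeholder, not Imgur's real CA.
HOTSPOT_CERT = {
    "subject": ((("commonName", "*.imgur.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Server CA"),)),
    "notBefore": "Jan 10 00:00:00 2018 GMT",
    "notAfter": "Jan 10 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "*.imgur.com"), ("DNS", "imgur.com")),
}

# Assumed allow-list of issuer organisations this client accepts.
TRUSTED_ISSUERS = {"Example Public CA"}

# Assumed threshold: a lifetime below this is unusual for a public website.
MIN_LIFETIME_DAYS = 7


def _name_to_dict(name):
    """Flatten getpeercert()'s nested RDN tuples into a plain attribute dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def lifetime(cert):
    """Validity period of the certificate as a timedelta."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return timedelta(seconds=end - start)


def name_matches(cert, hostname):
    """True if hostname is covered by a DNS SAN entry (exact or one-label wildcard)."""
    host = hostname.lower()
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = pattern.lower()
        if pat == host:
            return True
        # "*.example.com" covers exactly one extra label, never the bare domain.
        if pat.startswith("*.") and host.count(".") == pat.count(".") \
                and host.endswith(pat[1:]):
            return True
    return False


def audit_peer_cert(cert, hostname, trusted_issuers=TRUSTED_ISSUERS,
                    min_lifetime_days=MIN_LIFETIME_DAYS):
    """Return a list of human-readable findings; an empty list means no concern."""
    findings = []
    subject = _name_to_dict(cert["subject"])
    issuer = _name_to_dict(cert["issuer"])

    # A matching name is necessary but not sufficient: an interception box
    # can put any name it likes in the certificate it generates.
    if not name_matches(cert, hostname):
        findings.append(f"name mismatch: certificate does not cover {hostname}")

    if issuer == subject:
        findings.append("self-signed: issuer equals subject")
    org = issuer.get("organizationName", issuer.get("commonName", "?"))
    if org not in trusted_issuers:
        findings.append(f"untrusted issuer: {org}")

    days = lifetime(cert).days
    if days < min_lifetime_days:
        findings.append(f"unusually short lifetime: {days} day(s)")
    return findings


if __name__ == "__main__":
    for label, cert in (("cafe", CAFE_CERT), ("hotspot", HOTSPOT_CERT)):
        print(label, audit_peer_cert(cert, "imgur.com") or ["no findings"])
```

On the constructed cafe certificate the name check passes, which is exactly why it "says Imgur on it", while the issuer and lifetime checks both fire; on the hotspot sample nothing fires. Run against a real connection, the browser's own chain validation already covers the issuer check, and this function adds the lifetime heuristic that made the question's certificate stand out.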
