115

I found myself suddenly unable to access websites that use HTTPS, so I contacted my service provider, and they asked me to install a certificate in the Trusted Root Certificate Authorities store. But something isn't right: installing a certificate on every device connected to the same network just to be able to access websites that use HTTPS is just weird! How can I be sure that this certificate is issued by a trusted CA?

When I tried to install it, I got the following message:

Warning: If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click "Yes" you acknowledge this risk.

Here is the certificate information:

  • Version: V3
  • Serial num: 00 f8 ab 36 f3 84 31 05 39
  • Signature algo: sha1RSA
  • Signature hash algo: sha1
  • Issuer: ISSA, Internet, Internet, Beirut, Beirut, LB
  • Subject: ISSA, Internet, Internet, Beirut, Beirut, LB
  • Public Key: RSA (1024 bits)

It's valid until 2019.

And by the way, I'm in Lebanon.

I contacted my ISP again and they told me that they're using some kind of an accelerator to enhance the speed, and it needs authentication, so they chose to use a certificate instead of making the user enter a username and password every time they want to access websites that use HTTPS. And they suggested that if I'm not okay with that, they would put me in a new pool. So what should I do?

  • 76
    Sounds a bit dodgy. Like your ISP is middle-manning your HTTPS dodgy. What country/ISP? And can you give us the Cert details?
    – AlexH
    Commented Feb 2, 2015 at 17:13
  • 58
    yeah - ISP is doing MITM
    – schroeder
    Commented Feb 2, 2015 at 18:40
  • 57
    Whoa, that's scary. In layman's terms, your ISP is asking you to install a backdoor on your computer so they can monitor and/or modify your web traffic to secure (HTTPS) sites. If you install this certificate, your ISP can read any information you send over the internet on secure sites. Anything. That includes passwords, bank account numbers, whatever. Note that for regular, unsecured (HTTP) traffic, they already have this ability unless you use a VPN.
    – Ajedi32
    Commented Feb 2, 2015 at 20:38
  • 29
    What your ISP told you is only a half truth! He is hiding the fact that, to accelerate your internet, he will use the certificate to decrypt all your secure traffic and read it to compress it. This may (now) be done with good intentions (to save the ISP some money in infrastructure) - but this means you are opening your system and private data wide to a range of attacks and possible options to sell your private data
    – Falco
    Commented Feb 3, 2015 at 12:26
  • 7
    Not allowed to answer... Just wanted to add that some ISPs in fact do this without bad intent. I had a UMTS stick a while back from O2 (Germany). To allow a "good browsing experience" they intercepted all my traffic to re-encode all images to a lower quality to save bandwidth. It is possible that your ISP is trying something similar. Try to contact them to tell them that you do not wish this service.
    – example
    Commented Feb 4, 2015 at 22:14

6 Answers

129

Whilst I don't know the specifics of your ISP, I would say that it's likely that what they're doing here is intercepting all traffic you send over the Internet. In order to do that (without you getting error messages whenever you visit an HTTPS encrypted site), they would need to install a root certificate, which is what you mention in your post.

They need to do this as what this kind of interception usually entails is creating their own certificate for each site you visit. So, for example, if you visit https://www.amazon.com they need to have a certificate that your browser considers valid for that connection (which is one issued by a trusted Certificate Authority, either one provided with the browser or one you manually install).

From your perspective, the problem here is it means that they can see all your Internet traffic including usernames/passwords/credit card details. So if they want to, they can look at that information. Also if they have a security breach it's possible that other people might get access to that information. In addition, they may also gain access to any account that you access over this Internet connection (e.g., email accounts). Finally, installing this root certificate allows them to modify your Internet traffic without detection.

What I would recommend is that you query with them exactly why they need to see the details of your encrypted traffic (e.g., is this a legal requirement for your country) and if you're not 100% satisfied with the response, get a new ISP. Another possibility is to use a VPN and tunnel all your traffic through the VPN. If you are not happy with your ISP gaining this access to your HTTPS connections, do not install the root certificate they provided you.

  • 40
    Note that even if you don't install the root certificate, this kind of behavior from your ISP probably indicates that they are already monitoring your unencrypted HTTP traffic (even if they can't monitor your HTTPS traffic without you installing the certificate or ignoring the security warnings from your browser).
    – Ajedi32
    Commented Feb 2, 2015 at 20:35
  • 38
    Also, it appears they're requiring you to take their man-in-the-middle certificate by blocking all SSL traffic until you do. This is SERIOUSLY invasive. I'd go shopping for another provider NOW. Oh, and go get TOR if/while you still can.
    – Eric Lloyd
    Commented Feb 2, 2015 at 22:06
  • 16
    Don't forget to check the checksums of TOR to be sure they didn't intercept it too
    – Freedo
    Commented Feb 2, 2015 at 22:43
  • 20
    @Freedom: Check against what? Published checksums on HTTP sites might have been tampered with, those on HTTPS are blocked. If OP posts a postal address, someone might mail him some checksum, but that someone might still be the ISP, government, secret service or whatever in disguise. It's hard to build trust without any kind of trust anchor. Enough different people providing the same fingerprints in enough different forums using enough different protocols (HTTP, IRC, News, Mail) may render consistent tampering less likely, but can you ever be certain, short of reading all TOR sources yourself?
    – MvG
    Commented Feb 3, 2015 at 1:40
  • 4
    @Freedom There are multiple ways to "find-and-replace", at an MITM proxy level, all valid hashes on the Internet, with those of the tainted package.
    – nanofarad
    Commented Feb 3, 2015 at 11:22
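The mechanism described in this answer, as an added example that is not part of the original post or anyone's answer: it builds, entirely in memory, a self-signed root whose Issuer equals its Subject (as with the ISSA certificate in the question), issues a leaf for www.amazon.com under it, and shows that the leaf only verifies once that root is placed in the trust store. The organisation name and host are sample values; key sizes and validity periods are my own choices, not the ISP's.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mustCert signs tmpl under parent with signer's key and returns the parsed cert.
func mustCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced is well-formed
	return c
}

// issueInterceptionChain builds a self-signed "ISP" root (Issuer == Subject, like
// the ISSA cert in the question) and a leaf for www.amazon.com it signs. Constructed sample.
func issueInterceptionChain() (root, leaf *x509.Certificate) {
	rootKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{"ISSA"}}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: nb, NotAfter: na,
	}
	root = mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.amazon.com"},
		DNSNames: []string{"www.amazon.com"}, NotBefore: nb, NotAfter: na,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf = mustCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}

// isSelfSigned: Issuer == Subject and the signature verifies under the cert's own key.
func isSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() && c.CheckSignatureFrom(c) == nil
}

// trustedFor reports whether leaf chains to roots for host. An empty pool models the
// browser before the ISP root is installed; a pool holding it models the store after "Yes".
func trustedFor(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
```

Against an empty pool the leaf fails with an unknown-authority error, exactly the warning the browser shows today; add the root to the pool and the same leaf verifies, which is why the ISP needs it installed on every device.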
51

This is a request to surrender all your privacy and security to them.

It is a very simple technical issue - they have blocked encrypted and secure HTTPS connections. "Re-enabling" it by installing their certificate will now allow you to use encrypted and "secure" connections, but it will give your ISP full access to view your online data, modify anything you download (including inserting backdoors or malware in any downloaded software), modify or filter anything you upload, and gain all the online access credentials (passwords, cookies, other security tokens) that you use through HTTPS.

This is not simply a potential theoretical risk. In fact, you should expect that they are already doing some or all of this - it's the only practical reason why they put the effort to block and require their certificate in the first place.

Only if you desire to have this connection despite the aforementioned issues should you accept their certificate. A good paid VPN can be a solution; however, it's possible that they will be blocking VPNs as well. It may be the case that you have to choose between a monitored and insecure connection controlled by someone else and no connection at all.

  • If they block VPN or VPN ports, would it be possible to setup (a personal) VPN (server) over port 80 and use that?
    – SPRBRN
    Commented Feb 3, 2015 at 11:10
  • 1
    @SPRBRN Yes, but that would be pointless. If the VPN server is running on your local network, then it is subject to the exact same monitoring and restrictions by your ISP that you would be if you weren't using a VPN.
    – Ajedi32
    Commented Feb 3, 2015 at 14:49
  • 1
    Using a VPN-server that is on the same network as the client is pointless by itself. The VPN-server should be located elsewhere, either hosted with a VPN provider, or hosted in personal VPS. That last option would make it possible to run it on port 80 on that server. That was my suggestion. That traffic is allowed. It would be the same to run an SSH server on that server on port 80 instead of port 22.
    – SPRBRN
    Commented Feb 3, 2015 at 15:02
  • 1
    @SPRBRN Ah, I see. You were talking about bypassing the block by connecting to the VPN over port 80 rather than the usual port, not about setting up a personal VPN on your local network. Sorry for the misunderstanding.
    – Ajedi32
    Commented Feb 3, 2015 at 15:05
  • "it's the only practical reason why they put the effort to make this blocking & certificate in the first place" From the OP's edit, it looks like the OP's ISP has cited a different practical reason for doing this sort of MITM.
    – Ajedi32
    Commented Feb 3, 2015 at 15:06
15

In effect your ISP is reading all your mail.

Think of your internet connection as a series of letters being sent over pony express. The error you are seeing is your browser complaining that your mail has been opened by someone and resealed with the wrong wax seal rather than the expected, for example Google's, wax seal.

What your ISP is telling you to do is retrain your browser to treat the ISP seal as being more trustworthy than Google's seal.

The error is correct. It is telling you that your ISP is reading your mail. Don't do what they say. Change your ISP now.

8

I agree this sounds very dodgy, but I might have an idea that might help. I can only assume you are using your ISP's DNS servers, and I assume you are using a router. Why not just change the IP address of your external DNS server to something like Google's open DNS servers 8.8.8.8 and 8.8.4.4? If that stops the error message, and assuming you have NOT installed the ISP certificate, then you know the problem is solved. It is very likely that is how they are controlling traffic: many people do not know how to manually change their DNS servers, and everyone needs to use DNS to go to a website, so this idea might help.

Additionally, you could go with a private VPN service like https://www.privateinternetaccess.com/. I find their data center in Texas is great, but depending on where you are, you might like a different one, and they provide end-to-end encryption, so that too might help. All that said, going to a new ISP is the best choice; the only way the ISP is going to learn will be when they see their customers leaving for the competition.

Good Luck

  • We had the same problem with a hacked router sending all traffic through a dodgy DNS.
    Commented Feb 6, 2015 at 0:35
4

I have done some research on the Lebanese Internet Regulation Act. Basically, your minister of information, Walid Al-Daouq, proposed a law in 2012 (which didn't make it) that would have put heavy stress on the freedom of speech in Lebanon.

The law has since been stopped, but it's possible that your ISP has come under pressure from the government to monitor Internet traffic on a national scale in order to find people that are threatening national security. Lebanese law has censorship for matters that affect national security, so it's not a stretch to assume that they'll ask ISPs to monitor all forms of traffic.

You might also have heard of Mia Khalifa. She's recently been voted the "Number 1 porn star", and since she's from Lebanon, the government is not happy with that. Her popularity might have something to do with the recent rush for monitoring.

  • 1
    [citation needed] (I'm not disagreeing with you, I just think your answer would be better citing or linking to information found in your research)
    – IQAndreas
    Commented Feb 8, 2015 at 20:29
1

If they have done this, depending on your region, this may be looked at as a human rights violation under "right to private life".

The error you're receiving is actually a common problem.

Whoever you spoke to from your ISP may not know what you're talking about and simply fobbed you off asking you to install certificates.

Since getting this error, have you tried looking at your clock on your computer? If it's not set correctly, the time on certificates (which are set according to the certificate authority's time) will not be the same on your machines, therefore prompting you with a message such as, "your traffic is not secure".

Don’t simply allow the certificates as this defeats the purpose, and if you don’t know what you're doing, you can make mistakes which will cost you!

It is the job of a certificate authority, such as Verisign, to verify it and all you need to do is to make sure your systems are not compromised and you set your clock.

  • 4
    +1 While I think that your tone is a bit uncalled for (don't try to add ideology into this, and don't talk down other people's contributions, especially if they find a lot of upvotes), I absolutely agree with the fact that one should check the simplest sources of errors first. An incorrect system clock has caused me that exact problem before!
    – Domi
    Commented Feb 3, 2015 at 14:48
  • 4
    People seriously need to stop moaning about "rights" when it's entirely illogical to do so.
    Commented Feb 4, 2015 at 16:28
  • Clock skew would result in every certificate looking like it has expired - there's no indication of that in the question.
    Commented Feb 8, 2015 at 18:12
