The answer to "What’s going on here?":
It doesn't actually intercept your HTTPS traffic. Well, at least, not at this point. If you take a look at your URL bar:
It's clear that you're redirected to eset.com, not intercepted! It works exactly the same way as commercial hotspots or firewalls redirecting you to a Captive Portal.
But how does it intercept your connection? And how can you tell if you're intercepted or not? The firewall intercepting your connection actually connects to the destination site using the legit SSL certificate, then presents you the destination webpage (with the exception of using its own certificate instead of the destination website's, like a website proxy). But it's not that easy, because the Certificate Authority of your browser should trust the certificate. If it's not using a trusted certificate already in your CA, then you get a security warning stating "Certificate is not valid" (and an option to add an exception). If it's using an already-valid certificate like the certificate for eset.com, then it loads the webpage, but if you check the certificate, you see the certificate for ESET instead of the one for PayPal.
This method is also used in WAF (Web Application Firewall) HTTPS scanning and CyberGhost VPN's Content Blocker feature: "Remove Social Plugins like the Facebook Like button which could analyze your surfing behaviour".
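The certificate check described in this answer, written out as an added example (not part of the original answer): it classifies a certificate in the format Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificates, the CA names and the idea of comparing against an issuer you noted on a clean network are assumptions made for the illustration.

```python
import socket
import ssl

def _names(cert):
    """DNS names from the subjectAltName of a getpeercert()-style dict."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def _field(rdns, key):
    """Pull one attribute (e.g. organizationName) from a subject/issuer tuple."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def _matches(host, pattern):
    """Exact match, or a single left-most wildcard label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def classify(host, cert, expected_issuer_org):
    """Return 'ok', 'wrong-site-cert' or 'unexpected-issuer'."""
    if not any(_matches(host, n) for n in _names(cert)):
        return "wrong-site-cert"    # e.g. an eset.com certificate shown for PayPal
    if _field(cert.get("issuer", ()), "organizationName") != expected_issuer_org:
        return "unexpected-issuer"  # names match, but another CA signed it
    return "ok"

def fetch_cert(host, port=443):
    """Live fetch with the system trust store; an untrusted or mismatched
    certificate raises ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as s:
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (not captured from any real connection).
GENUINE = {"subject": ((("organizationName", "PayPal, Inc."),),),
           "issuer": ((("organizationName", "Example Public CA"),),),
           "subjectAltName": (("DNS", "www.paypal.com"),)}
PROXY = dict(GENUINE, issuer=((("organizationName", "Constructed Filter CA"),),))
REDIRECT = {"subject": ((("organizationName", "ESET"),),),
            "issuer": ((("organizationName", "Example Public CA"),),),
            "subjectAltName": (("DNS", "eset.com"), ("DNS", "*.eset.com"))}
```

On a live connection, pass the result of `fetch_cert("www.paypal.com")` to `classify` together with the issuer organization you recorded earlier.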