When has it become normal practice to intercept (as in #MitM attack!) connections secured by a #letsencrypt certificate? That's outrageous!

For years and years I didn't have a single such issue with my selfhosted service, but recently I had the "pleasure" - twice! - to deal with such malicious networks. It's beginning to be a huge annoyance. (Some of my services are relevant for my work.)

Do we have to go back to paid certificates??

#selfhosting #cybersecurity #TLS

@hambier
How exactly did you think this was accomplished? I don't understand what you're claiming. Are you saying the root certs are compromised?
@dlakelan I'm saying that the browser is throwing the typical scary warnings and when inspecting it's not the certificate that my server is actually presenting, but rather one issued by Fortinet or some other corporate security software that has been substituted for it.
@hambier
Ah right. Corporations install their own certs on their client machines and then MiTM themselves so as to monitor everything employees do. It's a shitty practice. Best to stay away from those networks!
@dlakelan @hambier Right. This has nothing to do with using any particular CA oneself for one's services.

@mkj @dlakelan Well, in the first case I mentioned it is (IMO) an incompetent misconfiguration since it's a public(!) Wifi and hence the endpoints are not supposed to be equipped with additional CAs.

And in the second case (workplace) it turned out that some recent config update of the endpoint antivirus suite added this misbehaviour. (Certificate substituted, but no CA added for it...)

In both cases Letsencrypt sites seem to be particularly targeted. Other certs are not substituted.

@mkj @dlakelan LOL. I just noticed that even our very own (workplace) website and intra/extranet are affected. 😂

@hambier @mkj

Is it related to some kind of captive portal? Maybe once you sign into that portal the problem goes away? The captive portal would probably need to be accessed via http.

@dlakelan @mkj It seems to have been a temporary misconfiguration/misbehaviour of the endpoint security. 🤷‍♂️
After a couple of hours and a few reboots it seems back to normal.
@hambier @dlakelan A TLS certificate is not a warranty that your traffic won't be intercepted, it's just a way to notice that this happened. A paid certificate will not change anything… if the inspecting transparent proxy wants to intercept the traffic it will also do the same when you are using any other certificate issuer. For whatever reason it wants to do it (or just maybe just a misconfiguration) …
@dan_j @dlakelan A paid certificate could potentially have an impact if the filtering rule specifically targets the issuer. And in one case I suspect that this was indeed the case. Only smaller/selfhosted sites were affected. Possibly by targeting letsencrypt. I can't say for sure though.
@hambier @dlakelan From my exp. automated (non-)inspection is done by several vendors in their default policy based on the reputation. So indeed selfhosted sites may be impacted more often by what you noticed. I have never seen filtering based on cert issuer (although of course technically possible). According to not verified sources LE has currently a market share well above some commercial CAs, not a geek-only thing for selfhosters anymore. In my opinion there’s no reason to change your cert.
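The point made above, that a certificate does not prevent interception but lets you notice it, can be turned into a check of your own. The following is an added example, not code from anyone in this thread: it records the SHA-256 of your server's real public key once (from a network you trust) and compares it with the key in whatever leaf certificate a given network path presents, which is exactly what a substituted Fortinet-style certificate cannot match. Host names, the issuer strings and the self-signed certificates built by SelfSigned are constructed for an offline demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

func SPKIPin(c *x509.Certificate) string { // hex SHA-256 of the SubjectPublicKeyInfo; record it once from a trusted network
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// Classify flags a presented leaf whose key differs from the pinned one: someone on the path (inspection
// proxy, misbehaving endpoint agent) signed its own cert for this name. Issuer is for display only.
func Classify(leaf *x509.Certificate, pinnedSPKI string) (issuer string, intercepted bool) {
	issuer = fmt.Sprintf("%s %v", leaf.Issuer.CommonName, leaf.Issuer.Organization)
	return issuer, SPKIPin(leaf) != pinnedSPKI
}

// PresentedLeaf fetches whatever leaf the path hands us. Verification is skipped on purpose:
// a substituted cert would fail it, and we want to inspect it, not trust it. No data is sent.
func PresentedLeaf(hostport, sni string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", hostport, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// SelfSigned builds a constructed sample certificate (not from any real CA) so the check can run offline.
func SelfSigned(cn, org string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn, Organization: []string{org}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	genuine, proxied := SelfSigned("svc.example.net", "Let's Encrypt"), SelfSigned("svc.example.net", "Fortinet")
	fmt.Println(Classify(genuine, SPKIPin(genuine))) // same key: intercepted=false
	fmt.Println(Classify(proxied, SPKIPin(genuine))) // different key: intercepted=true
}
```

Against a live host you would call PresentedLeaf("svc.example.net:443", "svc.example.net") and pass the result to Classify with the pin you recorded earlier; the issuer string is only there to tell you who signed the substitute, the decision rests on the key.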
@dan_j @hambier @dlakelan I agree with everything that @dan_j said.
@drscriptt @dan_j @dlakelan Ok, that's good I guess. Thanks for pointing the marketshare out!

@hambier @dlakelan I see what you mean, this isn't anything to do with letsencrypt at all, but instead whatever firewall/security appliance you are connecting through is doing MITM on SSL connections.

This is common with businesses and sometimes school networks too. Not much you can do about it other than use a different network.

@hambier I suspect you are connecting through a corporate network. Then the answer is "since always". Corporate networks use proxies and corporate PCs have the "MitM" certificate forced on their configuration.
Where I work, it is well described in the terms of use we receive.
@manux The Contern sportshall public wifi likes to disagree ;-)
At work it seems to have been a misconfiguration indeed.