When has it become normal practice to intercept (as in #MitM attack!) connections secured by a #letsencrypt certificate? That's outrageous!

For years and years I didn't have a single such issue with my selfhosted service, but recently I had the "pleasure" - twice! - to deal with such malicious networks. It's beginning to be a huge annoyance. (Some of my services are relevant for my work.)

Do we have to go back to paid certificates??

#selfhosting #cybersecurity #TLS

@hambier
How exactly did you think this was accomplished? I don't understand what you're claiming. Are you saying the root certs are compromised?
@dlakelan I'm saying that the browser is throwing the typical scary warnings and when inspecting it's not the certificate that my server is actually presenting, but rather one issued by Fortinet or some other corporate security software that has been substituted for it.
@hambier
Ah right. Corporations install their own certs on their client machines and then MiTM themselves so as to monitor everything employees do. It's a shitty practice. Best to stay away from those networks!
@dlakelan @hambier Right. This has nothing to do with using any particular CA oneself for one's services.

@mkj @dlakelan Well, in the first case I mentioned it is (IMO) an incompetent misconfiguration since it's a public(!) Wi-Fi and hence the endpoints are not supposed to be equipped with additional CAs.

And in the second case (workplace) it turned out that some recent config update of the endpoint antivirus suite added this misbehaviour. (Certificate substituted, but no CA added for it...)

In both cases Let's Encrypt sites seem to be particularly targeted. Other certs are not substituted.

@mkj @dlakelan LOL. I just noticed that even our very own (workplace) website and intra/extranet are affected. 😂

@hambier @mkj

Is it related to some kind of captive portal? Maybe once you sign into that portal the problem goes away? The captive portal would probably need to be accessed via HTTP.

@dlakelan @mkj It seems to have been a temporary misconfiguration/misbehaviour of the endpoint security. 🤷‍♂️
After a couple of hours and a few reboots it seems back to normal.
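A small check for the situations described in this thread (a leaf certificate substituted by an interception proxy, either with or without its CA installed on the endpoint), added here as an example and not code from anyone in the thread. It uses only the Python standard library; the expected issuer set, the host name and the sample issuer values in the comments are constructed for the example, and the Fortinet name is used only because it is the issuer the original poster saw.

```python
import hashlib
import socket
import ssl
import sys

# Issuer organisation expected on our own hosts' leaf certificates (constructed
# for this example; Let's Encrypt is the CA the thread is about).
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}


def name_attr(name, key):
    """Read one attribute (e.g. 'organizationName') from a getpeercert()-style name."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify_cert(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Classify a verified peer-cert dict: 'ok' when the issuer is one we expect,
    'substituted' when some other issuer (e.g. an interception proxy's CA) signed it."""
    issuer_org = name_attr(cert.get("issuer", ()), "organizationName")
    return ("ok" if issuer_org in expected_orgs else "substituted"), issuer_org


def fingerprint_hex(der):
    """SHA-256 of the DER leaf, to compare with a value recorded on the server itself."""
    return hashlib.sha256(der).hexdigest()


def check_host(host, port=443):
    """Handshake with the system trust store and report one of three outcomes."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        # The poster's cases: leaf swapped, no CA for it in the local store,
        # so the browser warns.  Report that instead of failing silently.
        return "untrusted", str(exc)
    verdict, issuer = classify_cert(cert)
    # The managed-endpoint case from the thread: leaf swapped AND the interception
    # CA trusted locally, so no browser warning; only the issuer check catches it.
    return verdict, f"issuer={issuer} sha256={fingerprint_hex(der)}"


if __name__ == "__main__":
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "example.org"))
```

Run it from the suspect network against one of your own hosts and compare the printed fingerprint with the one computed on the server; a mismatch, or an issuer other than the CA you actually use, means the connection is being intercepted.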