When did it become normal practice to intercept (as in a #MitM attack!) connections secured by a #letsencrypt certificate? That's outrageous!

For years and years I didn't have a single such issue with my self-hosted service, but recently I had the "pleasure" (twice!) of dealing with such malicious networks. It's beginning to be a huge annoyance. (Some of my services are relevant for my work.)

Do we have to go back to paid certificates??

#selfhosting #cybersecurity #TLS

@hambier
How exactly did you think this was accomplished? I don't understand what you're claiming. Are you saying the root certs are compromised?
@dlakelan I'm saying that the browser is throwing the typical scary warnings and, when I inspect it, it's not the certificate that my server is actually presenting, but rather one issued by Fortinet or some other corporate security software that has been substituted for it.
@hambier @dlakelan A TLS certificate is not a warranty that your traffic won't be intercepted; it's just a way to notice that this happened. A paid certificate will not change anything… if the inspecting transparent proxy wants to intercept the traffic, it will do the same when you are using any other certificate issuer. For whatever reason it wants to do it (or maybe just a misconfiguration)…
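The point above, that a certificate lets the client notice a substitution rather than prevent it, as an added example that is not part of this thread or anyone's post in it: a Go program (standard library only) that builds a constructed origin CA and a constructed inspection-proxy CA, puts both in the client's trust store the way a managed corporate machine would have the proxy's CA installed, and then pins the SPKI hash of the origin's leaf certificate. Chain validation passes for both leaves; only the pin rejects the proxy's, and the error names the substitute's issuer. The names selfhosted.example, "Constructed Origin CA" and "Constructed Inspection Proxy CA" are made up for the example; no real Let's Encrypt or Fortinet material is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // unique serial numbers for the constructed certificates

func check(err error) { if err != nil { panic(err) } }

// issue creates a P-256 certificate for cn: a self-signed CA when parent is nil, otherwise a server
// leaf signed by parent. All material is generated in-process for this example; none of it is real CA data.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // hostname goes in the SAN, as modern verifiers require
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key, der
}

// SPKIPin is the hex SHA-256 of the SubjectPublicKeyInfo: it identifies the server's key,
// which an inspection proxy cannot reproduce without the server's private key.
func SPKIPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

// PinVerifier builds a tls.Config.VerifyPeerCertificate callback. crypto/tls calls it after chain
// validation has already succeeded (InsecureSkipVerify must be false), so it catches a substituted
// leaf even when the proxy's CA is in the trust store, and names the issuer of the substitute.
func PinVerifier(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		leaf := chains[0][0] // already parsed and chain-validated by crypto/tls
		if got := SPKIPin(leaf); got != pin {
			return fmt.Errorf("certificate substituted: leaf for %q issued by %q (SPKI %s..., pinned %s...)",
				leaf.Subject.CommonName, leaf.Issuer.CommonName, got[:16], pin[:16])
		}
		return nil
	}
}

// handshake performs one loopback TLS handshake and returns the client's verdict.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			s := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}})
			_ = s.Handshake() // the client side reports the outcome
			s.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		err = c.Close()
	}
	return err
}

// Demo models the thread: the client trusts both the origin CA and the inspection proxy's CA (as a
// managed corporate machine would), so chain validation succeeds either way; only the pin tells them apart.
func Demo() (direct, intercepted error) {
	originCA, originCAKey, _ := issue("Constructed Origin CA", nil, nil)
	originLeaf, originKey, originDER := issue("selfhosted.example", originCA, originCAKey)
	proxyCA, proxyCAKey, _ := issue("Constructed Inspection Proxy CA", nil, nil)
	_, proxyKey, proxyDER := issue("selfhosted.example", proxyCA, proxyCAKey)
	roots := x509.NewCertPool()
	roots.AddCert(originCA)
	roots.AddCert(proxyCA)
	cfg := &tls.Config{ServerName: "selfhosted.example", RootCAs: roots,
		VerifyPeerCertificate: PinVerifier(SPKIPin(originLeaf))}
	direct = handshake(tls.Certificate{Certificate: [][]byte{originDER}, PrivateKey: originKey}, cfg)
	intercepted = handshake(tls.Certificate{Certificate: [][]byte{proxyDER}, PrivateKey: proxyKey}, cfg)
	return direct, intercepted
}
```

Demo() returns nil for the direct connection and an error naming "Constructed Inspection Proxy CA" for the intercepted one. The pin is what a browser's warning is doing informally when it shows an unexpected issuer; switching CAs would not change it, because the proxy's leaf is signed by the proxy's own CA regardless of who issued the origin's certificate.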
@dan_j @dlakelan A paid certificate could potentially have an impact if the filtering rule specifically targets the issuer. And in one case I suspect that this was indeed the case. Only smaller/self-hosted sites were affected. Possibly by targeting letsencrypt. I can't say for sure though.
@hambier @dlakelan From my experience, automated (non-)inspection is done by several vendors in their default policy based on reputation. So indeed self-hosted sites may be impacted more often by what you noticed. I have never seen filtering based on cert issuer (although of course it is technically possible). According to unverified sources, LE currently has a market share well above some commercial CAs; it's not a geek-only thing for self-hosters anymore. In my opinion there's no reason to change your cert.
@dan_j @hambier @dlakelan I agree with everything that @dan_j said.
@drscriptt @dan_j @dlakelan Ok, that's good, I guess. Thanks for pointing the market share out!