Welcome to Vodafone Community
i have noticed that trying to get to imgur.com results in a broken cert chain error reporting that certificate is not from the reported domain,
having looked at this i find that the certificate being pushed is from vodoafone: contentcontrol.vodafone.co.uk?
i have checked my account and i dont use this service.
My question is why is this happening? i find evidence that this has been a long running issue and is most concerning that from a post i have seen in 2016 - this is still an issue in 2018.
Is vodafone intercepting any other certificates without authorisation or even knowledge by the individuals?
I would like to be assured that this very suspect practice is not happening to masqerade as any other ligitimate services - what about my banks ssl certs? are you intercepting them too?
What ever evidence/resolution is gained from here will determine my moving my service to company that is not breaking encryption standards used in good faith by the services we use daily.
It's a yes and no answer really.
Vodafone are not intercepting certificates, what they are doing is, in effect, performing a 'Man in the Middle' attack by intercepting all traffic and routing it through their own 'sniffer server' that is content control, whether you turn it on or off it still goes through.
The reason you are getting invalid certificates is that the certificate Vodafone present you with is not the same as the website certifcate and it will never be the case as long as they operate in this way.
The report you are getting is exactly what should happen when the chain is broken, it's the same way that someone dodgy would perform a MITM attack.
Contrary to popular belief a certificate doesn't show who owns the website, that it's not been hacked or any other misheld conceptions.
The one and the only thing that a certificate provides is, you know your connection to the website is secure and encrypted, nothing else. That's why it's always important to actually read in full both the URL (up to the first '/') of the website you are visiting and the certificate it presents as they both should match exactly therby keeping the chain intact.
Vodafone's solution of creating an exception denies the only thing a certificate provides, you may as well use http.
As it's been going on for some time it seems like they have no intention of making any changes so if you want an ISP that doesn't spy on you, use someone else.