
Why are SSL certs being broken by Vodafone's content control???

3: Seeker

I have noticed that trying to get to imgur.com results in a broken cert chain error reporting that the certificate is not from the reported domain.

Having looked at this, I find that the certificate being pushed is from Vodafone: contentcontrol.vodafone.co.uk?

I have checked my account and I don't use this service.

My question is why is this happening? I find evidence that this has been a long-running issue, and it is most concerning that, from a post I have seen in 2016, this is still an issue in 2018.

 

Is Vodafone intercepting any other certificates without authorisation or even knowledge by the individuals?

I would like to be assured that this very suspect practice is not happening to masquerade as any other legitimate services - what about my bank's SSL certs? Are you intercepting them too?

 

Whatever evidence/resolution is gained from here will determine my moving my service to a company that is not breaking encryption standards used in good faith by the services we use daily.

1 REPLY
12: Established

It's a yes and no answer really.

Vodafone are not intercepting certificates; what they are doing is, in effect, performing a 'Man in the Middle' attack by intercepting all traffic and routing it through their own 'sniffer server' that is content control. Whether you turn it on or off, it still goes through.

The reason you are getting invalid certificates is that the certificate Vodafone present you with is not the same as the website certificate, and it will never be the case as long as they operate in this way.

The report you are getting is exactly what should happen when the chain is broken; it's the same way that someone dodgy would perform a MITM attack.

 

Contrary to popular belief, a certificate doesn't show who owns the website, that it's not been hacked or any other misheld conceptions.

The one and the only thing that a certificate provides is, you know your connection to the website is secure and encrypted, nothing else. That's why it's always important to actually read in full both the URL (up to the first '/') of the website you are visiting and the certificate it presents, as they both should match exactly, thereby keeping the chain intact.

Vodafone's solution of creating an exception denies the only thing a certificate provides; you may as well use http.

As it's been going on for some time, it seems like they have no intention of making any changes, so if you want an ISP that doesn't spy on you, use someone else.

 

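Added example, not part of either post above: a name check of the kind a TLS client performs, showing why a certificate issued for contentcontrol.vodafone.co.uk is rejected when the requested host is imgur.com. The certificate dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`; both sample certificates and all function names are constructed for illustration.

```python
# Added example: does the presented certificate name the host we asked for?
# Sample certificates are constructed; they mirror the dict shape of
# ssl.SSLSocket.getpeercert() and are not captured from a real connection.

def cert_dns_names(cert):
    """DNS names from subjectAltName, falling back to the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return [n.lower().rstrip(".") for n in names]

def name_matches(pattern, host):
    """RFC 6125-style match: '*' is allowed only as the whole left-most label."""
    p = pattern.split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse patterns like '*.com'
    return p == h

def check_presented_cert(requested_host, cert):
    """Return (ok, names); ok is False when no certificate name covers the host."""
    names = cert_dns_names(cert)
    ok = any(name_matches(n, requested_host) for n in names)
    return ok, names

# Constructed sample: what the first post describes seeing for imgur.com.
INTERCEPTED = {
    "subject": ((("commonName", "contentcontrol.vodafone.co.uk"),),),
    "subjectAltName": (("DNS", "contentcontrol.vodafone.co.uk"),),
}
# Constructed sample: a certificate that does cover the requested host.
EXPECTED = {
    "subject": ((("commonName", "*.imgur.com"),),),
    "subjectAltName": (("DNS", "*.imgur.com"), ("DNS", "imgur.com")),
}

if __name__ == "__main__":
    for label, cert in (("intercepted", INTERCEPTED), ("expected", EXPECTED)):
        ok, names = check_presented_cert("imgur.com", cert)
        print(f"{label}: match={ok} names={names}")
```

A name match is only one of the checks a client makes; the chain must also validate to a trusted root before the connection is accepted.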