
Website security certificate coming from vodafone content control even though it's off.

2: Seeker

Support won't be able to answer you.

Most likely you've just run into their MiTM attack against users on mobile. Not exactly sure why they do it, but support aren't even aware of how great an issue this is so unlikely you'll get any help here.

Maybe a Class Action would sort it.

2: Seeker

So. I've been with Vodafone less than a month, what are my rights here, I've read all 9 pages of this complete shambles and I knew something was very fishy when I saw the certificate in my browser.

I see some people mention a one month cooling period?

I'll be honest I know you can change the DNS and I normally do but I'm also locked into using one of their routers so who's to say they are not monitoring things there too. Basically I've lost all trust and I want to leave.

I don't want Vodafone to give me one of these standard BS messages about contacting support or sorry I want to leave. If someone can tell me my rights I'm leaving and I'm taking both my broadband connections with me! All traffic from this day forwards is going through my VPN.

This is a complete disgrace.

Moderator

Hi @slacksmeridian if you're within 30 days of your contract, you do have the right to leave. Granted it would be a shame for you to do so, but you can. You'd be charged for the amount of services that you've used up until your final cancellation date.

If you wanted to cancel you'd need to call us on 191 from a Vodafone mobile or another UK number 03333 040 191.

2: Seeker

Too true mate! You can use Google's DNS servers but who knows whether they are still monitoring you.

Maybe Wireshark might give you an insight into this.

I have unfortunately gone past my 30 days, but would ignore any charges from Vodafone anyway, as I do not believe that they make it clear in the terms that they would be inserting their own certificate in between the request and the response (man-in-the-middle attack) and stop us going to thousands of websites.

Vodafone are crap.

2: Seeker

I'm also having problems with this since switching to Vodafone.

It is unacceptable that Vodafone still pass data through content control even if you disable content control. That is false advertising, as I was told content control could be switched off.

It is also ethically wrong to do a man in the middle attack to insert their own security certificates in this way.

Why are they still doing this after users have complained for years about this?

1: Seeker

Hi all

I've been having this problem for a while. A few days ago I read through this entire thread so understand the problem. As Vodafone have not properly resolved this at all over the few years it appears to have been a problem, I have raised this with Ofcom, the communications regulator, as an issue.

I will update here as this proceeds.

3: Seeker

Would be good to know what the policy is with this breach of security.

It obviously only applies to certain sites.

Ofcom seems to be the only way to go because none of the mods here seem to know.

3: Seeker

I added the security workaround to Firefox by adding the vodafone certificate. Even that seems to be breaking. I get this error from the proxy server roughly 50% of the time which breaks Imgur files.

<<

ERROR The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://i.imgur.com/3SRSVYw.gifv

ICAP protocol error.

The system returned: [No Error]

This means that some aspect of the ICAP communication failed.

Some possible problems are:

  • The ICAP server is not reachable.
  • An Illegal response was received from the ICAP server.

Generated Fri, 14 Dec 2018 08:01:38 GMT by iwffilter.broadband.vodafone.co.uk (squid)

>>

Please can you stop intercepting websites?

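The error page quoted in the post above, parsed as an added example (not part of the original thread): it pulls the generating host, proxy software and requested URL out of the page and reports whether a host other than the requested one wrote the response. The function and field names are chosen for this illustration.

```python
import re
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Footer Squid appends to the error pages it generates, as quoted in the post.
FOOTER = re.compile(r"Generated (?P<when>.+? GMT) by (?P<host>\S+) \((?P<software>[^)]+)\)")
URL_LINE = re.compile(r"trying to retrieve the URL:\s*(?P<url>\S+)")

def parse_proxy_error(body):
    """Return details of a proxy-generated error page, or None without the footer."""
    footer = FOOTER.search(body)
    if footer is None:
        return None
    url = URL_LINE.search(body)
    requested = url.group("url") if url else None
    origin_host = urlsplit(requested).hostname if requested else None
    generator = footer.group("host").lower()
    return {
        "requested_url": requested,
        "origin_host": origin_host,
        "generated_by": generator,
        "software": footer.group("software"),
        "generated_at": parsedate_to_datetime(footer.group("when")),
        "icap_failure": "ICAP protocol error" in body,
        # The page was written by a host other than the one requested, so an
        # intermediary answered in place of the origin server.
        "answered_by_intermediary": origin_host is not None and generator != origin_host,
    }

# Sample copied from the error quoted in the post above.
SAMPLE = """ERROR The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: http://i.imgur.com/3SRSVYw.gifv
ICAP protocol error.
The system returned: [No Error]
Generated Fri, 14 Dec 2018 08:01:38 GMT by iwffilter.broadband.vodafone.co.uk (squid)
"""

if __name__ == "__main__":
    for key, value in parse_proxy_error(SAMPLE).items():
        print(f"{key}: {value}")
```
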
2: Seeker
That's because by adding an exception and taking their dodgy certificate you have accepted a man-in-the-middle attack. They are now routing your traffic through extra servers and software, which is bound to add complexity and further issues. There is practically never any reason to add an exception.
12: Established

I find this absolutely incredible. It's hard to believe that this is not a bigger story.

For what it's worth I suspect this is something to do with the IWF blacklisting some images on Imgur, and the fact that HTTPS obfuscates the URL. So the only way VF can think of to block the specific URLs is to intercept all the traffic to that domain, decrypt it, then re-encrypt it.

But telling people that it's OK to accept certificates that are not valid is dangerous.

I'm glad Vodafone aren't my ISP.

My brain training puzzle site - It's good go look

2: Seeker
> But telling people that it's OK to accept certificates that are not valid is dangerous.

Ignoring all which is abhorrent about the fact this is going on. Teaching people to accept dodgy certificates is downright irresponsible and makes us all less secure.

3: Seeker

> I added the security workaround to Firefox by adding the vodafone certificate

Why would you do this? You have just compromised your entire chain of trust, if I understand it correctly. I'm not even sure if you can rectify this by simply removing the certificate, because you can't be sure others have been installed. Someone with more knowledge can clarify please!

12: Established

@dm319 wrote:

> > I added the security workaround to Firefox by adding the vodafone certificate
>
> Why would you do this? You have just compromised your entire chain of trust, if I understand it correctly. I'm not even sure if you can rectify this by simply removing the certificate, because you can't be sure others have been installed. Someone with more knowledge can clarify please!

I don't think it's possible to install a certificate directly from a website without user interaction. At least I can't think of a way to do it. But then the kind of person who is willing to do the VF suggested workaround probably OKs everything.

So I was trying to think of when I had heard of something like this before... Then it came to me, it was when Lenovo bundled Superfish with their new laptops. This was basically the same thing, they installed a certificate, which was ultimately exploited by hackers to compromise security.

I don't know what the answer is, but it's not this. Perhaps they should ask literally any other ISP.

My brain training puzzle site - It's good go look

2: Seeker
The correct work-around is to not use Vodafone DNS servers as they will give you the IP of their MiTM servers instead of the actual domain.

One way of doing this is switching to Google DNS: 8.8.8.8 and 8.8.4.4 (https://developers.google.com/speed/public-dns/).

The more correct work-around is to start a class action lawsuit against Vodafone and if not the UK government.

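A way to check the claim in the post above, as an added example that is not part of the original thread: ask two resolvers for the same name and compare the A records each returns. The function names are chosen for this illustration, and the ISP resolver address is a placeholder the reader supplies; only untruncated UDP responses are handled.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A-record query for name."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, pos):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_a_records(msg):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4           # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):  # A record, class IN
            addrs.add(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen                             # other record types (CNAME etc.) are skipped
    return addrs

def resolve_via(resolver_ip, name, timeout=3.0):
    """Ask one specific resolver over UDP and return its A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        return parse_a_records(sock.recvfrom(4096)[0])

def compare_answers(isp, reference):
    """Summarise how two resolvers' answers for the same name differ."""
    return {"only_isp": sorted(isp - reference),
            "only_reference": sorted(reference - isp),
            "disjoint": bool(isp) and bool(reference) and not (isp & reference)}

# Usage (needs network; ISP_RESOLVER is a placeholder for the router-supplied address):
# compare_answers(resolve_via(ISP_RESOLVER, "i.imgur.com"), resolve_via("8.8.8.8", "i.imgur.com"))
```

Large sites often hand different addresses to different resolvers, so a disjoint result is a reason to inspect the certificate issuer the browser shows for that site, not proof of interception on its own.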
3: Seeker

Hi flagpole,

Looking through my certificates I have loads of certificates under 'authorities', and a few under 'servers'. I don't really remember ever adding these manually or agreeing to them - I thought they were added on the basis of a chain of trust?

Not a security expert, so I get a bit confused with the details.