main_icn_My_Vodafone main_icn_Search main_icn_Chevron_right main_icn_Chevron_down main_icn_Close main_icn_Menu social-facebook social-google-plus social-linkedin social-twitter social-youtube main_icn_Community_or_Foundation main_icn_Location main_icn_Network_signal

Pay monthly

Website security certificate coming from vodafone content control even though it's off.

2: Seeker

Support won't be able to answer you.

 

Most likey you've just ran into their MiTM attack against users on mobile. Not exactly sure why they do it, but support aren't even aware of how great an issue this is so unlikely you'll get any help here.

 

Maybe a Class Action would sort it.

View more options
2: Seeker

So. I've been with Vodafone less than a month, what are my rights here, I've read all 9 pages of this complete shambles and I knew something was very fishy when I saw the certificate in my browser. 

 

I see some people mention a one month cooling period?

 

I'll be honest I know you can change the Dns and I normally do  but I'm also locked into using one of their routers so who's to say they are not monitoring things there too. Basically I've lost all trust and I want to leave.

 

I don't want Vodafone to give me one of these standard BS messages about contacting support or sorry I want to leave. If someone can tell me my rights I'm leaving and I'm taking  Both my broadband connections with me! All traffic from this day forwards is going through my vpn

 

This is a Complete disgrace 

View more options
Moderator

Hi @slacksmeridian if you're within 30 days of your contract, you do have the right to leave. Granted it would be a shame for you to do so, but you can. You'd be charged for the amount of services that you've used up until your final cancellation date. 

 

If you wanted to cancel you'd need to call us on 191 from a Vodafone mobile or another UK number 03333 040 191.

View more options
2: Seeker

Too true mate! You can use Googles DNS servers but who knows, wether they are stil monitoring you

Maybe wireshark might give you an insite in to this

I have unfortunatly gone past my 30 days, but would ignore any charges from vodaphone anyway, as i do not believe that they make it clear in the terms that they would be inserting there own certicate inbetween the request and the reponse (Man in the middle), attack and stop us going to thousands of websites

Vodaphoe are crap

View more options
2: Seeker

I'm also having problems with this since switching to Vodafone.

 

It is unacceptable that Vodafone still pass data through content control even if you disable content control. That is false advertising, as I was told content control could be switched off.

 

It is also ethically wrong to do a man in the middle attack to insert their own security certificates in this way.

 

Why are they still doing this after users have complained for years about this?

 

View more options
1: Seeker

Hi all

 

I've been having this problem for a while. A few days ago I read through this entire thread so understand the problem. As Vodafone have not properly resolved this at all over the few years it appears to have been a problem, I have raised this with Ofcom, the communications regulator, as an issue. 

 

I will update here as this proceeds. 

View more options
3: Seeker

Would be good to know what the policy is with this breach of security.

 

It obviously only applies to certain sites.

 

Ofcom seems to be the only way to go because none of the mods here seem to know.

View more options
Highlighted
3: Seeker

I added the security workaround to Firefox by adding the vodafone certificate. Even that seems to be breaking. I get this error from the proxy server roughly 50% of the time which breaks Imgur files.

 

<<

ERROR The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://i.imgur.com/3SRSVYw.gifv

ICAP protocol error.

The system returned: [No Error]

This means that some aspect of the ICAP communication failed.

Some possible problems are:

  • The ICAP server is not reachable.

  • An Illegal response was received from the ICAP server.


Generated Fri, 14 Dec 2018 08:01:38 GMT by iwffilter.broadband.vodafone.co.uk (squid)

 

>>

 

Please can you stop intercepting websites?

View more options
3: Seeker
View more options
2: Seeker
That's because by adding an exception and taking their dodgy certificate you have accepted a man-in-the-middle attack. They are now routing your traffic through extra servers and software, which is bound to add complexity and further issues. There is practically never any reason to add an exception.
View more options
12: Established

I find this absolutely incredible. It's hard to believe that this is not a bigger story.

For what it's worth i suspect this is something to do with the IWF blacklisting some images on Imgur, and the fact that https obfuscates the URL. So the only way VF can think of to block the specific URLs is to intercept all the traffic to that domain, decrypt it, then re-encrypt it.

But telling people that it's OK to accept certificates that are not valid is dangerous.

I'm gald Vodafone aren't my ISP.

My brain training puzzle site - It's good go look

View more options
2: Seeker
> But telling people that it's OK to accept certificates that are not valid is dangerous. Ignoring all which is abhorrent about the fact this is going on. Teaching people to accept dodgy certificates is down right irresponsible and makes us all less secure.
View more options
3: Seeker

> I added the security workaround to Firefox by adding the vodafone certificate

 

Why would you do this?  You have just compromised your entire chain of trust, if I understand it correctly.  I'm not even sure if you can rectify this by simply removing the certificate, because you can't be sure others have been installed.  Someone with more knowledge can clarify please!

View more options
12: Established

@dm319 wrote:

> I added the security workaround to Firefox by adding the vodafone certificate

 

Why would you do this?  You have just compromised your entire chain of trust, if I understand it correctly.  I'm not even sure if you can rectify this by simply removing the certificate, because you can't be sure others have been installed.  Someone with more knowledge can clarify please!


I don't think it's possible to install a certificate directly from a website without user interaction. At least i can't think of a way to do it. But then the kind of person who is willing to do the VF suggested workaround probably OKs everything.
So i was trying to think of when i had heard of something like this before... Then it came to me, it was when lenovo bundled superfish with their new laptops. This was basically the same thing, they installed a certificate, which was ultimately exploited by hackers to compromise security.
I don't know what the answer is, but it's not this perhaps they should ask litterally any other isp.

My brain training puzzle site - It's good go look

View more options
2: Seeker
The correct work-around is to not use Vodafone DNS servers as they will give you the IP of their MiTM servers instead of the actual domain. One way of doing this is switching to Google DNS. 8.8.8.8 and 8.8.4.4 https://developers.google.com/speed/public-dns/ The more correct work-around is to start a class action lawsuit against Vodafone and if not the UK government.
View more options
3: Seeker

Hi flagpole,

 

Looking through my certificates I have loads of certificates under 'authorities', and a few under 'servers'.  I don't really remember ever adding these manually or agreeing to them - I thought they were added on the basis of a chain of trust?

 

Not a security expert, so I get a bit confused with the details.

View more options
2: Seeker

Just wanted to add that I was having issues with images on websites as well. Imgur was one, but also those hosted at i1.wp.com too. The error message seemed to indicate they were being filtered by Vodafone content control, even though I have that turned off. Solved by changing my router to use Google DNS servers, but it really is ridiculous that this hasn't been solved by Vodafone yet, and the suggestion to call support is ludicrous. I can just imagine trying to explain all this to someone on the end of a phone!

 

In case anyone technical from Vodafone is reading, though:

 

"i1.wp.com uses an invalid security certificate. The certificate is only valid for contentcontrol.vodafone.co.uk The certificate expired on Monday, December 10, 2018, 12:00 PM."

View more options
2: Seeker

For what it's worth, you are correct about this having to do with poorly implemented IWF compliance.

 

As far as the rest of this thread goes, what I will say is this:

 

  • As has been long established, using alternative DNS servers (e.g. Google ones) bypasses the problem, though you're unlikely to hear that from Vodafone customer services as this breaks content control functionality;  I strongly recommend that you do NOT follow instructions to make an exception for the bodged certificates because that is a terrible workaround rather than a solution.

  • I'm still seeing claims that customers need to use the Vodafone router. Whilst that was originally the case for a few months after the product first launched, you are most certainly *not* forced to use the Vodafone router any longer and have not been for quite some time. Just ask for the PPPoE details if you want to use another Openreach-suitable router.

 

As a privacy advocate myself, this is a rare case where I can quite confidently remove my tinfoil hat and say that I do not believe Vodafone is "monitoring" anything meaningful using the Vodafone-branded Huawei routers beyond the usual error management stuff and so on. It is correct that accepting the MitM certificates discussed in this thread means that the associated traffic can be tracked, however using different DNS servers circumvents this completely and I have seen no evidence whatsoever that there is anything nefarious going on within the router. On the contrary, I do not believe for a moment that what Vodafone has in place is anywhere near sophisticated enough to achieve something like that.

 

Ultimately, the rather large problem this thread pertains to is not indicative of malicious intent; rather, it is a symptom of the company's ineptitude as a relatively new ISP (although you'd think they'd have this down after years of supplying business broadband, but never mind).

View more options
3: Seeker

Thanks for your comment pipefan413.  I agree not to ascribe to malice what can be easier blamed on incompetence.  Apologies if that has caused a linguist to be sick.  It's also interesting to see what you have to say about the router.

View more options