Pay monthly

So. I've been with Vodafone less than a month, what are my rights here, I've read all 9 pages of this complete shambles and I knew something was very fishy when I saw the certificate in my browser. 

I see some people mention a one month cooling period?

I'll be honest I know you can change the Dns and I normally do  but I'm also locked into using one of their routers so who's to say they are not monitoring things there too. Basically I've lost all trust and I want to leave.

I don't want Vodafone to give me one of these standard BS messages about contacting support or sorry I want to leave. If someone can tell me my rights I'm leaving and I'm taking  Both my broadband connections with me! All traffic from this day forwards is going through my vpn

This is a Complete disgrace 

Hi @slacksmeridian if you're within 30 days of your contract, you do have the right to leave. Granted it would be a shame for you to do so, but you can. You'd be charged for the amount of services that you've used up until your final cancellation date. 

If you wanted to cancel you'd need to call us on 191 from a Vodafone mobile or another UK number 03333 040 191.

Too true mate! You can use Googles DNS servers but who knows, wether they are stil monitoring you

Maybe wireshark might give you an insite in to this

I have unfortunatly gone past my 30 days, but would ignore any charges from vodaphone anyway, as i do not believe that they make it clear in the terms that they would be inserting there own certicate inbetween the request and the reponse (Man in the middle), attack and stop us going to thousands of websites

Vodaphoe are crap

I'm also having problems with this since switching to Vodafone.

It is unacceptable that Vodafone still pass data through content control even if you disable content control. That is false advertising, as I was told content control could be switched off.

It is also ethically wrong to do a man in the middle attack to insert their own security certificates in this way.

Why are they still doing this after users have complained for years about this?

Hi all

I've been having this problem for a while. A few days ago I read through this entire thread so understand the problem. As Vodafone have not properly resolved this at all over the few years it appears to have been a problem, I have raised this with Ofcom, the communications regulator, as an issue. 

I will update here as this proceeds. 

Would be good to know what the policy is with this breach of security.

It obviously only applies to certain sites.

Ofcom seems to be the only way to go because none of the mods here seem to know.

I added the security workaround to Firefox by adding the vodafone certificate. Even that seems to be breaking. I get this error from the proxy server roughly 50% of the time which breaks Imgur files.

<<

PS. Actual URL would obviously be

https://i.imgur.com/3SRSVYw.gifv

I find this absolutely incredible. It's hard to believe that this is not a bigger story.

For what it's worth i suspect this is something to do with the IWF blacklisting some images on Imgur, and the fact that https obfuscates the URL. So the only way VF can think of to block the specific URLs is to intercept all the traffic to that domain, decrypt it, then re-encrypt it.

But telling people that it's OK to accept certificates that are not valid is dangerous.

I'm gald Vodafone aren't my ISP.

> I added the security workaround to Firefox by adding the vodafone certificate

Why would you do this?  You have just compromised your entire chain of trust, if I understand it correctly.  I'm not even sure if you can rectify this by simply removing the certificate, because you can't be sure others have been installed.  Someone with more knowledge can clarify please!

---

@dm319 wrote:

> I added the security workaround to Firefox by adding the vodafone certificate

 

Why would you do this?  You have just compromised your entire chain of trust, if I understand it correctly.  I'm not even sure if you can rectify this by simply removing the certificate, because you can't be sure others have been installed.  Someone with more knowledge can clarify please!

---

Hi flagpole,

Looking through my certificates I have loads of certificates under 'authorities', and a few under 'servers'.  I don't really remember ever adding these manually or agreeing to them - I thought they were added on the basis of a chain of trust?

Not a security expert, so I get a bit confused with the details.

Just wanted to add that I was having issues with images on websites as well. Imgur was one, but also those hosted at i1.wp.com too. The error message seemed to indicate they were being filtered by Vodafone content control, even though I have that turned off. Solved by changing my router to use Google DNS servers, but it really is ridiculous that this hasn't been solved by Vodafone yet, and the suggestion to call support is ludicrous. I can just imagine trying to explain all this to someone on the end of a phone!

In case anyone technical from Vodafone is reading, though:

"i1.wp.com uses an invalid security certificate. The certificate is only valid for contentcontrol.vodafone.co.uk The certificate expired on Monday, December 10, 2018, 12:00 PM."

For what it's worth, you are correct about this having to do with poorly implemented IWF compliance.

As far as the rest of this thread goes, what I will say is this:

• As has been long established, using alternative DNS servers (e.g. Google ones) bypasses the problem, though you're unlikely to hear that from Vodafone customer services as this breaks content control functionality;  I strongly recommend that you do NOT follow instructions to make an exception for the bodged certificates because that is a terrible workaround rather than a solution.
  
  
• I'm still seeing claims that customers need to use the Vodafone router. Whilst that was originally the case for a few months after the product first launched, you are most certainly *not* forced to use the Vodafone router any longer and have not been for quite some time. Just ask for the PPPoE details if you want to use another Openreach-suitable router.

As a privacy advocate myself, this is a rare case where I can quite confidently remove my tinfoil hat and say that I do not believe Vodafone is "monitoring" anything meaningful using the Vodafone-branded Huawei routers beyond the usual error management stuff and so on. It is correct that accepting the MitM certificates discussed in this thread means that the associated traffic can be tracked, however using different DNS servers circumvents this completely and I have seen no evidence whatsoever that there is anything nefarious going on within the router. On the contrary, I do not believe for a moment that what Vodafone has in place is anywhere near sophisticated enough to achieve something like that.

Ultimately, the rather large problem this thread pertains to is not indicative of malicious intent; rather, it is a symptom of the company's ineptitude as a relatively new ISP (although you'd think they'd have this down after years of supplying business broadband, but never mind).

Thanks for your comment pipefan413.  I agree not to ascribe to malice what can be easier blamed on incompetence.  Apologies if that has caused a linguist to be sick.  It's also interesting to see what you have to say about the router.