4

I recently installed a custom CA certificate from a trusted authority to access some blocked resources. Android popped up with a message "The network can be monitored".

This made me question what can be monitored and whether it would have any impact on other private networks I connect to. I also connect to a trusted Wi-Fi network to access some resources. This network blocks most other services except for resources on their app.

If this gets confusing feel free to comment for more information.

Thanks

Dexter

2 Answers

2

When you install the certificate, you permit the service running on your phone to use it in order to technically MitM your traffic - it can decrypt the traffic before you see it, edit it, send it to another server, inject scripts - anything and still make it seem valid to your browser since it re-signs the data with its own certificate that you manually installed. This is the warning that you get - Android is just warning you to be cautious when having the certificate installed since you can't trust what you see on your screen to be untampered with.

thel3l
  • That's a case of worry since the device is private and I would not want to have any MitM on when accessing the resource with my private network. Is there any way we can monitor or restrict the usage of this certificate per network? – Dexter Mar 30 '17 at 11:27
2

The issue here is, by installing a root certificate, you're telling your device that whoever holds the certificate's private key, and is capable of issuing further certificates, is worthy of trust in matters of whether any SSL-encrypted service is genuine. If you're sure you hold the only copy of the private key, presence of such a certificate does not immediately give other people any additional access. (However, stealing the private key from you may be cheaper for a sufficiently determined adversary than stealing one from a professional certification agency.) However, if you're installing a root certificate that comes from somebody else, such as an employer, you're giving them the ability to issue false certificates that your device will consider true, and that's where the risk of MitM and related monitoring comes from.

Note that the certificates apply to all SSL-encrypted services, not just websites. In particular, I would point out that SSL is nowadays widely used for email, including IMAPS/POPS access to remote mailboxes.

dig
  • So the custom root certificate actually exposes the device to being monitored and traffic can be sniffed. Am I correct? – Dexter Apr 03 '18 at 09:16
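The trust decision described in the second answer can be checked with a small model. This is an added example, not code from either answer. It uses the Python `cryptography` package; the root names, host names and keys are all constructed, and `vouching_root` is a hypothetical helper that checks only the issuer name and signature of a one-level chain (no expiry or host-name validation).

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    """Constructed test certificate for `cn`, signed with `issuer_key`."""
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=1))
         .not_valid_after(now + dt.timedelta(days=30))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if not is_ca:  # leaf: bind the certificate to a host name
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def vouching_root(leaf, trust_store):
    """Return the CN of the stored root whose key signed `leaf`, or None."""
    for root in trust_store:
        if root.subject != leaf.issuer:
            continue
        try:
            root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                     ec.ECDSA(leaf.signature_hash_algorithm))
        except InvalidSignature:
            continue
        return root.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return None

def demo():
    # Both roots are constructed stand-ins: one preinstalled, one added by the user.
    pub_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    pub_root = make_cert("Public Root", pub_key, "Public Root", pub_key, True)
    user_root = make_cert("User-Installed Root", user_key, "User-Installed Root", user_key, True)
    results = {}
    for host in ("www.bank.example", "imap.mail.example"):  # web and IMAPS alike
        leaf = make_cert(host, ec.generate_private_key(ec.SECP256R1()),
                         "User-Installed Root", user_key, False)
        results[host] = (vouching_root(leaf, [pub_root]),
                         vouching_root(leaf, [pub_root, user_root]))
    return results
```

Each result pair is (before install, after install): the same certificate is rejected by the original store and accepted once the extra root is present, for any host name and any TLS service. Reporting which root vouched for a connection is also how a client can notice that a service it expected to chain to a public CA is instead being vouched for by the added root.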