60

I'm connected over a café WiFi and received a warning from my mobile browser. When I looked further, it seems like the certificate is only valid for one day, which seems super suspicious.

[image: browser warning certificate details]

It says Imgur on it, but then why is it flagged up and why is it only valid for one day?

Here is the same certificate while using a friend's hotspot/data:

[image: certificate details on data]

I've not found another certificate that's affected.

Makyen
AncientSwordRage
  • I would inform the café. If they have this set up themselves, they should be told that they're undermining network security by doing so. If not, then it makes them aware someone is launching attacks in their café. – jpmc26 May 06 '18 at 01:00
  • @jpmc26: If you tell the cafe that they are "undermining network security," they are going to look at you like you just arrived from Mars. Better to say something like "Hey, why does my internet never work at your cafe?" - because then they can figure out the problem on their own time without you having to go blue in the face explaining how the world works. – Kevin May 06 '18 at 02:19
  • @Kevin I take as a given that you would choose wording appropriate for the listener. "I get security warnings whenever I use your network. Do you guys have this configured yourselves? Because it's making your network insecure if so. If not, there might be a hacker in here trying to trick people. You should talk to your IT." Or whatever. You get the idea. Saying it "doesn't work" is just going to make them think something is wrong with your computer, since you can absolutely bypass these sorts of warnings and access the internet just fine. – jpmc26 May 06 '18 at 02:23
  • @jpmc26: But if you start talking about security, their brain will turn off and they'll feed you some marketing line about how the MitM is "for your security." The trick is to play dumb. "I can't use your internet." -> "Oh, let me see your device." -> "Well, the internet always works at [competitor]. Why can't you make it work like theirs does?" -> etc. – Kevin May 06 '18 at 02:32
  • @Kevin A cashier or manager at a café isn't going to know what in the heck you're talking about anyway (unless they're working part time while getting a degree in some IT field). The goal is to get them to complain to their IT people who set this nonsense up in the first place. "Your network is insecure," is hopefully scary enough to make them do so. If not, there's nothing you can do anyway. – jpmc26 May 06 '18 at 02:33
  • @jpmc26: Yes, that's my point. "A customer told me the internet is broken" -> call IT. "A customer told me that our network is insecure" -> tell Facebook how rude customers are these days and ignore the problem. – Kevin May 06 '18 at 02:36
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/77104/discussion-between-jpmc26-and-kevin). – jpmc26 May 06 '18 at 02:37
  • Possible duplicate of [Is Starbucks spoofing me?](https://security.stackexchange.com/questions/184586/is-starbucks-spoofing-me) – Jon May 06 '18 at 16:29
  • This is a textbook case for using a VPN. – Rui F Ribeiro May 07 '18 at 02:58
  • @RuiFRibeiro: Of course, if the traffic is aggressively filtered like this, chances are VPN traffic will be blocked, too. – sleske May 08 '18 at 07:34

3 Answers

87

This isn't one of Imgur's certificates.

Certificate Transparency logs

Certificate Authorities must report all certificates they generate to transparency logs, which are public databases. This allows user-agents, like Chrome, to check that this certificate can be audited by the website's owner.

According to the following certificate transparency search tools, this certificate was not logged, and such a short lifetime is not usual for Imgur:

DNS Filter

According to the error messages, this certificate hasn't been issued by a valid certificate authority, so you can't trust the issuer.

The issuer claims to be "DNSFilter".

DNSFilter is a proxy used to filter requests, and it also tries to proxy HTTPS requests, so it generates a self-signed certificate for every domain.

Since you can't trust the issuer, you can't be sure that the certificate comes from the real DNSFilter product. Anyone could be impersonating it.


It's safe to assume that this is not a legit certificate for Imgur.

The exact reason for such a short lifetime for the certificate is unknown.

Benoit Esnard
  • They don't have to report the certificates, at least not yet. Only EV certificates must be included in CT logs. There is also no way to validate whether the certificate was indeed created by DNS Filter, or whether it is an attacker trying to confuse the user into trusting the certificate despite it not being valid. – Peter Harmann May 06 '18 at 00:46
  • @PeterHarmann: DNSFilter **is an attacker trying to confuse the user**. – R.. GitHub STOP HELPING ICE May 06 '18 at 13:23
  • @R.. Okey but DNSFilter is not inserting malware or stealing banking information. So while it is an attacker per-se, it is an attacker many people may be OK with. – Peter Harmann May 06 '18 at 13:29
  • @PeterHarmann: If they login to imgur, it's stealing their credentials to the site (at least an auth token, maybe login/password if they're logged out and have to log back in) and potentially handling them in an insecure way where a third party may easily obtain access. It's also enabling yet another third party to just MITM the connection on top of their MITM and steal the credentials directly. So it is **trying to confuse the user** into doing something that puts them at significant risk. – R.. GitHub STOP HELPING ICE May 06 '18 at 13:31
  • @R.. Is that not what I wrote in my answer? That this can't be distinguished from a different attacker? Yes, this is certainly not a good thing and should not be trusted, but the intent is not malicious, even if the execution is horrendous. – Peter Harmann May 06 '18 at 13:34
  • @PeterHarmann: The "It's also..." part, yes, it's what you said in your answer. But the first half and the "So it is..." are all establishing further reasons why this is an attack and an attempt to confuse the user. – R.. GitHub STOP HELPING ICE May 06 '18 at 13:35
  • @PeterHarmann: according to [this post](https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/wHILiYf31DE), all certificates must be logged since April 2018. You can also check https://invalid-expected-sct.badssl.com/ in Chrome to check that Chrome now requires all certificates to be logged. – Benoit Esnard May 06 '18 at 15:12
  • @PeterHarmann: also, thanks for pointing out the issuer impersonation, I added it in the answer. – Benoit Esnard May 06 '18 at 15:13
  • @BenoitEsnard welp. I have no idea how I missed that. Thanks for the correction. – Peter Harmann May 06 '18 at 15:15
  • The reason the certificate has a short lifetime is to mitigate one of the security risks of MITMing users, namely that the MITM certs' private key is generally more vulnerable. This way if the MITM's private key is stolen it's only good for one day. – President James K. Polk May 06 '18 at 15:20
  • To me it feels like the AP in the cafe might be run by a third party hotspot company and they are using their own certs to be able to look into encrypted traffic for... whatever reasons. It can happen in hotels as well. I would recommend him a good VPN provider [privacytools.io] – user31925 May 06 '18 at 18:43
  • I'd like to point out that I had a case where one of my certificates did not show up on crt.sh for 24 hours after it was issued. For recently issued certificates crt.sh is an unreliable source. – Andrew Savinykh May 07 '18 at 02:13
  • @user31925 it's also possible they're using their own certs to enact a captive portal. They can't issue a redirect on an https request without intercepting it, so rather than either freely pass https traffic (offering a convenient bypass of the CP) or block it entirely until the portal validation has occurred, it seems they may have taken the tack of intercepting the connection to try to issue a CP redirect. Don't *know* if this is the case, but for a café this seems plausible. "Never attribute to malice that which can be adequately explained by stupidity, but don't rule out malice" – Doktor J May 07 '18 at 20:57
  • @DoktorJ: Yes, apparently that is the reason. [DNSFilter's docs](https://help.dnsfilter.com/article/101-deploy-ssl-certificate-using-active-directory) say: "Installation of the DNSFilter SSL Root certificate is required in order to access block pages via HTTPS. Without the certificate installed, a certificate error will display instead of a block page." – sleske May 08 '18 at 07:41
  • @IMSoP: I've reworded it, based on your comment! Thanks. – Benoit Esnard May 08 '18 at 12:36
66

This is apparently an MITM attack. Someone is trying to intercept the connection.

Whether it is a malicious third-party attacker or the cafe trying to filter content/insert advertisements (relatively harmless) is impossible to say for sure. While the certificate claims to be issued by DNS Filter, it is impossible to say, whether it really was. Anyone can create a certificate with the name claiming to be "DNS Filter", and the certificate is not signed by anyone, so you can't trust what it says. It may have been really created by DNS Filter, but it also could be a malicious attacker trying to gain trust by using a recognizable name. You should NOT assume it was really created by DNS Filter.

Either way, that is certainly not a genuine imgur certificate.

Peter Harmann
  • Re: "Whether it is a malicious one or the cafe trying to filter content/insert advertisements is impossible to say for sure": Obviously some things are (much) worse than others, but if the café is intercepting third-party content in order to filter it or insert advertisements, I'd consider that at least *somewhat* malicious: they must realize that neither the customer nor the site is expecting them to do this, and may not even realize after-the-fact that it's happened. – ruakh May 06 '18 at 02:05
  • @ruakh true. But I did not know how else to put it. It is a bit different for the cafe to insert ads in exchange for the wifi or block access to some sites they don't like and an attacker stealing your passwords. – Peter Harmann May 06 '18 at 02:07
  • @ruakh this is highly malicious because it totally breaks all security provided by HTTPS. The certificate between the "DNS filter" box and the target site is not passed through to the client, enabling the possibility of a 2nd MITM after the filter box, with no way for the client to detect this, even if you decide that the box itself is not explicitly malicious. – alex.forencich May 06 '18 at 04:32
  • @alex.forencich: Please keep [Hanlon's razor](https://en.wikipedia.org/wiki/Hanlon%27s_razor) in mind. Even if something has very negative consequences, that doesn't necessarily mean it's very malicious in intent. – ruakh May 06 '18 at 06:26
  • MITM is **always malicious**. – R.. GitHub STOP HELPING ICE May 06 '18 at 13:24
  • @R.. That is arguably not true, what about corporate firewalls that do MITM to filter malware and phishing and also prevent data theft? It would be hard to argue these are malicious... – Peter Harmann May 06 '18 at 13:30
  • @PeterHarmann: They are malicious unless employees are explicitly forbidden from doing anything personal from work machines (e.g. logging into personal email), and unless such a rule is actively enforced, since employees generally don't and can't be expected to understand the threats MITM entails to their privacy and safety. – R.. GitHub STOP HELPING ICE May 06 '18 at 13:34
  • @R.. Unless they distrust their employer, it is usually not that much of a problem. These solutions are usually automated, so humans don't really see the data. And I am pretty sure in most countries, these must be disclosed to the employees. – Peter Harmann May 06 '18 at 13:37
  • Disclosure != understanding of scope of consequences. Further, even if employees did genuinely consent to having their access MITM'd, the sites they're accessing did not, and almost all have ToS that forbids disclosing your credentials to a third party. – R.. GitHub STOP HELPING ICE May 06 '18 at 13:38
  • @R.. But that is then on the users to not break the ToS. The employer needs these precautions and IMO it is nice from them to allow personal access with the understanding it is monitored and let the employees decide whether they trust the employer and with what kinds of data. – Peter Harmann May 06 '18 at 13:43
  • @BradleyUffner: For the purpose of not being overly verbose when discussing ethics/malice in this area, I define MITM in terms of actual parties involved; in this sense it's not MITM if the interceptor and user whose connection is intercepted are the same person. Of course that's different from a technical definition because you need different concepts for social/ethical/legal issues than for technical issues. – R.. GitHub STOP HELPING ICE May 07 '18 at 15:00
  • @R.. That was an issue at my previous (DoD contractor) employer. When the contracting office for one of the company's major programs discovered that *.gov and *.mil were being MITMed (banking and healthcare were on a non-MITM whitelist) they flipped out and threatened an immediate stop work or similar if the configuration wasn't changed immediately. Very shortly thereafter, the internal whitelist had 3 categories not being snooped (nominally for data ex-filtration). – Dan Is Fiddling By Firelight May 08 '18 at 15:15
  • If there's one thing the last few years have taught the world, it's that Hanlon's false dichotomy is severely wanting. – Jon Hanna May 09 '18 at 15:59
28

Is this certificate valid

No, it is generated on the fly by DNSFilter or an attacker pretending to be DNSFilter performing an MITM attack.

Why is this certificate being presented

DNSFilter allows monitoring network usage, and blocking sites, but when it blocks a site it wants to show an error message, so if the traffic is encrypted it needs to be able to decrypt it, which it can only do by either:

  • Having the original certificate
  • Making a new certificate

Why is there a warning

As the new certificate is not trusted by your machine you get a warning. This is true in both cases, an attacker CA would be untrusted, but so would the DNSFilter CA.

Why is the certificate only valid for a day

There are many reasons this could be, but a major one is trying to reduce the risk each individual certificate poses if it is leaked. The idea is that as long as the root cert is kept safe, then even if a site cert leaks, it is only trusted by devices that trust the CA.

As the certificates are generated on the fly there is no issue with the regular re-issuance that this requires.

Is SSL interception a good idea?

SSL interception is generally a very bad idea, for many reasons:

  • Sensitive data may be logged by the intercepting device
  • The keys may be the same for all devices, so anyone can intercept with a copy of the master key
  • The key may be gained from the device, leading to anyone being able to intercept
  • EV certificates are downgraded to standard certificates
  • Applications using pinning will not work with the changed certificate

There are some cases where it is acceptable, when absolutely necessary, but these do not apply for public WiFi, where you do not really trust the hotspot operator.

jrtapsell
  • Going by the DNSFilter website, it is possible that they do not normally proxy HTTPS connections but that the coffee shop has configured it to block imgur and tries to show an error page. – Carsten S May 06 '18 at 17:28
  • @CarstenS Yeah, that's most likely, since OP said that he didn't have this issue with other websites. – FINDarkside May 07 '18 at 11:52
  • You cannot assert that "it is generated on the fly by DNSFilter" from the information provided. It might as well be an actual MITM attacking the users of that cafe. – jjmontes May 07 '18 at 15:34
  • Added about the possibility of being an MITM attack – jrtapsell May 07 '18 at 16:17
  • Also amended, it seems they use the VIP way of enforcing safe search – jrtapsell May 07 '18 at 16:22
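The checks that Benoit Esnard's answer (issuer not in the trust store, no Certificate Transparency evidence) and jrtapsell's answer (a certificate minted on the fly with a one-day lifetime, a warning that disappears only once the interception root is installed, as the DNSFilter docs quoted by sleske say) describe in prose can be run against a certificate in code. The Go program below is an added example written for this page; it is not code from DNSFilter, Imgur or any of the answerers. It constructs its own stand-in root and leaf using only Go's standard crypto/x509 package; the names "DNSFilter (constructed test root)" and "imgur.com" and the key pairs are constructed test values, not anyone's real keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// OID of the embedded SCT list extension (RFC 6962, section 3.3): the CT evidence a publicly
// issued certificate normally carries and one minted on the fly by an interceptor cannot.
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// Finding is what a client can learn from the presented leaf plus its own trust store.
type Finding struct {
	Issuer            string        // the name the issuer field claims; not evidence by itself
	Lifetime          time.Duration // NotAfter minus NotBefore
	HasEmbeddedSCTs   bool          // Certificate Transparency evidence inside the certificate
	ChainsToTrustedCA bool          // path validation against the trust store succeeded
	IssuerUntrusted   bool          // the failure was specifically an unknown authority
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// constructedInterceptCert builds a stand-in for the certificate in the question: a private
// root whose name merely claims to be "DNSFilter" signs a 24-hour leaf for imgur.com. Both are
// constructed test artefacts, not DNSFilter's or Imgur's real keys. Returns (leaf, root).
func constructedInterceptCert() (*x509.Certificate, *x509.Certificate) {
	now := time.Now().UTC().Truncate(time.Second)
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "DNSFilter (constructed test root)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	root, err := x509.ParseCertificate(caDER)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	notBefore := now.Add(-time.Minute)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "imgur.com"},
		DNSNames:     []string{"imgur.com"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(24 * time.Hour), // the one-day lifetime seen in the question
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	return leaf, root
}

// auditLeaf runs the client-side checks the answers describe, trusting only the given roots.
func auditLeaf(leaf *x509.Certificate, roots *x509.CertPool, host string) Finding {
	f := Finding{
		Issuer:   leaf.Issuer.CommonName,
		Lifetime: leaf.NotAfter.Sub(leaf.NotBefore),
	}
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidSCTList) {
			f.HasEmbeddedSCTs = true
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	f.ChainsToTrustedCA = err == nil
	var unknown x509.UnknownAuthorityError
	f.IssuerUntrusted = errors.As(err, &unknown) // the warning the phone showed
	return f
}

func main() {
	leaf, root := constructedInterceptCert()
	// An empty pool stands in for the phone's trust store, which lacks the interception root ...
	fmt.Printf("%+v\n", auditLeaf(leaf, x509.NewCertPool(), "imgur.com"))
	// ... and installing that root, as the vendor docs ask, is exactly what silences the warning.
	installed := x509.NewCertPool()
	installed.AddCert(root)
	fmt.Printf("%+v\n", auditLeaf(leaf, installed, "imgur.com"))
}
```

Run as-is it prints two findings. Against the empty pool, validation fails with an unknown authority, no SCTs are present, and the issuer string says "DNSFilter" without that proving anything; the `Lifetime` field shows the 24-hour validity either way. With the root added to the pool the same leaf validates cleanly, which is the point both answers make: installing a vendor's root certificate is the decision to let whoever holds that root's key read every HTTPS session, and an attacker using the same name is indistinguishable from the vendor until a trust decision is made.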