Lost In Cyberia, posted July 12, 2014:
Hey everyone. I was at my local Starbucks, which has open free wifi, and I (against my better judgement) decided to check my school email. I was using their wifi network. When I went to log in, I was presented with the Safari prompt "Can not Verify Server identity". I clicked 'details' and apparently Safari does not trust the *.njit.edu certificate. The signing authority is DigiCert. Now what's odd is that if I switch to 3G, using the 3G network, Safari has absolutely no problem accepting it, and doesn't prompt me or anything. So what's the deal? I've done this multiple times, in multiple locations. Any ideas?
cooper, posted July 12, 2014:
Could it be that you were asking for an https site and the AP did an MITM, where it has legit traffic with the site via the official cert and you have traffic with the access point that uses its own private cert as CA cert for that domain? You often see this in large corporations and trust institutions (banks, government, ...) where this MITM approach allows the proxy server to see all the traffic in plain text, allowing it to get logged (CYA / network auditing policy) and allowing the proxy to cache the response, allowing better performance.
Lost In Cyberia (author), posted July 14, 2014:
Thanks for the reply! This is a possibility. So let me see if I got this right. The AP forwards the request to my school to its outward-facing router. The router gets the real certificate and hands it off to the AP to give to me. The AP though then presents me with a 'middle' certificate, possibly signed by itself? Does this in effect sidestep SSL? Because I'd be presented with a cert NOT from my school, but from the AP? Wouldn't this mean though that this would invalidate ANY SSL cert? I have to go back there to test and to take a screenshot of the image. This seems to only happen at that Starbucks.
cooper, posted July 14, 2014:
It's as clean an MITM as you can get, but the client (i.e. your phone) knows the difference because the cert, while valid, isn't one you've chosen to trust on your phone (yet), which is why you get the prompt. You could easily test this by testing with other sites. The cert that is presented to you for each site will likely have the same CA certificate path (at least a fair chunk identical) as all the other secure locations you try to access.
Lost In Cyberia (author), posted July 17, 2014:
I actually got to the bottom of this. Very anticlimactic though. So as it turns out my initial description was wrong. Even on 3G data I'd still get a certificate not valid. So I'm assuming that the Apple certificate store's list of trusted CAs doesn't include the one who signed my school's cert (DigiCert). I don't know why they wouldn't trust DigiCert, they seem like a pretty popular and reputable CA to me... Cooper, if you're still with me, is there any way to test other DigiCert-signed certs on my phone? Without randomly picking SSL sites and hoping that one is signed by DigiCert?
cooper, posted July 17, 2014 (edited):
Gah. I'd have to look into that. Not sure if you can walk up to a CA and ask who they sign for... Edit: Couldn't find such a thing, but I did find this: http://www.sslshopper.com/digicert-certificate-authority-reviews.html Note that a number of the reviews include URLs which, when accessed using https, will more often than not provide a DigiCert-signed certificate.
Edited July 17, 2014 by Cooper
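The two checks discussed in this thread (cooper's "do all sites show the same CA path?" test, and the later question of whether a particular issuer is trusted at all) can be done from a laptop on the same wifi with the Python standard library. The script below is an added example, not code from anyone in the thread: it connects to each host with full verification against the system trust store, records either the issuer of the validated certificate or the verification failure, and groups hosts by that result; the host list and the "all hosts land in one group" heuristic are my assumptions.

```python
"""Probe several HTTPS hosts and group them by certificate issuer or validation failure."""
import socket
import ssl
from collections import defaultdict


def issuer_name(cert):
    """Flatten the 'issuer' field of ssl.SSLSocket.getpeercert() into one string.
    getpeercert() returns issuer as a tuple of RDNs, each a tuple of (type, value) pairs."""
    parts = []
    for rdn in cert.get("issuer", ()):
        for attr_type, value in rdn:
            parts.append(f"{attr_type}={value}")
    return ", ".join(parts)


def fetch_peer_cert(host, port=443, timeout=5):
    """Connect with hostname check and chain validation against the system trust store.
    Returns (cert_dict, None) on success or (None, reason) when the handshake or validation fails."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message  # e.g. "self signed certificate in certificate chain"
    except (OSError, ssl.SSLError) as exc:
        return None, str(exc)


def group_by_issuer(results):
    """results: {host: (cert_dict or None, reason or None)} -> {group key: [hosts]}.
    Hosts whose validation failed are grouped under 'UNVERIFIED: <reason>'."""
    groups = defaultdict(list)
    for host, (cert, reason) in results.items():
        key = issuer_name(cert) if cert else f"UNVERIFIED: {reason}"
        groups[key].append(host)
    return dict(groups)


def interception_suspected(results, min_hosts=3):
    """Heuristic (assumption): unrelated sites normally chain to different issuers, so when every
    probed host fails the same way, or every host shares one issuer, an on-path proxy is the
    likelier explanation than each site being independently broken."""
    if len(results) < min_hosts:
        return False
    return len(group_by_issuer(results)) == 1


if __name__ == "__main__":
    # Constructed host list: the school domain from the thread plus two well-known sites.
    hosts = ["www.njit.edu", "www.digicert.com", "www.apple.com"]
    probed = {h: fetch_peer_cert(h) for h in hosts}
    for key, members in group_by_issuer(probed).items():
        print(f"{key} -> {', '.join(members)}")
    print("interception suspected:", interception_suspected(probed))
```

Run it once on the suspect wifi and once on a known-good connection; a single "UNVERIFIED" group on one network only points at that network, while the same failure on both points at the trust store of the client, which is what the thread ended up finding.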