
enginous | 13 years ago

Nope, you're right. The ISP would have to install the CA certificate on every device on the network, which is a nontrivial task.

Furthermore, if the ISP has done that, they don't need you to go through a proxy. Your connection is already going directly through them.

Edit: However (as you can see by some of the responses in this thread), there's certainly the possibility that your ISP itself is an actual certificate authority recognized by browsers. That scenario is indeed quite worrying.


bonaldi|13 years ago

It's also a pretty trivial task if you control the user's routers and can give them installation disks to make "the internet work". As corporate and university wifi shows, people will willingly accept new certificates required to join hotspots; they'll also do it on their desktops without blinking.

enginous|13 years ago

Indeed, although I don't agree "internet-enabling software" is trivial in terms of engineering and support costs, considering the range of devices today. But mostly I just wanted to clarify on the point that interception is not fully transparent: that the ISP does need to compromise every device that connects to the network.

But I do agree with your original point that to the extent possible, there should be legislation (if there isn't already) against intercepting TLS-encrypted connections of ISP customers, in cases where the ISP is also a browser-approved CA or is actually willing to distribute its own CA cert.