HTTPS question from someone stupid

[Anonymous User]

When you have a local root certificate installed, it shows up under Developer Tools > Security as being the certificate used to encrypt communications with the site. When this is the case, is the original certificate (what would show up under Developer Tools > Security if there were no local root certificate) even relevant at all anymore?

[Daniel Veditz]

You have a local root certificate installed, AND software or a network device intercepting and modifying the communication. You are not using the certificate you see to communicate "with the site", you are communicating to that software or device, and in turn it is forwarding the communication back and forth with the site after doing whatever job it was set up to do. The site's real certificate is relevant to the communication between the site and the interception software. Hopefully that software is as rigorous about checking the validity of certificates as your browser would be, but sometimes they do a poor job. In the past some have been found that do no checking at all!

You can try some of the tests at https://badssl.com/ to check this out. If you have a decent MITM it won't let you connect with the ones that are in red.

-Dan Veditz

[93m4q...@gmail.com]

Thanks for your response. That pretty much clarifies everything I was wondering (whether the site's original certificate is relevant).

Perhaps Chrome could do some background tests (like to various badssl subdomains) when it detects that MITM software is present, and then alert the user if the MITM software fails to block the connections? The problem with that is that it could generate noise in the form of notifications from MITM software that is working correctly.