Tell HN: Apple Store wifi attempts https MITM
I was at an Apple Store today, where I browsed an https-only website in Chrome, with which I've been interacting in recent weeks from various access points. No issues in Chrome with the cert up until today. Doing so at the Apple Store today, however, invoked a red 'cert invalid'.
I've just checked the site again in Chrome just now, after leaving the Apple Store, and https is back to green.
Based on the facts, it seems that the Apple Store was trying to MITM the connection which Chrome blocked. Does anyone have any info about this?
If someone at Apple can confirm they do not do this, perhaps someone is running a pineapple-type device at that location, or some Apple Store technician has gone off the reservation, or something else?
5 comments
[ 5.2 ms ] story [ 22.2 ms ] thread"Thanks for reporting. However, without details of the certificate or why it was "invalid", it will be difficult to investigate this issue further. Could you return to the Apple Store and get a copy of the invalid certificate and any other details you can gather?"
Otherwise, you come across as abrasive, at a minimum.
It's because I'm used to receiving reports of issues with no (or very little) information that is helpful in actually determining what the real problem is: "The network is slow", "so-and-so can't send e-mail", "Extremely high packet loss" from people who don't understand traceroute, and so on. When I get these nowadays I simply close them out unless the reporter can provide any useful details (which usually has to be pried out of them) so I guess it has just become natural for me to respond that way.
It would be like walking up to an auto mechanic and saying "My car won't start. What's wrong with it?". There are 1,000 reasons why and without some more information it's going to be impossible what the actual cause is.
Someone would have to go to the store in question to investigate further, in any case. Whether I offered the cert here publicly or not won't change that. I've given enough indication of a serious security problem that it merits investigation. Someone is trying to insert their own cert on a particular URL I was visiting when using the Apple Store Kahala Mall wifi.
Whoever performs the investigation can easily look into the specifics of the cert itself. Your response was detrimental to the process in addition to coming across as abrasive, and your follow-up simile related to the mechanic is further insulting. I recognize you are an expert in your field but it's not a way to work with colleagues. I offer this criticism with only the best of intentions, as someone who can well-relate to your line of thinking on such matters.