MITM on HTTPS Traffic
I use Vivaldi browser on my office laptop (running Windows 10). Recently I noticed that for some websites the certificate is issued by the company I work for (signed by the company certificate).
Example: for https://duckduckgo.com
issued to: duckduckgo.com
issued by: *.XXXX.corp.XXX.XX
MITM does not happen for all websites. Only for certain websites.
Bank and Finance related websites are excluded. And for some tech news or blog sites MITM does not happen as well (not sure why)
For example, MITM does not happen for https://www.techspot.com/
I noticed the certificate is issued by "Let's Encrypt authority" and not the company certificate
I also noticed the company certificates are added to "Trusted Root Certification Authorities"
I cannot delete them since I do not have the permission and I might violate some company policies
Currently I use Firefox browser and MITM does not happen for 99% of websites. It happens only for very few sites
Is it because Firefox comes with its own trusted certificates and does not rely on certificates installed in Windows 10?
Also Vivaldi browser does not provide any security Warning when MITM is happening.
But Firefox browser displays a warning every time MITM occurs "Did Not Connect: Potential Security Issue"
Using a VPN solution and proxy sites is ruled out, since the company blocks them via web filtering
There are many restrictions on my laptop (like no local Admin rights for my account) and many security / monitoring solutions are constantly running in the background
I have to use the company corporate network for internet. Now I try not to visit certain sites that deal with my data
Are there any workarounds or options within Vivaldi browser that I can use to bypass this MITM issue?
Your company filters some traffic by a security appliance or installed software on your laptop.
If the company's signed certificates are in Windows Trusted Root Certificates, Vivaldi cannot warn about/detect any MITM, because your company's certs are trusted.
As Vivaldi does not use an extra certificate store, you cannot do anything.
FF has 2 advantages with certificates.
One is, as you say, it uses its own cert store, and second, it will be trying to check for the revocation status and hard-failing if it cannot.
You can enable this in IE and Chromium browsers but it needs to be done in the registry or via group policies.
No browsers have the ability to detect MITM interference, because browser vendors won't add DANE validation, because site owners don't use or configure DNSSEC properly, because no browsers support DANE, because....
...as you see it is a cyclic argument.
It also relies on clients also using a DNSSEC resolver.
Perhaps you could use a search engine they have not added to their list such as searx.me or one of its mirrors. It has a proxy option like startpage, but you shouldn't use it for logging into anything.
@Dr-Flay If it is a Firefox Enterprise the MITM certs will be added in Firefox's cert store from Windows cert store and you will not get any warnings.
Thanks for all replies. I noticed all search engines are MITM by the company.
Firefox was able to warn me of MITM when it happens. But I'm glad MITM does not happen for most of the sites I visit.
I checked and the company certificate is not added to the Firefox certificate store. I hope it stays like that.
Does Vivaldi have any future plans to have its own certificate store?
I will make a feature request as well
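
As an added example, not written by anyone in this thread: Python that reads the issuer of the certificate the network presents for each host and flags the hosts being re-signed, the same check the original poster did by hand in the browser. The `.corp.` marker and the sample certificates are assumptions constructed from the redacted issuer quoted above.

```python
import socket
import ssl

# Assumption: substrings that identify the inspecting CA in the issuer name.
# ".corp." follows the redacted issuer quoted in the thread; adjust locally.
CORPORATE_MARKERS = (".corp.",)

def issuer_fields(cert):
    """Flatten the nested 'issuer' RDN tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate the network presents for host."""
    # On Windows the default context trusts the system ROOT/CA stores, so a
    # chain ending in a company root validates here without any warning,
    # just as it does in a browser that relies on the Windows store.
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def classify(cert, markers=CORPORATE_MARKERS):
    """Label a certificate 'inspected' when its issuer matches a marker."""
    issuer = issuer_fields(cert)
    names = " ".join(issuer.values()).lower()
    label = "inspected" if any(m in names for m in markers) else "direct"
    return label, issuer.get("commonName") or issuer.get("organizationName", "?")

def survey(certs_by_host, markers=CORPORATE_MARKERS):
    """Map each host to (label, issuer name) for a dict of host -> cert."""
    return {host: classify(cert, markers) for host, cert in certs_by_host.items()}

# Constructed sample data shaped like getpeercert() output (not captured traffic).
SAMPLE = {
    "duckduckgo.com": {"issuer": ((("commonName", "*.XXXX.corp.XXX.XX"),),)},
    "www.techspot.com": {"issuer": ((("countryName", "US"),),
                                    (("organizationName", "Let's Encrypt"),),
                                    (("commonName", "Let's Encrypt Authority"),))},
}

if __name__ == "__main__":
    for host, (label, issuer) in survey(SAMPLE).items():
        print(f"{host:20} {label:10} issuer={issuer}")
    # Live check on the current network: survey({h: fetch_cert(h) for h in hosts})
```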