Invalid certificate errors

envo

sup guys; so recently we've had idiots who use LTE routers lose internet connection, then try to browse our website and complain about invalid certificate errors on our Facebook page.

these LTE routers lose connectivity, but instead of ending the connection, they proxy the request to their internal http server to show the signal strength.... and that is what is causing the certificate error, because instead of redirecting, they proxy the request and still show our domain name.

Is there an effective way to somehow stop that from happening so I can stop wasting my ****ing time with end-user problems with internet connectivity?
 
It sounds like there is SSL inspection happening, or a MTM attack, and the device doing the inspection is not trusted by the computers. Can you screenshot the error? On Chrome, also press F12, click on the security tab and screenshot the certificate details after clicking the "view certificate" button.
 
Yep, as explained. The LTE router takes over any request to any website when it is offline, it then appears to proxy the request through its own internal web server to show the "You are not connected, here is your signal strength" (see image below).

By doing that, instead of redirecting to an internal page immediately, the SSL certificate error happens (please see 2nd image below)

[Image: Capture.PNG]

Above shows what you're supposed to see when you're offline. However, the browser will show this, because the certificate it knows about doesn't match the destination:

[Image: aA9G9.jpg]

So a user with an LTE modem (very popular at the moment if you keep abreast of the news), when they lose connection, but their devices (phone, laptop, desktop, tv, radio whatever) are still connected to the wifi, the router intercepts any request to a website and tries to show the offline page (pictured above). Technically all the devices are still connected to the wifi, but then the user sees the 2nd image/warning, and thinks it's our website.

Understand the issue better? Cool. Anything I can do to somehow stop this from happening?
 
> Is there an effective way to somehow stop that from happening so I can stop wasting my ****ing time with end-user problems with internet connectivity?

Only workaround you have available from the site perspective is to disable SSL/TLS so the redirect can happen. May be tricky if you have HSTS or HPKP in force though. Or if it's not your domain.

The router doesn't have an opportunity to redirect because that's an HTTP response that can't be delivered until the TLS connection is established, for any URL starting https. And it's clearly failing any captive portal heuristics that could work around this in the browser.

Depending on the situation maybe you want to warn customers in advance. Or deal with them faster by sending them to neverssl.com (which can be redirected).

Btw is that a top-level wildcard in that cert? Dodgy.
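
The point made in the reply above, that the redirect is an HTTP response which cannot be delivered until the TLS connection is established, shown as an added example (not part of the original post). The loopback "portal", its `192.168.8.1` redirect URL and the `example.test` host name are constructed stand-ins, and this portal answers in plain HTTP; a router that presents its own certificate, as in the thread, is rejected at the same stage.

```python
import socket
import ssl
import threading

# Constructed reply: what an offline router's portal would like to send.
REDIRECT = (b"HTTP/1.1 302 Found\r\n"
            b"Location: http://192.168.8.1/offline\r\n"  # hypothetical portal URL
            b"Content-Length: 0\r\nConnection: close\r\n\r\n")

def start_portal():
    """Hypothetical offline router on loopback: answers every connection with REDIRECT."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener closed
                return
            with conn:
                conn.recv(4096)          # plain HTTP request or TLS ClientHello
                conn.sendall(REDIRECT)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def fetch_http(port):
    """http:// request: the redirect arrives and a browser would follow it."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
        return True, s.recv(4096).split(b"\r\n")[0].decode()

def fetch_https(port):
    """https:// request: the handshake must succeed before any HTTP is read."""
    ctx = ssl.create_default_context()   # normal validation, as a browser does
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
            with ctx.wrap_socket(s, server_hostname="example.test") as tls:
                tls.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
                return True, tls.recv(4096).split(b"\r\n")[0].decode()
    except OSError as exc:               # ssl.SSLError is a subclass of OSError
        return False, type(exc).__name__

if __name__ == "__main__":
    port = start_portal()
    print("http :", fetch_http(port))    # redirect delivered
    print("https:", fetch_https(port))   # handshake fails, redirect never seen
```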
 
> Only workaround you have available from the site perspective is to disable SSL/TLS so the redirect can happen. May be tricky if you have HSTS or HPKP in force though. Or if it's not your domain.
>
> The router doesn't have an opportunity to redirect because that's an HTTP response that can't be delivered until the TLS connection is established, for any URL starting https. And it's clearly failing any captive portal heuristics that could work around this in the browser.
>
> Depending on the situation maybe you want to warn customers in advance. Or deal with them faster by sending them to neverssl.com (which can be redirected).

Thanks, we have HSTS in place and only work on SSL since we are using Google AMP. I guess we would just have to deal with these user queries.

> Btw is that a top-level wildcard in that cert? Dodgy.

I grabbed the image off of Google Images instead of trying to simulate the issue by downing the internet at work ;)
 