{"id":107548,"date":"2022-12-06T07:00:00","date_gmt":"2022-12-06T15:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=107548"},"modified":"2022-12-06T06:54:57","modified_gmt":"2022-12-06T14:54:57","slug":"20221206-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20221206-00\/?p=107548","title":{"rendered":"Trouble connecting to Web sites and services because of certificate errors? Check if you’re being held captive"},"content":{"rendered":"

So you’re minding your own business, and you find that Web sites and services are all failing due to certificate errors:<\/p>\n

\n

outlook.office365.com<\/p>\n

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site’s security certificate.<\/p>\n\n\n\n\n\n
\u274c\ufe0e<\/td>\nThe security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.<\/td>\n<\/tr>\n
\u2714\ufe0e<\/td>\nThe security certificate date is valid.<\/td>\n<\/tr>\n
\u274c\ufe0e<\/td>\nThe name on the security certificate is invalid or does not match the name of the site.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Do you want to proceed?<\/p>\n<\/div>\n

And then if you’re the sort of nerd who actually looks at the certificate, you get something like this:<\/p>\n

\n

This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store. <\/b><\/p>\n\n\n\n\n\n
Issued to:<\/b><\/td>\nUS<\/td>\n<\/tr>\n
Issued by:<\/b><\/td>\nUS<\/td>\n<\/tr>\n
Valid from<\/b><\/td>\n1\/13\/2011 to<\/b> 1\/8\/2031<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Who is “US”? Is the United States government trying to hack my connection? (And if so, why would they admit to it right in their certificate identification?)\u00b9<\/p>\n

Or is “US” the guy to whom all my base are belong<\/a>?\u00b2<\/p>\n

While it’s true that you are undergoing a man-in-the-middle attack, there’s a good chance that this attack is not malicious. If you are using a public WiFi connection, say in a coffee shop or hotel, then check whether you are trapped in the captive portal.<\/p>\n

Open a Web browser and go to a plain http<\/code> Web site (not https<\/code>). You’ll probably see a message from the provider of the public WiFi connection asking you to agree to the terms of service or enter subscriber information.<\/p>\n

Once you get past that, go back to the Web site or service you were originally interested in, and it should work better now.<\/p>\n

Bonus chatter<\/b>: So what’s up with the “US”?<\/p>\n

My guess is that whoever generated the certificate for the captive portal went through some “Make me a certificate” wizard and left all the fields blank. The wizard defaulted to “Country = US”, and since that’s the only thing that was filled in, that’s the only information in the certificate.<\/p>\n

Related reading<\/b>: How does Windows decide whether your computer has limited or full Internet access<\/a>?<\/p>\n

Some follow-up notes on how Windows decides whether your computer has Internet access.<\/p>\n

The idea behind probing the Network Connectivity Status Indicator (NCSI) endpoint is that the system wants to know whether access to “random” Web sites will succeed, and it checks this by accessing the NCSI endpoint, which is a “random” Web site. If the access to the NCSI endpoint fails, then access to other “random” Web sites will probably also fail.\u00b3<\/p>\n

Yes, this can be hacked by setting up a weird WiFi network. But who cares? All that’ll happen is that the user on your network gets the wrong connectivity icon (either being told that they have full connectivity when they don’t, or vice versa), and they’ll try to connect to some Web site, and they’ll get an error, and now you have a support problem when they complain that your WiFi is broken.<\/p>\n

Yes, this can be fooled by uncommon network configurations. But that means that connections to random Web sites are probably also going to fail, seeing as there’s nothing particularly special about the NCSI endpoint. A user who opens a Web browser is probably not going to be able to browse the Internet.<\/p>\n

An important detail is that the NCSI endpoint uses http<\/code>, not https<\/code>. If the endpoint had been https<\/code>, then the captive portal’s interruption would break the secure connection (which is what we experienced above), whereas on http<\/code>, the captive portal can inject a redirect to their sign-in page.<\/p>\n

You can configure the NCSI probes via Group Policy. You can read more on the page I linked to in the original post<\/a>.<\/p>\n

This technique for detecting basic Internet access is common across all major operating systems. Windows isn’t doing anything particular sneaky here.<\/p>\n

\u00b9 That’s one of the things I don’t get about the conspiracy theorists who look for clues like this. If you assume that there’s some deep, highly-organized, hyper-competent conspiracy afoot, why also assume that this highly-organized conspiracy is not just inept at keeping secrets, but is openly bragging out in public? The first rule of Fight Club<\/a> is “you do not talk about Fight Club.” The second rule of Fight Club is “YOU DO NOT TALK ABOUT FIGHT CLUB.”<\/p>\n

\u00b2 Yes, I use ridiculously old memes. I’m slow to pick up on these things.<\/p>\n

\u00b3 In Windows 10, the name of the endpoint changed from msftncsi<\/code> to msftconnecttest<\/code>, presumably to make the purpose of the access more obvious in security and audit logs. Nobody will understand that NCSI stands for Network Connectivity Status Indicator. (They’ll probably confuse it with the Naval Crime Investigative Service<\/a>.)<\/p>\n","protected":false},"excerpt":{"rendered":"

There’s a man in the middle.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[104],"class_list":["post-107548","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-tipssupport"],"acf":[],"blog_post_summary":"

There’s a man in the middle.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/107548","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=107548"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/107548\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=107548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=107548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=107548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}