
Tell HN: Apple Store wifi attempts https MITM - gtcode
I was at an Apple Store today, where I browsed an https-only website in Chrome, with which I've been interacting in recent weeks from various access points. No issues in Chrome with the cert up until today. Doing so at the Apple Store today, however, invoked a red 'cert invalid'.

I've just checked the site again in Chrome just now, after leaving the Apple Store, and https is back to green.

Based on the facts, it seems that the Apple Store was trying to MITM the connection which Chrome blocked. Does anyone have any info about this?

If someone at Apple can confirm they do *not* do this, perhaps someone is running a pineapple-type device at that location, or some Apple Store technician has gone off the reservation, or something else?
======
jlgaddis
Without details of the certificate or why it was "invalid" your report is
pretty much useless.

~~~
gtcode
Might I suggest another approach, friend?

"Thanks for reporting. However, without details of the certificate or why it
was "invalid", it will be difficult to investigate this issue further. Could
you return to the Apple Store and get a copy of the invalid certificate and
any other details you can gather?"

Otherwise, you come across as abrasive, at a minimum.

~~~
jlgaddis
Yeah, it probably does come across that way.

It's because I'm used to receiving reports of issues with no (or very little)
information that is helpful in actually determining what the real problem is:
"The network is slow", "so-and-so can't send e-mail", "Extremely high packet
loss" from people who don't understand traceroute, and so on. When I get these
nowadays I simply close them out unless the reporter can provide any useful
details (which usually has to be pried out of them) so I guess it has just
become natural for me to respond that way.

It would be like walking up to an auto mechanic and saying "My car won't
start. What's wrong with it?". There are 1,000 reasons why and without some
more information it's going to be impossible to tell what the actual cause is.

~~~
gtcode
Based on your description, it seems your approach has a number of flaws, which
would lead to "closing out" the report of a security hole, which is a
catastrophic failure in your approach.

Someone would have to go to the store in question to investigate further, in
any case. Whether I offered the cert here publicly or not won't change that.
I've given enough indication of a serious security problem that it merits
investigation. Someone is trying to insert their own cert on a particular URL
I was visiting when using the Apple Store Kahala Mall wifi.

Whoever performs the investigation can easily look into the specifics of the
cert itself. Your response was detrimental to the process in addition to
coming across as abrasive, and your follow-up simile related to the mechanic
is further insulting. I recognize you are an expert in your field but it's not
a way to work with colleagues. I offer this criticism with only the best of
intentions, as someone who can well relate to your line of thinking on such
matters.

