On an Edinburgh Bus: A root certificate, a weak key, and SHA-1!

I love my trip on the bus into work in the morning, and Lothian Busses provide such as great service. I have always loved traveling on busses in Edinburgh.

And so my laptop typically tries to connect to the bus wifi. But, basically, it is setup to intercept HTTP traffic and then feed adverts to me. HTTP injection exposes users to many risks, especially against their privacy. Also, it tries to intercept HTTPs by providing me with a root certificate, and them tries to break the tunnel. Why do we allow this? Surely users are being tricked, and that whoever connects to the network could spy on people using the wifi. Do not — ever — install a root certificate, unless your really trust it!

So, the first problem is that the wifi connection tries to install a root certificate on my computer (quite shocking actually!), and one which will be trusted until the year of 2034 (yes, that is 15 years away, so it might stick around for a while). This means that if anyone hacks this certificate (and , as we will see, it might not be too difficult) — and finds the associated private key — then they could create hacked applications which are properly signed: