Letsencrypt is issued by Bitdefender Personal CA instead of DST Root CA


#1

I renewed my letsencrypt cert today. But I found the cert is issued by Bitdefender Personal CA.Net-Defender. I remember it should be issued by DST Root CA. And the valid time is one year instead of 90 days. However, when I check my website on my Android phone, the cert is issued by DST Root CA X3. I used certbot client. So is it normal for me? My site is https://plumwine.me. Please see the following screenshot.


#2

The missing mobile phone screenshot.


#3

You are likely seeing BitDefender because you have it installed and its “SSL scan” option is turned on.


#4

Your antivirus MITMs your connections. I personally would not prefer that…


#5

You are right. Seems the root certs of all the websites are replaced by Bitdefender when SSL Scan is turned on.


#6

Bitdefender is operating as a “MITM proxy”.

Hopefully you (or someone who owns this PC where you checked) have installed Bitdefender and intentionally set it to intercept all HTTPS connections. If so, everything is fine, but this certificate is not the “real” certificate issued by Let’s Encrypt, it was issued by your Bitdefender. If you did NOT install this software, you should investigate who did and either assure yourself that all is well, or use a different (clean) computer for anything important.

Explanatory notes - you don’t need to read these unless interested

A Man In The Middle (MITM) is when Alice thinks she’s talking to Bob, and perhaps Bob thinks he’s talking to Alice, but instead Mallory is between them, impersonating each to the other.

If Alice and Bob know each other, they can use the Socialist Millionaire Protocol, which uses clever mathematics to allow two humans to effectively answer a question and check they both gave the same answer, without either learning what the other one picked if they’re different. This is how Off The Record Messenger is able to securely send messages to your friends rather than spooks pretending to be your friends.

Obviously most web sites don’t know you, and you don’t know them. So instead a Trusted Third Party is used; the DST Root CA is a trusted third party for most systems. The Trusted Third Party promises to tell you who owns a Public Key, and so it will tell you that Alice is Alice, Bob is Bob and Mallory is Mallory. Mallory’s plan is foiled. But, if Mallory can persuade you to trust her own CA instead, she can do whatever she pleases.

Bitdefender plays the role of Mallory. It wants to decrypt all messages between you and any web site, to inspect them (presumably and thereby “defend” you in some way) but it can’t convince you that it is plumwine.me or DST Root CA on its own. However, what it does instead is add a trusted third party, “Bitdefender Personal CA.Net-Defender”, and then when you visit a site like plumwine.me this third party (which is actually part of the Bitdefender software) produces a new certificate saying Bitdefender is plumwine.me, and it’s OK.

Large corporations also do this to their employees: they administer the PC so they can add any trusted third party of their own choice. You should ask an employer if you suspect they use a MITM proxy, and consider (even if work policies allow it) never using work computers for private personal matters, banking or other important stuff.
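The two signals the original poster noticed (an unexpected issuer name, and a one-year validity where Let’s Encrypt issues for 90 days) can be checked mechanically. The script below is an added example written for this thread, not code from any poster or from Let’s Encrypt or Bitdefender. It uses Python’s standard `ssl` module: `fetch_peer_cert()` connects with the system trust store (deliberately, so an injected local CA is accepted and therefore visible in the returned issuer), `interception_indicators()` flags an issuer organisation outside the expected set or a lifetime longer than 90 days, and `compare_views()` diffs the leaf certificate seen from two devices, which is exactly the PC-versus-phone comparison in post #1. The expected issuer organisation, the 90-day limit and the two sample certificates are constructed assumptions for the example; the “Bitdefender” organisation name in the sample is likewise a constructed value, only the CN string comes from the thread.

```python
import socket
import ssl
import sys
from datetime import timedelta

# Assumption for this example: the organisation you expect in the leaf's
# issuer. Adjust to whatever CA actually issued your certificate.
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}

# Let's Encrypt leaf certificates are valid for 90 days. An intercepting
# proxy typically mints its own, often much longer-lived, leaf certificates.
MAX_EXPECTED_LIFETIME = timedelta(days=90)


def rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into a dict."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def interception_indicators(cert):
    """Return human-readable reasons why a leaf cert looks intercepted.

    `cert` is a dict in the shape returned by ssl.SSLSocket.getpeercert().
    An empty list means neither signal fired (it does not prove the chain
    is genuine; it only means these two heuristics saw nothing).
    """
    reasons = []
    issuer = rdn_to_dict(cert.get("issuer", ()))
    org = issuer.get("organizationName", "")
    cn = issuer.get("commonName", "")
    if org not in EXPECTED_ISSUER_ORGS:
        reasons.append(
            f"issuer is {cn!r} ({org!r}), not one of {sorted(EXPECTED_ISSUER_ORGS)}"
        )
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    lifetime = timedelta(seconds=not_after - not_before)
    if lifetime > MAX_EXPECTED_LIFETIME:
        reasons.append(
            f"validity is {lifetime.days} days, longer than the expected "
            f"{MAX_EXPECTED_LIFETIME.days}"
        )
    return reasons


def compare_views(cert_a, cert_b):
    """Diff the leaf seen from two vantage points (e.g. PC vs. phone).

    Different serial numbers or issuers for the same site at the same time
    mean at least one path is not showing the origin server's certificate.
    Returns {field: (value_a, value_b)} for every field that differs.
    """
    fields = ("serialNumber", "issuer")
    return {f: (cert_a.get(f), cert_b.get(f))
            for f in fields if cert_a.get(f) != cert_b.get(f)}


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Connect using the system trust store and return the leaf cert dict.

    The default context is used on purpose: if a local CA has been added
    to the trust store, the handshake succeeds and the returned issuer
    exposes the proxy instead of the real CA.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (not captured
# from any real host). GENUINE spans exactly 90 days in a leap year.
GENUINE = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subject": ((("commonName", "plumwine.me"),),),
    "serialNumber": "0123456789ABCDEF",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}

INTERCEPTED = {
    "issuer": ((("organizationName", "Bitdefender"),),   # constructed value
               (("commonName", "Bitdefender Personal CA.Net-Defender"),)),
    "subject": ((("commonName", "plumwine.me"),),),
    "serialNumber": "FEDCBA9876543210",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    # Usage: python check_chain.py example.org  (or no argument for the samples)
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else INTERCEPTED
    for reason in interception_indicators(cert) or ["no interception indicators"]:
        print(reason)
```

Running it on the PC and on the phone (or any second network path) and feeding both results to `compare_views()` reproduces the poster’s observation: the same site at the same moment returning leaves with different serial numbers and issuers is the signature of a local interception proxy, whether that proxy is antivirus software or a corporate gateway.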


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.