"Network may be monitored" notification due to user certificate #334

Closed
BooBerry opened this Issue Feb 27, 2016 · 28 comments

BooBerry commented Feb 27, 2016

I get the notification on every boot warning me that the network may be monitored by a third party after enabling HTTPS filtering in the Adguard 3.5 alpha.

However, I was able to fix this myself using the Move Cert! app from here (requires root): https://f-droid.org/repository/browse/?fdid=com.nutomic.zertman

The source code is available here: https://github.com/Nutomic/movecerts

It moves the certificate from user to system, but like I said it requires root. Perhaps for rooted users the certificate can automatically be installed into system instead of user? The source code for Move Cert! should help here. :)

@BooBerry BooBerry changed the title from "Network may be monitored" notification due to user certificate to [HTTPS filtering] "Network may be monitored" notification due to user certificate Feb 27, 2016

@ameshkov ameshkov added the SSL label Feb 28, 2016

@ameshkov ameshkov added this to the 2.5 milestone Feb 28, 2016

Member

ameshkov commented Feb 28, 2016

Great, thank you!

I am not yet sure what we should do: add this information to the FAQ or implement this feature in the app. Even if we implement it, installing to system storage should be optional.

You see, moving the certificate is only the first part of the problem. The second part is removing it (which I don't see in that app).

If the certificate is in the system storage, you can't remove it from Android settings, only disable it.

BooBerry commented Feb 29, 2016

> I am not yet sure what we should do: add this information to the FAQ or implement this feature in the app. Even if we implement it, installing to system storage should be optional.

Agreed. But it should be limited to only rooted devices, no?

> You see, moving the certificate is only the first part of the problem. The second part is removing it (which I don't see in that app).

Move Certs! also removed the certificate for me. Worst case, just send a command to delete the certificate from the /system/etc/security/cacerts/ folder.

> If the certificate is in the system storage, you can't remove it from Android settings, only disable it.

Like I said, Move Certs! deleted the certificate for me too, so it's possible.

BooBerry commented Feb 29, 2016

Also to take into consideration are the locations of the user folder...

For Android 4.x and below: /data/misc/keychain/cacerts-added/

For Android 5.x and above: /data/misc/user/0/cacerts-added/
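
Added example, not part of the thread and not AdGuard's or Move Certs!' code: a shell audit over the store paths named in this thread that lists user-added CAs and flags system-store files missing from a baseline of stock digests. The baseline file, the function names and the sample tree are assumptions made for the illustration; it expects `sha256sum`, `grep`, `cut` and `mktemp` to be available (for example when run against a pulled image on a workstation).

```shell
#!/bin/sh
# Added example: list CA certificates that sit outside the stock set.
# root     - filesystem root to inspect: "" in a root shell on the device,
#            or the mount point of a pulled image
# baseline - file of sha256 digests, one per line, of the stock system CAs
#            (assumption: recorded from a known-good image of the same build)
audit_ca_stores() {
    root=$1
    baseline=$2
    # User store: the location depends on the Android version
    # (paths as given in the thread).
    for dir in "$root/data/misc/keychain/cacerts-added" \
               "$root/data/misc/user/0/cacerts-added"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            rel=${f#"$root"}
            echo "user-added $rel"
        done
    done
    # System store: a file whose digest is not in the baseline was placed
    # there after the image was built, e.g. moved from the user store.
    dir="$root/system/etc/security/cacerts"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        digest=$(sha256sum "$f" | cut -d' ' -f1)
        grep -qxF "$digest" "$baseline" || echo "system-extra $rel"
    done
}

# Constructed sample tree; the files are placeholders, not real certificates
# (the audit compares bytes only, it does not parse X.509).
demo_audit() {
    t=$(mktemp -d)
    sys="$t/system/etc/security/cacerts"
    usr="$t/data/misc/user/0/cacerts-added"
    mkdir -p "$sys" "$usr"
    echo "stock CA placeholder" > "$sys/aaaaaaaa.0"
    echo "moved CA placeholder" > "$sys/bbbbbbbb.0"
    echo "user CA placeholder"  > "$usr/cccccccc.0"
    sha256sum "$sys/aaaaaaaa.0" | cut -d' ' -f1 > "$t/baseline"
    audit_ca_stores "$t" "$t/baseline"
    rm -rf "$t"
}

demo_audit
```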

Member

ameshkov commented Mar 1, 2016

> Move Certs! also removed the certificate for me. Worst case, just send a command to delete the certificate from the /system/etc/security/cacerts/ folder.

Ah, ok then, I just missed that part in their code.

Member

ameshkov commented Mar 1, 2016

> Agreed. But it should be limited to only rooted devices, no?

Yep, it is.

Let's summarize.

For rooted devices we should add two more buttons:

  1. Move certificate to the System certificates storage -- moves our cert from user to system storage
  2. Remove certificate -- removes our certificate from the system storage

I'll plan it for v2.6

@ameshkov ameshkov modified the milestones: 2.6, 2.5 Mar 1, 2016

Member

Alex-302 commented Mar 1, 2016

I've installed movecerts and moved the Adguard certificate. Notification and lockscreen are disabled now, but I have the problem with Chrome and Opera now - "certificate is too long" (more than 3 years):

![screenshot_2016-03-01-22-41-05](https://cloud.githubusercontent.com/assets/8361299/13439986/07362dcc-e001-11e5-8034-129aab0acb03.png)
![screenshot_2016-03-01-22-41-14](https://cloud.githubusercontent.com/assets/8361299/13440005/1682b2be-e001-11e5-809a-ee3ecadc791b.png)

Contributor

TPS commented Mar 2, 2016

The full discussion @ https://bugs.chromium.org/p/chromium/issues/detail?id=431573 seems to be fully relevant here.

Member

ameshkov commented Mar 2, 2016

@Alex-302 thank you! Moved to a new issue: #345

Member

ameshkov commented Mar 18, 2016

There are lots of requests for such a feature from alpha testers. We may reassign it to v2.5

Member

ameshkov commented Mar 23, 2016

Known issues:

  1. Adguard's certificate will be removed on system update.
  2. On some devices reboot is required if you want to reinstall AG certificate. Steps to reproduce: install certificate, move it to system certs, clear AG app data, try to generate & install AG certificate again - it won't work until reboot.

Member

ameshkov commented Apr 14, 2016

One more major issue:
Browser starts to check domain certificates against "Public-Key-Pins" header values. This header is ignored in case of the user certificate.

@ameshkov ameshkov modified the milestones: 3.0, 2.6 May 20, 2016

Member

ameshkov commented May 27, 2016

One more known issue (maybe it is also caused by Public-Key-Pins): the Instagram app does not work when the certificate is moved to system certs.

Member

vozersky commented Jul 11, 2016

Guide on moving cert from Josh Lawton:

Enable HTTPS Filtering on Android Nougat.pdf

uBlock-user commented Jan 23, 2017

I'm having the same issue on my Android device and it's NOT rooted. Is there any fix for this?

BooBerry commented Jan 23, 2017

You can swipe away the notification, that's what I do.

uBlock-user commented Jan 24, 2017

> You can swipe away the notification

I do not want to do that on every reboot and that's not a solution either. That's why I'm asking to make it not appear permanently.

BooBerry commented Jan 24, 2017

That's the only solution, except rooting the device and moving the certificate to the system store. The only other solution is to disable HTTPS filtering and remove the certificate.

Other than those, it can't be avoided. Personally, I just live with it and swipe it away on reboot.

war59312 commented Jan 24, 2017

Would not be much of a security boundary...

If an app could just hide it.. What would stop a bad actor (hacker) from doing the same..

Member

ameshkov commented Jan 26, 2017

> If an app could just hide it.. What would stop a bad actor (hacker) from doing the same..

First of all, a bad actor cannot install a security certificate without user consent. :)

war59312 commented Jan 27, 2017

Security in depth approach. ;)

Assume it's been compromised and warn anyways. :p

People are phished all the time. Good to assume user may have accidentally installed the cert. haha

Users are idiots after all. ;)

@ameshkov ameshkov changed the title from [HTTPS filtering] "Network may be monitored" notification due to user certificate to "Network may be monitored" notification due to user certificate Dec 4, 2017

yochananmarqos commented Mar 14, 2018

I created a Magisk module to move the certificate from the user store to the system store for anyone interested. It will remove the "Network may be monitored" notification for proxy mode, but you'll still get a notification that you're connected to the AdGuard VPN in VPN mode.

I attached it in the AdGuard XDA thread for now, but I might create a thread for it if I have time.

EDIT: It's now in the Magisk Module Repo, you can download it via Magisk Manager.

Member

ameshkov commented Mar 20, 2018

Awesome!

Member

ameshkov commented Nov 8, 2018

I guess we don't need to keep this open as AG allows moving cert to system store since 2.12

@ameshkov ameshkov closed this Nov 8, 2018

@ameshkov ameshkov removed this from the 3.0 milestone Nov 8, 2018

uBlock-user commented Nov 8, 2018

> I guess we don't need to keep this open as AG allows moving cert to system store since 2.12

Without root? How?

Member

ameshkov commented Nov 8, 2018

> Without root? How?

That feature requires root, unfortunately. There's no solution for unrooted users :(

uBlock-user commented Nov 8, 2018

Just for a second, my hope went so high, only to come crashing down and be destroyed again... thanks anyways.

yochananmarqos commented Nov 14, 2018

@ameshkov It still can't install the system certificate with Magisk. I'm not the only one, see the XDA thread.

Without AdGuard installing its own Magisk Module, I don't see how you expect it to write to /system. My Move Certificates Magisk Module does the trick.

zzebrum commented Nov 14, 2018

@yochananmarqos it should be working with latest nightly 3.0.66
