I recently installed a new BT HomeHub6 router for my household internet connection. It's been less than 24 hours, and I'm seeing a warning pop up on my desktop computer occasionally regarding Outlooks' connection to my exchange service, hosted at office365.
The error indicates that the certificate presented by the server (outlook.office365.com) is:
- Self-signed
- Does not have a subject that matches outlook.office365.com
- Is valid in terms of it's date
Diving deeper into the certificate, I can see that the self-signed certificate has the subject "CN=self-signedKey,O=Sagemcom Ca,C=FR". This is too much of a coincidence that I've just changed my router, and a router manufacturer is labeled in a certificate that's on an https session, in an attempt to MITM. Now this could be a MITM attack on a jump after my router (I don't think I have any way to investigate that), but browsing to the FQDN as a URL via my browser just redirects to the OWA login page, with no certificate warning.
It just seems scary to me that my router would even attempt to do a MITM or any sort of packet inspection with out my say-so. Or am I deeply naive?! Is this normal? Or am I alone?
Self-signed key error message.
Showing the Subject for the nasty certificate.
It also occurs to me that my https session with outlook.office356.com is using a public key far larger in size than the crumby 1024bit one being presented, so infact it's degrading the security of the tunnel.
Other than clicking on "No", is there any way for me to categorically distrust this certificate so that the warning never appears again?
