Do I have a current MITM?
Your browser rejected a certificate, but this doesn't have to be caused by an attack.
Google.co.uk is failing its HSTS on my browsers.
The warning you see doesn't indicate a problem with HSTS in particular. It's just Firefox saying: "The certificate appears invalid. And by the way, we won't let you add a manual exception because the site uses HSTS." 1
There are many plausible reasons why you got served an invalid certificate for a short amount of time. It could be a hickup at your ISP, a problem with your router, SSL interception by a captive portal (as mentioned by @FedericoPoloni) or, theoretically, a poor attempt at an MITM attack. The first step of investigation would be to check which certificate you were actually served.
Afterwards, you didn't correctly compare the certificates: You connected to www.google.co.uk
but ran the third-party test against google.co.uk
. These are technically different domains that serve different certificates depending on the indicated server name.
Here I'm testing each -servername
with openssl
and you should recognize both fingerprints:
$ openssl s_client -servername www.google.co.uk -connect www.google.co.uk:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=D1:8F:DE:83:4A:68:88:32:DD:CF:C8:6B:0C:74:94:33:02:75:BC:43
$ openssl s_client -servername google.co.uk -connect www.google.co.uk:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
SHA1 Fingerprint=42:38:CE:6C:AA:C5:FE:13:A0:5A:56:88:F3:F2:E7:E4:D7:14:07:DA
1HSTS (HTTP Strict Transport Security) is a header which web servers can send to indicate that clients should never connect to the site over plain HTTP (for a specified amount of time). Your browser picked up that header during one of your previous visits to www.google.co.uk
or preloaded it. One of the header's side effects is that the UI wont't allow you to ignore certificate warnings anymore by adding an exception.