CRT certificate -- what are the risks?

shmu26

Jul 3, 2015
There is a certain ISP that provides content filtering at various levels, as per the user's personal preferences, and this filtering is at the ISP level; it is not performed on the user's personal device.
They ask users to install a CRT security certificate.
How severe is the security risk?
I am not overly concerned about privacy issues, such as someone knowing what websites I visit etc.
I am more concerned about actual security issues, such as safe banking, protecting logon credentials, etc.
 
To begin,

Your ISP is routing all of your traffic, so they have full visibility of everything you send already.
This is why people use VPNs.


I'm not exactly sure why they would want you to install a certificate though.
 
Without the certificate, certain websites are hard or impossible to log onto.
 
Any details on the CRT Certificate, or ISP?
The ISP is an Israeli one, I am sure you never heard of it: Internet Rimon.
The certificate, well, they give you an exe file to run, it installs a file named RimonCrt.exe.
I also found this path on my computer:
C:\Windows\System32\Tasks_Migrated\RimonCrt
 
Not sure of your specific case, but
many root certificates are preinstalled in the computer and this protected list is managed by well-known manufacturers (Microsoft, Apple, Google...).
The security risk occurs when an untrusted certificate is installed in this list, so that all the child certificates generated will become trusted. Then a possibly suspect site will be protected (padlock) and trusted (without warning).
Who can tamper with the list? On your PC it can be altered voluntarily by the user, by malware or by the administrator of the domain if the PC is connected to a corporate network... but certainly not by your ISP.
I assume your ISP will have taken all necessary measures to ensure your safety.
 
Rimon does not go into the list of root certificates, at least, I didn't find it in there.

EDIT: In the past, I was using Rimon, and I didn't know about their certificate, and I had issues with logging onto secure sites. I think I had trouble with MT, actually. Then someone told me about their certificate, which alleviates that problem.
This morning I discontinued the service, for other reasons, but the whole thing remains a mystery to me.
I saw someone on a Hebrew language Linux forum who went ballistic about the enormous security and privacy issues with this certificate, but I am not convinced he even knew what he was talking about. You know, sometimes the Linux enthusiasts can get a little carried away about privacy issues...
 
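An added example, not part of the thread or of the ISP's software: one way to check whether a filtering certificate ended up in a trusted store is to search every Windows certificate store, per-user and machine-wide, instead of looking only at one root list. The search string `Rimon` is an assumption taken from the installer file name mentioned above; the certificate's actual subject may differ.

```powershell
# Added example: search all Windows certificate stores for certificates whose
# subject or issuer matches a name, and report which store each one sits in.
# 'Rimon' is an assumption based on the installer name in the thread.
param(
    [string]$Pattern = 'Rimon'
)

# Stores whose members are treated as trusted root authorities.
# Root     = Trusted Root Certification Authorities
# AuthRoot = Third-Party Root Certification Authorities
$rootStores = 'Root', 'AuthRoot'

$found = Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        # The Cert: drive also returns location and store objects; keep certificates only.
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        ($_.Subject -match $Pattern -or $_.Issuer -match $Pattern)
    } |
    ForEach-Object {
        # PSParentPath looks like
        # Microsoft.PowerShell.Security\Certificate::CurrentUser\Root
        $storePath = ($_.PSParentPath -split '::')[-1]
        $storeName = ($storePath -split '\\')[-1]
        [pscustomobject]@{
            Store       = $storePath                      # e.g. CurrentUser\Root
            TrustedRoot = $rootStores -contains $storeName
            SelfSigned  = $_.Subject -eq $_.Issuer        # typical for a root CA
            Subject     = $_.Subject
            NotAfter    = $_.NotAfter
            Thumbprint  = $_.Thumbprint
        }
    }

if ($found) {
    # A hit with TrustedRoot = True means certificates issued under it are
    # accepted without a browser warning for that user or machine.
    $found | Sort-Object Store | Format-List
} else {
    "No certificate matching '$Pattern' found in any store."
}
```

A certificate installed only under `CurrentUser\Root` does not show up when browsing the machine-wide root store, which is one reason a manual look can miss it.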