CheckMyHTTPS was developed following these observations

Before transferring encrypted data (HTTPS), a web server proves its identity to your browser by sending its security certificate (its identity card) (see phase 1 of the diagram below). This certificate has been validated (signed) by a certification authority recognized by your browser.
Man-in-the-Middle (MITM) interception techniques dynamically generate forged certificates that have not been validated by a recognized authority. However, scenarios do exist that force your browser to accept these forged certificates (three of them are presented below). CheckMyHTTPS lets you verify that the certificate you receive is indeed the one issued by the server.


Observation 1

Many of the security devices deployed in companies (firewalls, proxies, intrusion prevention systems, etc.) incorporate a feature that enables them to inspect SSL/TLS-encrypted flows (HTTPS, POP3S, SMTPS, and any other xxxxS protocol). When this feature is activated (sometimes by default), all outgoing secure data flows are decrypted by this equipment. In the interests of privacy, users must be made aware of this feature (by signing an IT charter, for example).

Example with FortiGate® Firewall

The administrator can enable SSL/TLS inspection in the firewall's admin panel. Beforehand, the firewall's certificate will have been installed on the computers of the network (via a GPO, for example) so that web browsers no longer raise alert messages.


The firewall can then store the data unencrypted. This data can be viewed or extracted (without your agreement) by the administrator.


In the following example, the CheckMyHTTPS module has detected (red padlock) that the certificate received by Microsoft Outlook® (forged dynamically by the firewall) differs from the certificate sent by the mail server (login.live.com). This is proof of an SSL/TLS interception.
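As an added example (not CheckMyHTTPS's own code), the following Python script reproduces the check described above: it hashes the leaf certificate the local TLS stack receives and compares that fingerprint with a reference fingerprint obtained out of band, as CheckMyHTTPS does through its own check server. The reference values and DER bytes below are constructed for the demonstration.

```python
import hashlib
import socket
import ssl

# Added example, not the CheckMyHTTPS code base. The certificate the local
# TLS client receives is fingerprinted and compared with a reference
# fingerprint obtained from an independent vantage point (constructed here).

def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint, as openssl prints it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint: str) -> str:
    """Tools disagree on case and separators; compare on the bare hex only."""
    return fingerprint.replace(":", "").replace(" ", "").lower()

def verdict(local_fp: str, reference_fp: str) -> str:
    """'green' when both sides saw the same certificate, 'red' otherwise.
    A mismatch means a device between this host and the server (firewall,
    antivirus, rogue hotspot) substituted its own certificate."""
    return "green" if normalize(local_fp) == normalize(reference_fp) else "red"

def local_certificate_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate exactly as this machine's TLS stack sees it.
    The default context trusts the OS store, so a locally installed
    interception CA is accepted silently: this returns the forged certificate
    when an inspecting device is in the path, which is what we want to detect."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def check_host(host: str, reference_fp: str, port: int = 443) -> str:
    """Online check: compare what this host receives with the reference."""
    return verdict(sha256_fingerprint(local_certificate_der(host, port)), reference_fp)

if __name__ == "__main__":
    # Constructed offline demonstration: identical DER bytes give 'green',
    # a substituted certificate gives 'red'.
    genuine = b"constructed-der-bytes-of-genuine-cert"
    forged = b"constructed-der-bytes-of-firewall-cert"
    ref = sha256_fingerprint(genuine)
    print(verdict(sha256_fingerprint(genuine), ref.lower()))  # green
    print(verdict(sha256_fingerprint(forged), ref))           # red
```

`check_host` needs network access and a reference fingerprint you trust; the offline part only exercises the comparison.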


Observation 2

Techniques for maliciously intercepting encrypted data streams are now mature and well documented. Thus, a hacker connected to the same local network as you (wired or Wi-Fi), whether domestic or corporate, can exploit these techniques to intercept, analyze or modify your secure data flows. To prevent your browser from noticing that the certificates are forgeries, the hacker will first attempt to present you with web pages urging you to install their certification authority. Even if this succeeds, CheckMyHTTPS will still detect the SSL/TLS interception and display a red padlock.


Observation 3

Many anti-malware (or EDR/XDR) programs installed on computers and mobile phones, such as Avast!® or Kaspersky®, intercept and decrypt your SSL/TLS-secured data streams. Vendors justify this behavior by the need to protect you even inside encrypted flows. It gives their software unencrypted access to your protected data. So that browsers do not react to this local MITM interception, these programs add their own certification authority to the browsers' trust stores when they are installed.

Example with Avast!®


Example with Kaspersky®
