It looks very much like the modem is acting as a man-in-the-middle to an HTTPS-protected site.
To add complexity to this I found:
- I had inadvertently left the Guest network running for a week
- my wife's laptop was connected to the Guest network
- her laptop was routing to a different gateway IP (found via first hop in traceroute)
- our modem had taken additional IPs that I was not aware of:
  - The gateway I had configured: 192.168.174.1
  - The additional gateways that the modem "camped out upon" seem to be: 192.168.100.1, 192.168.101.1, 192.168.102.1, 192.168.103.1
Superficially, I would think "I left the Guest network on, got compromised". But I find it strange that the cert being used is a cert provided by the modem and that the modem has multiple (hidden) gateways.
My questions are:
- Has anyone heard of this attack?
- Could this be anything other than an attack? Does the Hitron Modem have multiple gateways? Does it use a different gateway for the Guest network?
Thank you for an interesting post. I'm assuming the domain extension of the website address your wife was trying is "dot ca" not "forward slash ca". It's possible the browser was not able to reach the resource if "forward slash ca" was being used and resulted in the certificate error.
We haven't heard of this certificate error on our forums so far.
Community - please chime in and share your expertise on this matter.