This ISP (True Internet - AS7470 and AS17552 ) already intercepts http traffic using transparent proxy since quite some time.

There were rumours recently that Thai ISPs would start intercepting https and making users install their TLS certificate. But I have not seen any evidence of it personally, nor have I heard of anyone who got certificate hijacked while browsing.... So its likely a proxy in the probe host's local network.

On Sat, Aug 1, 2015 at 11:36 PM Andrew Bosch <andrewbosch@comcast.net> wrote:

The Fortinet name in the certificate suggests a firewall or proxy that is
intercepting traffic from the probe.

-----Original Message-----
From: ripe-atlas [mailto:ripe-atlas-bounces@ripe.net] On Behalf Of Stephane
Bortzmeyer
Sent: Saturday, August 1, 2015 10:36 AM
To: ripe-atlas@ripe.net
Subject: [atlas] Strange certificates at probe 17009

Probe #17009, located in Bangkok, when asked to perform a "sslcert"
measurement, always retrieve a certificate whose expiration date is
2024-10-31, whatever the target is. There is probably a
man-in-the-middle before the probe...