Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?
New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.
In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.
My question: How common is it for employers to perform MITM attacks on their own employees?"
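The summary describes a proxy that re-issues a certificate for every outbound HTTPS site, with the employees' machines trusting it only because the internal CA root was pushed out by Group Policy. The following is an added example, not code from the submitter, the client, or Slashdot: a machine-side check that extracts the subjectPublicKeyInfo from the leaf certificate a server presents, hashes it into the pin-sha256 form defined for HTTP Public Key Pinning (RFC 7469), and compares it with a pin recorded earlier from a network known not to intercept. Because the enterprise root is trusted on a managed machine, certificate verification itself passes; the pin comparison is what reveals that a different key is terminating the connection. The host name, the pin values, the file name and the hex-encoded certificates in the test are constructed placeholders, and the DER walker assumes the standard X.509 layout with single-byte tags.

```python
"""Detect TLS interception by comparing a site's SPKI pin (RFC 7469 pin-sha256).

Added example, not code from the original page. An intercepting proxy that
re-signs certificates with an enterprise CA cannot reproduce the real site's
key pair, so the pin of the leaf it presents differs from the pin of the leaf
the real server presents, even though the chain verifies on a managed machine.
"""
import base64
import hashlib
import socket
import ssl
import sys


def _read_tlv(buf, pos):
    """Parse one DER TLV at `pos`; return (tag, content_start, content_end).

    Assumes single-byte tags, which holds for every element walked below.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    header = 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    return tag, start, start + length


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo (header included) of an X.509 cert.

    RFC 5280 layout: Certificate { tbsCertificate { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo,
    ... } ... }.  We walk to the seventh child of tbsCertificate.
    """
    tag, start, _ = _read_tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, start)          # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                   # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                                # serial, sigalg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return cert_der[pos:end]


def spki_pin(cert_der):
    """pin-sha256 value as in RFC 7469: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return base64.b64encode(digest).decode("ascii")


def check_pin(cert_der, expected_pins):
    """Return (matched, observed_pin); expected_pins is a set of pin-sha256 strings."""
    observed = spki_pin(cert_der)
    return observed in expected_pins, observed


def fetch_leaf_der(host, port=443, timeout=10):
    """Fetch the leaf certificate exactly as this machine's trust store accepts it.

    create_default_context() loads the OS trust store, so a Group-Policy-pushed
    enterprise root is honoured and the handshake succeeds through a proxy;
    the returned DER is then the proxy-minted leaf, not the real site's.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage (placeholder names): python spki_check.py maps.example.net <pin recorded off-network> [...]
    # The pins to compare against must be recorded from a connection known to be direct.
    host, expected = sys.argv[1], set(sys.argv[2:])
    matched, seen = check_pin(fetch_leaf_der(host), expected)
    verdict = "matches the recorded pin" if matched else "DOES NOT match; a different key terminates this connection"
    print(f"{host}: {seen} {verdict}")
```

The pin is computed over the key, not the whole certificate, so a legitimate certificate renewal that keeps the same key pair does not trigger a mismatch, while any re-issued leaf signed by an internal CA does.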
Not MITM (Score:4, Insightful)
Re:Not MITM (Score:5, Insightful)
Re:Evil? (Score:4, Insightful)
Pretty evil when you figure that people routinely think little of jumping onto their bank's website and checking their account balance. I mean it is one thing to disallow that... it makes you a huge prick of course, but to MITM silently so anyone who does it is risking their personal financial data? That is absolutely unconscionable.
Not so evil since the company is responsible for what you do with their equipment and internet connection, so they often monitor your usage for things like preventing data leakage (which could result in large penalties against the employer) and browsing inappropriate web sites (if a coworker sees you surfing porn, the *company* may be liable for allowing a hostile workplace).
With modern smartphones and cellular enabled tablets, there's no reason to do your personal browsing on your employer's network. If you don't want your employer to see it, don't do it on their equipment/network.
Paranoia (Score:5, Insightful)
My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees
A completely baseless assumption. I have worked with several organizations who do this "attack" to protect themselves from malicious traffic. I have not yet seen any that logged content. The legal and regulatory risks in doing this are too high to do this sort of data collection.
Re:Yes and no (Score:4, Insightful)
Sometimes watching encrypted traffic may be needed for some regulatory compliance. Of course, the best thing would be to have a terminal server set up to allow people to use their Web browser free and clear, while direct connections to the Internet would be monitored/logged. This way, personal E-mail and banking info isn't touched, while sensitive internal data is well protected.
Re:Evil? (Score:5, Insightful)
At my last job I did this to a limited extent. I decrypted filesharing sites and services so that I could scan files for viruses at the gateway before they made it to a computer. However, financial and medical industry sites were specifically excluded from decryption, due to the liability issues, and we publicized the fact that we were scanning encrypted traffic.
There are genuine uses for the technology. More and more sites are going to SSL all the time. That makes it impossible to sniff the traffic for viruses and intrusions. For schools and libraries, many of which are required to filter for content, unencrypted SSL prevents the content filters from working correctly. I expect that more employers will turn to this in the near future. Doesn't everyone expect
Re:Evil? (Score:5, Insightful)
Honestly I WOULD entirely agree if not for the MITM aspect.
If they really want to do that, set up a proxy and whitelist allowed sites. Deny SSL connections. Fine. Silent MITM attacks expose people in an unsuspecting manner, in ways that it's unrealistic to expect most employees outside of IT to understand.
Re:Evil? (Score:2, Insightful)
Honestly I WOULD entirely agree if not for the MITM aspect.
If they really want to do that, set up a proxy and whitelist allowed sites. Deny SSL connections. Fine. Silent MITM attacks expose people in an unsuspecting manner, in ways that it's unrealistic to expect most employees outside of IT to understand.
Blanket SSL blocking won't work -- employees often *need* to use SSL to do their job (i.e. Finance needs to connect to the bank websites, employees need to use SSL protected logins at other sites - most any site that allows logins will require SSL).
No one has time to compile a big whitelist for every site that an employee might need to connect to, which is why the decrypting proxies are so popular -- if you can inspect and do malware scanning on every site, there's no need to make an employee submit a form and wait for someone to test the site to see if it's a valid work related site. And a whitelist doesn't solve the problem of data leakage if a whitelisted site can enable that leakage. The company may allow access to Gmail so employees can check email (they may even use Gmail themselves for email), but they still want to inspect outgoing data to make sure an employee hasn't inadvertently (or purposely) tried to send an email with protected data.
A well managed decrypting proxy is a limited risk to employees. While a poorly managed proxy may be a risk, a poorly managed desktop computer is also a risk if it's been infected by malware. Either you trust your employer's IT department to run a secure network or you don't... and if you don't trust them, then don't use their network or equipment.
Re:Yes they did. (Score:5, Insightful)
In the US, this is totally legal, although there may be disclosure requirements (I'm not sure). The "my system, my rules" argument wins. My workplace does this, and they informed me that they do this when I was hired.
Re:Maybe the company's not actually doing it? (Score:5, Insightful)
The company does not own the employee, and does not own the server that the employee is talking to, and so it really is a MITM attack. The company is the middle.
Your advice is on the nose, though. It is impossible to trust any employer run system, and therefore you should never, ever do anything of a personal nature on company systems. Even if, as where I work, using the company systems for reasonable personal use is allowed.
DING DING DING!!! (Score:5, Insightful)
You, sir (or ma'am), are doing it right. This is precisely the thing that gets me so mad at companies today, that they view these issues as an IT problem, not an HR problem. So they spend hundreds of thousands of dollars (sometimes millions) in hardware, software, salaries, support contracts, and lost time when shit breaks, just so that management 1) won't have to do their jobs--you know, managing people, and 2) will have plausible deniability when someone does do something stupid. ("It's not my fault for not making sure my workers were working on what they were supposed to and not violating company policy; IT should have blocked that site!!!")
It's refreshing to see someone who actually gets where company policies should actually be enforced and where responsibility really ought to lie when there are gaps. Thank you!
Re:Maybe the company's not actually doing it? (Score:2, Insightful)
It isn't an attack, it is a proxy. The company's node (computer) is configured to use the company's proxy to get out to the Internet. The connection to the end system is between the company's proxy and the end system. The user has no equipment in play.
Where I work (U.S. Gov't Agency) does this, though they exempt links to known online banking addresses.
Employees are trained annually and sign papers acknowledging they understand what is going on. Don't like it? Don't work here. Or, as most people do, use your own device on a cellular connection and don't use the company's equipment or network.
Re:Yes they did. (Score:5, Insightful)
For example, I have to pay travel expenses from my own money, and then get them reimbursed afterwards. That is, I may have a legitimate reason to access my bank account in order to e.g. pay my flight. But that doesn't give my employer the right to access my banking password (and possibly look what's going on in my bank account).
Also, if I'm not allowed to access my bank account from the company network, the right thing is not to decrypt it, but to block it.
Re:Yes they did. (Score:2, Insightful)
I wonder what the company would say if an unscrupulous network admin steals the bank information from a bunch of employees and robs them?
I'm not sure "my system, my rules" would go very far in court.
Re:Yes they did. (Score:2, Insightful)
Likewise, why are you assuming that the employer is dishonest and stealing employee info? As has been pointed out, there is a legitimate reason for doing this (scanning and blocking malware being distributed over https, like in email).
To reach the conclusion that the employer is doing this because they think the employees are dishonest, you must first arrive at the conclusion that the employer is dishonest. Which seems like a double standard. Either assume they're both honest until proven otherwise, or assume they're both dishonest. Why is one presumed innocent until proven otherwise, while the other is presumed guilty until proven otherwise?
Re:Yes they did. (Score:3, Insightful)
Why is watching 4 minutes of porn worse than 4 hours of BBC news? One giggled perhaps a bit and the other did not work for half a day. To me the second is way worse.
Straw man. Most organizations don't have a usage policy that says four wasted hours of streaming video is ok. However, many have instituted filters for porn specifically because:
1. Generic porn sites tend to also have a far higher frequency of adware and malware content than normal.
2. People have been sued for promoting a hostile workplace environment due to porn, but no one to my knowledge has been sued for promoting an overly British workplace.
3. Many companies are uncomfortable with overtly adult and pornographic media in the workplace in general, irrespective of lost time.
4. It's possible to envision situationally justifying viewing BBC news in many corporate environments, putting it in the grey area of possibly legitimate usage. It's almost never possible to envision a similar situation occurring for porn.