Security

Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.

In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.

My question: How common is it for employers to perform MITM attacks on their own employees?"

  • Yes they did. (Score:5, Interesting)

    by funwithBSD ( 245349 ) on Wednesday March 05, 2014 @01:40PM (#46410065)

    Yes, that is exactly what my company did. They got ratted out when they let the CA expire, but the argument was "Our hardware, our rules."

    The usage rules stated something along the lines of they had the right to inspect and alter packets on the company owned network, so there you go...

  • No (Score:5, Interesting)

    by dskoll ( 99328 ) on Wednesday March 05, 2014 @01:41PM (#46410087) Homepage

    I own my company, and no... I don't do this to my employees.

    I have warned people who've abused the system (I had some casual employees who spent inordinate amounts of time on Facebook, and I've had to clamp down on music downloads that could have gotten me into trouble) but I generally use HR methods rather than technological methods to take action.

  • by houstonbofh ( 602064 ) on Wednesday March 05, 2014 @01:54PM (#46410265)

    I'm not sure why they would need to do that as a routine task. It's fairly broad and consumes resources. It'd be pretty funny if you mentioned it to their IT Director and he replied with "huh?"

    Actually, a well configured proxy saves resources. Caching of images can save a lot, and filtering of advertising saves a huge amount of bandwidth. Then there is the filtering of content that could expose the company to lawsuits (Like porn in a harassment suit) and legal issues, and of course, job searches on company time.

    And calling it an attack is a joke. There is no middle, as the company owns everything on the network. If you have private stuff to do, use your tablet.

  • Re:Yes they did. (Score:5, Interesting)

    by joaommp ( 685612 ) on Wednesday March 05, 2014 @02:12PM (#46410519) Homepage Journal

    And how legal is this over there?

    This January, here in Portugal, things like that just became totally illegal, punishable with prison sentence.

  • SSL Interception (Score:5, Interesting)

    by KingSkippus ( 799657 ) on Wednesday March 05, 2014 @02:24PM (#46410687) Homepage Journal

    Yes, it's actually extremely common. Google "SSL Interception", as that's the name of the feature that is advertised on hardware/software that performs this function.

    This is why I never browse private web sites on work hardware. You simply do not know how they've mangled the machine, what all it is revealing or to whom. (That's right, most large companies actually outsource security, so all of your private account numbers and passwords are going to third parties that you don't know and never will, third parties who have been indemnified and are completely immune to any kind of action or recourse from you if they screw up.) If I want to browse the web, I use a VPN connection to my house and my own personal laptop. I don't use my work smartphone for Facebook or personal email, I have my own personal phone using my own provider. When I'm working from home and VPNed into the office, I don't use my personal workstation for any work stuff, except as a VirtualBox host for a work VM, which my company has altered through group policy and direct installation of software to be configured how they want.

    It's a shame that in today's work environment we have to worry about such things, but if you think the NSA is bad about spying on you, it's small potatoes compared to what your own company does. Never trust your company to just be innocently looking for malware or other intrusion detection means. Never install any software or services on your personal equipment from your company, no matter how much more convenient it will make your life. (This includes, for example, accepting elevated permissions to connect to your work email on your personal phone.) Always assume that they're watching you, looking for anything that can be used to fire you, cancel your severance, or extort whatever they want from you, whether you're just a peon on the low rung of the corporate ladder or the CEO.

    I've worked very closely with both the network and security people in a large multinational corporation, and I've seen firsthand the kinds of things they do. It ain't pretty. I've seen people leave because they have moral qualms with the kind of monitoring that goes on, and people screwed because something innocent that everyone does was turned into a major issue. I cannot emphasize this enough; never, ever, ever mix your personal life with your work life, especially when it comes to communications and technology.

  • Re:Yes they did. (Score:5, Interesting)

    by DoofusOfDeath ( 636671 ) on Wednesday March 05, 2014 @02:24PM (#46410693)

    How does that work with website owner's terms of use, however?

    Suppose I create a website, and say that I'm only authorizing the content on my site to be accessed by username Joe.

    Joe logs into my website from his employer's computer, and his employer logs the content I send him. His employer now has unauthorized, decrypted copies of my data.

    Is the employer now in violation of the laws against unauthorized computer access, and in violation of the DMCA for circumventing my copyright mechanism? Recall that Joe has no authority to loosen my copyright claims.

  • Re: Yes they did. (Score:4, Interesting)

    by JohnFen ( 1641097 ) on Wednesday March 05, 2014 @02:30PM (#46410759)

    If your company cannot see the contents of HTTPS communications then you're right, they're just proxying and not performing a MITM attack. That is not what we're talking about here, though -- we're talking about actual MITM attacks which let the employer examine the encrypted datastreams.

    And yes, it is an attack -- even if it's legal and you can make a good case for doing it, it's still an attack. It doesn't have to be "abusive" to qualify.

  • Re:Yes they did. (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 05, 2014 @02:31PM (#46410771)

    My previous company did it too:
    They installed a Blue Coat proxy, pushed to all Windows computers (what normal staff were using) the configuration to use that proxy, and installed a trusted CA certificate so the proxy would be trusted.
    That meant that most people didn't notice the change, as both Explorer and Chrome used the Windows centralized certificate storage from day one.
    The thing only broke for Firefox users (very few), who started getting untrusted certificate errors, and the Linux machines, when they set the firewall to prevent any http or https traffic not through the proxy. Most of those people simply started clicking on the "trust certificate" button.
    A couple of weeks later they pushed an internal Firefox installation and "forbade" people from installing it from the Mozilla page.

    Funny notes here:
    a) they did it in an illegal way: in this country a company is allowed to monitor their employees network activity only if they make it very clear to them before starting to do so. They certainly did not. Actually our contracts said specifically that they did not.

    b) after trying all kinds of things they needed to give up on the idea of preventing any http(s) traffic off the proxy, as many tools (including EDA tools) required https connections to update and so forth and would not trust the proxy certificates. So eventually the firewall was left open for https. Whoever knew how to could just work around the proxy on his own computer. All Linux workstations were left connecting straight.

    c) People realized and asked what it was. They lied to them with a straight face, with claims like: we don't unencrypt the proxy connections to banks, health (here we have a portal for online consultations with the public doctor and can access our medical history) or other similar private pages. This was a blatant lie anybody could check by just looking at the certificate issuing authority. They were doing it with _all_ pages.

    d) they claimed this was only so they could scan for viruses in downloads. Not to monitor any activity.

    e) I asked our local HR manager, she didn't have any problem telling the truth: "you are an engineer, you work on IT, you know how easily we can monitor anything we want.." and then made some funny remarks about the kind of pages people were enjoying in her previous company and what detailed usage reports she was getting. At that time I checked the Blue Coat page for the proxy we got installed, it could certainly log any activity in great detail.

    f) My concern wasn't so much that they would monitor our activity (which was creepy), but the fact that all connections were unencrypted at the proxy. So somebody with bad intentions and access to the proxy could start collecting a lot of information. And this made the proxy a great target for hacking.

  • Why is this legal? (Score:4, Interesting)

    by Richard_J_N ( 631241 ) on Wednesday March 05, 2014 @02:33PM (#46410815)

    As the operator of the webserver, I certainly don't consent, even if the employee had no choice.
    Is there any way to detect this server-side?

  • Re:Yes they did. (Score:4, Interesting)

    by Teun ( 17872 ) on Wednesday March 05, 2014 @03:11PM (#46411307)

    I agree most of Europe is behind the voters = normal employees.

    But the company I work for is Anglo-Saxon and that's a whole different kettle of bad fish...

    Indeed they have a front page telling you it's their network and they reserve the right (any right) to protect it.
    The proxy servers are in the UK and US; although both governments love to gather anything and either don't have a constitution or have no privacy legislation, they do serve employees in other more enlightened EU countries.

    One day they'll find out they are overstepping both common decency and laws.
    At least in The Netherlands the Works Council is on it and has been able to rectify some of the grossest breaches of privacy, like a top banner with a public list (log) of any and all sites visited by any individual employee, at least including the management.

    In hindsight it would have been quite interesting to see who or what management is interested in now that there's a rumour of a billion-Euro take-over :)

  • Re:Yes they did. (Score:5, Interesting)

    by JohnFen ( 1641097 ) on Wednesday March 05, 2014 @03:11PM (#46411311)

    Intercepting the network traffic of dishonest employees stealing company time and network access is perfectly legitimate

    Why are you assuming that the employees are dishonest and stealing company time and access? My company specifically allows personal use of their network (within certain limitations), so nobody here is being dishonest.

    as is the company reselling the captured personal data in the open market.

    That's nowhere near legitimate, regardless of whether the employee is honest or not. That's an even greater level of dishonesty than someone checking their bank account on company time. If I found a company did that to me, I'd sue them as hard as I could, and I think I would have a decent shot of winning.

  • Re:Yes they did. (Score:3, Interesting)

    by Charliemopps ( 1157495 ) on Wednesday March 05, 2014 @03:43PM (#46411699)

    Exactly... if you owned a network worth hundreds of millions of dollars would you let ANYTHING traverse it without your knowledge? If you did, and you got compromised, Slashdot would be all over you for being too lax in your security.

    The way it works where I'm at, it's totally transparent. You have to sign something that you're ok with being monitored when you're hired, but other than that they don't really explain anything. Then the proxy gets "hits" based on your activity. Everyone gets a bad email or clicks the wrong link every once in a while so they don't want to nail people for every little thing. But once the proxy gets enough "hits" on someone a ticket is created. They don't view these encrypted files or look at your bank data at all... instead they just remotely record video of your desktop. I don't care what kind of encryption you're using at that point, they've got you if you're doing something wrong. I knew a guy that was VPNing to his home network and doing things he shouldn't off that. I guess he thought that was ok... They walked him out in the middle of his shift.

  • Re:SSL Interception (Score:5, Interesting)

    by NJRoadfan ( 1254248 ) on Wednesday March 05, 2014 @03:46PM (#46411741)

    Relevant link: https://www.grc.com/fingerprin... [grc.com] This is one reason why companies are opposed to non-IE web browsers. Firefox has its own cert store for example.
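A client-side version of the check two commenters describe (looking at who issued the certificate a site presents, and validating against a CA bundle that a Group Policy push does not touch, the way Firefox's separate store does), written as an added example for this thread rather than taken from it. It assumes you recorded the issuer organization of the site's certificate once on a trusted network (the "baseline") and that the `getpeercert()`-style dicts at the bottom are constructed sample data; `cafile` is an optional path to a public bundle such as Mozilla's.

```python
"""Detect HTTPS interception from the client side by comparing the
certificate issuer seen now with a baseline recorded on a trusted network."""
import socket
import ssl


def issuer_org(peercert):
    """Return the organizationName of the issuer from a ssl getpeercert() dict,
    or None if the field is absent. The dict holds 'issuer' as a tuple of RDNs,
    each RDN a tuple of (attribute, value) pairs."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def fetch_peercert(host, port=443, cafile=None):
    """Perform a real TLS handshake and return the leaf certificate as a dict.

    When cafile is given, Python's ssl validates ONLY against that bundle instead
    of the OS store, so an internal CA pushed by Group Policy does not validate
    here: an intercepting proxy then shows up as an ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_interception(peercert, baseline_org):
    """Return (intercepted, reason). Interception is flagged when the issuer
    organization differs from the baseline or is missing entirely."""
    org = issuer_org(peercert)
    if org is None:
        return True, "issuer has no organizationName"
    if org != baseline_org:
        return True, f"issuer changed: {org!r} != baseline {baseline_org!r}"
    return False, "issuer matches baseline"


# Constructed sample certificates in getpeercert() format (not real CAs).
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "maps.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "maps.example.com"),),),
    "issuer": ((("organizationName", "Contoso Proxy CA"),),
               (("commonName", "Contoso SSL Interception Root"),)),
}

if __name__ == "__main__":
    for label, cert in (("trusted network", SAMPLE_PUBLIC), ("office", SAMPLE_INTERCEPTED)):
        print(label, check_interception(cert, "Example Public CA"))
```

To run it against a live site, record `issuer_org(fetch_peercert(host))` at home, then compare with the same call from the office network.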
