Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees? 572
New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.
In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.
My question: How common is it for employers to perform MITM attacks on their own employees?"
In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.
My question: How common is it for employers to perform MITM attacks on their own employees?"
Yes they did. (Score:5, Interesting)
Yes, that is exactly what my company did. They got ratted out when they let the CA expire, but the argument was "Our hardware, our rules."
The usage rules stated something along the lines of they had the right to inspect and alter packets on the company owned network, so there you go...
Re:Yes they did. (Score:5, Informative)
This is very common
Very.
Your employer probably does little with this - it is usually a part of the configuration for Microsoft Forefront TMG (Formerly ISA Server). I f you have Outlook Web Access, and do any spend on MS recommended practices, then you have a TMG, and 9 out of 10 times, the "Inspection Proxy for SSL" feature.
The intent is to scrub the stream for malware attachments and malicious XML, etc. Most are set-and-forget, with little competence to exploit or understand what they have done.
Bigger corporations, or those aware of data sensitivity issues are another matter. Outbound traffic may be subject to this inspection, for DLP with something like Vontu Network Prevent. These controls are managed by folks who spend 25K on netsec, not 25 C's. :-) Then? Clever operators may be logging and trapping all kinds of info. Reports are very "compliance centric" 'tho. The DLP operator team usually has a fair amount of audit scrutiny. Usually...
Any way, TLS is irrevocably broken. It is reasonable security, trivially implemented and nearly as easily defeated. You own DNS and the path? You own the world.
I am involved in defining a new transport security mechanism for my company's products, because TLS/SSL of handwaving, and IPsec brittleness.
Re:Yes they did. (Score:5, Interesting)
And how legal is this over there?
This January, here in Portugal, things like that just became totally illegal, punishable with prison sentence.
Re:Yes they did. (Score:5, Insightful)
In the US, this is totally legal, although there may be disclosure requirements (I'm not sure). The "my system, my rules" argument wins. My workplace does this, and they informed me that they do this when I was hired.
Re:Yes they did. (Score:4, Informative)
Yup. Here it's perfectly legal if you're informed. Any time I log into a machine at work I get a banner that my employer reserves the right to monitor anything I do with their network.
Re:Yes they did. (Score:5, Interesting)
Intercepting the network traffic of dishonest employees stealing company time and network access is perfectly legitimate
Why are you assuming that the employees are dishonest and stealing company time and access? My company specifically allows personal use of their network (within certain limitations), so nobody here is being dishonest.
as is the company reselling the captured personal data in the open market.
That's nowhere near legitimate, regardless of whether the employee is honest or not. That's an even greater level of dishonesty than someone checking their bank account on company time. If I found a company did that to me, I'd sue them as hard as I could, and I think I would have a decent shot of winning.
Re: (Score:3)
Re: (Score:3)
In the US, this is totally legal, although there may be disclosure requirements (I'm not sure). The "my system, my rules" argument wins. My workplace does this, and they informed me that they do this when I was hired.
That's ridiculous, there must be some limits. The argument "my system, my rules" will not work if you were to whip your employees like slaves, so why should it hold for taking away other rights? Signing them away is a nice try, but you can't sign away all your rights.
Re: (Score:3)
I wonder what the company would say if an unscrupulous network admin steals the bank information from a bunch of employees and robs them?
I'm not sure "my system, my rules" would go very far in court.
In general, so long as the company took reasonable (not absolute) steps to implement safeguards to prevent such a theft, the law is pretty clear that intercepting and inspecting network traffic for legitimate corporate network management or policy enforcement purposes is legal.
For those that believe this sort of thing is and should be completely illegal, its not so simple. It is well within any company's prerogative to simply *block* SSL traffic at the perimeter, preventing it from being transmitted (on an
Re: (Score:3)
I'm not sure "my system, my rules" would go very far in court.
I think you would be surprised, and (IANAL but) I suspect misusing that info and / or capturing it for the purposes of fraud would be a whole different discussion.
Theres not much difference between this and bugging your own house or having an audio recorder in your own car. Your property, your rules.
Re: (Score:3)
Especially since you can use your damn Smartphone over 3g, or your personal device at a local McDonalds/Starbucks if you can't tether and avoid the whole issue.
Comment removed (Score:5, Insightful)
Re:Yes they did. (Score:4, Interesting)
But the company I work for is Anglo-Saxon and that's a whole different kettle of bad fish...
Indeed they have a front page telling you it's their network and they reserve the right (any right) to protect it.
The proxy servers are in the UK and US, although both governments luve to gather anything and either don't have a constitution or no privacy legislation they do serve employees in other more enlightened EU countries.
One day they'll find out they are overstepping both common decency and laws.
At least in The Netherlands the Works Counsel is on it and has been able to rectify some of the grossest breaches of privacy like a top banner with a public list (log) of any and all sites visited by any individual employee, at least including the management.
In hindsight it would have been quite interesting to see who or management is interested in now there's rumour of a billion-Euro take-over :)
Re: (Score:3)
Here in Norway they go even further, and the company is not allowed to read your email if it is put in a folder clearly marked private.
Personally I keep my private and work emails in separate systems, but it seems that a lot of people are using their work email for private stuff.
Re:Yes they did. (Score:4, Informative)
I don't know where you are, but in the US, that can be boiled down to 3 words: sexual harassment lawsuit. Way more damaging than someone just working half time.
Re: (Score:3, Insightful)
Why is watching 4 minutes of porn worse then 4 hours of BBC news? One giggled perhaps a bit and the other did not work for half a day. To me the second is way worse.
Straw man. Most organizations don't have a usage policy that says four wasted hours of streaming video is ok. However, many have instituted filters for porn specifically because:
1. Generic porn sites tend to also have a far higher frequency of adware and malware content than normal.
2. People have been sued for promoting a hostile workplace environment due to porn, but no one to my knowledge has been sued for promoting an overly British workplace.
3. Many companies are uncomfortable with overtly adult
Re: (Score:3)
If it's illegal to police your own network and stop unauthorizes use or activity then how do companies protect themselves from liability there?
Most American enterprises monitor their networks nothing gets in or goes out without going through something and a proxy is a very popular solution. They also usually include a disclaimer when connecting to the network or logging into a machine about monitoring, authorized use, and the possibility of prosecution for unauthorized use.
{it's more likely a company will j
Re: (Score:3)
If I'm on-call, I'm getting paid. If I'm not on-call, then I'm not checking my email.
Re: (Score:3)
yeah, and how can a company protect their staplers and other expensive stationary from being stolen if they can't strip and cavity-search their employees as they leave each night?
Re: (Score:3)
I may not like the fact that the
Re:Yes they did. (Score:5, Insightful)
For example, I have to pay travel expenses from my own money, and then get them reimbursed afterwards. That is, I may have a legitimate reason to access my bank account in order to e.g. pay my flight. But that doesn't give my employer the right to access my banking password (and possibly look what's going on in my bank account).
Also, if I'm not allowed to access my bank account from the company network, the right thing is not to decrypt it, but to block it.
Re: (Score:3)
Click Here [esurance.com] for the reference if you haven't seen it.
Re: (Score:3)
It's legal because the computer isn't the employee's. The company owns the computer sending the transmission, the copper from the computer to the inspection hardware, pays for Internet access, and writes policies that computer and Internet usage is for work-related purposes only and all usage is subject to security measures including traffic inspection.
The better question is: Why do you think using someone else's computer on someone else's network to transmit secure data over someone else's network connect
Re: (Score:3)
It's legal because the computer isn't the employee's. The company owns the computer sending the transmission, the copper from the computer to the inspection hardware, pays for Internet access, and writes policies that computer and Internet usage is for work-related purposes only and all usage is subject to security measures including traffic inspection.
Careful: the first part of that statement is false in the US its only the last part that I've highlighted that makes it legal. The US has wiretapping laws that prevent unauthorized tapping of communications. Nothing in the law refers to ownership: otherwise the phone company could listen to anyone's phone calls whenever they wanted to because they own all the gear. Even in the workplace, when you use the company computer and the company network, there are still protections in place for private communicat
Re: (Score:3)
This is where a USB LTE stick works wonders....
Re: (Score:3, Interesting)
Exactly... if you owned a network worth hundreds of millions of dollars would you let ANYTHING traverse it without your knowledge? If you did, and you got compromised, Slashdot would be all over you for being too lax in your security.
The way it works where I'm at, it's totally transparent. You have to sign something that you're ok with being monitored when you're hired, but other than that they don't really explain anything. Then the proxy gets "hits" based on your activity. Everyone gets a bad email or cli
Re: (Score:2)
Re:Yes they did. (Score:5, Informative)
Want to read your personal email, chat, facebook? Use a phone or tablet.
Re: (Score:3)
SSL Interception (Score:5, Interesting)
Yes, it's actually extremely common. Google "SSL Interception", as that's the name of the feature that is advertised on hardware/software that performs this function.
This is why I never browse private web sites on work hardware. You simply do not know how they've mangled the machine, what all it is revealing or to whom. (That's right, most large companies actually outsource security, so all of your private account numbers and passwords are going to third parties that you don't know and never will, third parties who have been indemnified and are completely immune to any kind of action or recourse from you if they screw up.) If I want to browse the web, I use a VPN connection to my house and my own personal laptop. I don't use my work smartphone for Facebook or personal email, I have my own personal phone using my own provider. When I'm working from home and VPNed into the office, I don't use my personal workstation for any work stuff, except as a VirtualBox host for a work VM, which my company has altered through group policy and direct installation of software to be configured how they want.
It's a shame that in today's work environment we have to worry about such things, but if you think the NSA is bad about spying on you, it's small potatoes compared to what your own company does. Never trust your company to just be innocently looking for malware or other intrusion detection means. Never install any software or services on your personal equipment from your company, no matter how much more convenient it will make your life. (This includes, for example, accepting elevated permissions to connect to your work email on your personal phone.) Always assume that they're watching you, looking for anything that can be used to fire you, cancel your severance, or extort whatever they want from you, whether you're just a paean on the low rung of the corporate ladder or the CEO.
I've worked very closely with both the network and security people in a large multinational corporation, and I've seen firsthand the kinds of things they do. It ain't pretty. I've seen people leave because they have moral qualms with the kind of monitoring that goes on, and people screwed because something innocent that everyone does was turned into a major issue. I cannot emphasize this enough; never, ever, ever mix your personal life with your work life, especially when it comes to communications and technology.
Re:SSL Interception (Score:5, Interesting)
Re:Yes they did. (Score:5, Interesting)
How does that work with website owner's terms of use, however?
Suppose I create a website, and say that I'm only authorizing the content on my site to be accessed by username Joe.
Joe logs into my website from his employer's computer, and his employer logs the content I send him. His employer now has unauthorized, decrypted copies of my data.
Is the employer now in violation of the laws against unauthorized computer access, and in violation of the DMCA for circumventing my copyright mechanism? Recall that Joe has no authority to loosen my copyright claims.
Re:Yes they did. (Score:5, Interesting)
My previous company did it to:
They installed a Blue Coat proxy, and pushed to all windows computers (what normal staff was using) the configuration to use that proxy, and installed a trusted CA certificate so the proxy would be trusted.
That meant that most people didnt realize about the change, as both Explorer and Chrome used the Windows centralized certificate storage from day one.
The thing only broke for Firefox users (very few) who started getting not trusted certificate errors, and the linux machines when they set the firewall to prevent any http or htts traffic not thru the proxy. Most of those people simply started clicking on the "trust certificate" button.
A couple of weeks later they pushed an internal firefox installation and "forbid" people from installing it from the mozilla page.
Funny notes here:
a) they did it in an illegal way: in this country a company is allowed to monitor their employees network activity only if they make it very clear to them before starting to do so. They certainly did not. Actually our contracts said specifically that they did not.
b) after trying all kind of things they needed to give up on the idea of preventing any http(s) traffic off the proxy, as many tools (including EDA tools) required https connections to update and so forth and would not trust the proxy certificates. So eventually the firewall was left open for https. Who knew how to, could just work around the proxy in his own computer. All linux workstations were left connecting straight.
c) People realized and asked what was it. They lied to them with a straight face, with claims like: we dont unencrypt the proxy connections to banks, health (here we have a portal for online consultations with the public doctor and can access our medical history) or other similar private pages. This was a blatant lie anybody could check by just looking at the certificate issuing authority. They were doing it with _all_ pages.
d) they claimed this was only so they could scan for viruses in downloads. Not to monitor any activity.
e) I asked our local HR manager, she didnt have any problem telling the truth: "you are an engineer, you work on IT, you know how easy we can monitor anything we want.." and then made some funny remarks about the kind of pages people was enjoying in her previous company and how detailed usage reports she was getting. At that time I checked the blue coat page for the proxy we got installed, it could certainly log any activity in great detail.
f) My concern wasnt so much that they would monitor our activity (which was creepy), but the fact that all connections were unecrypted at the proxy. So somebody with bad intentions and access to the proxy could start collecting a lot of information. And this made the proxy a great target for hacking.
Re: Yes they did. (Score:4, Interesting)
If your company cannot see the contents of HTTPS communications then you're right, they're just proxying and not performing a MITM attack. That is not what we're talking about here, though -- we're talking about actual MITM attacks which let the employer examine the encrypted datastreams.
And yes, it is an attack -- even if it's legal and you can make a good case for doing it, it's still an attack. It doesn't have to be "abusive" to qualify.
Maybe the company's not actually doing it? (Score:2)
Re: (Score:2, Interesting)
I'm not sure why they would need to do that as a routine task. It's fairly broad and consumes resources. It'd be pretty funny if you mentioned it to their IT Director and he replied with "huh?"
Actually, a well configured proxy saves resources. Caching of images can save a lot, and filtering of advertising saves a huge amount of bandwidth. Then there is the filtering of content that could expose the company to lawsuits (Like porn in a harassment suit) and legal issues, and of course, job searches on company time.
And calling it an attack is a joke. There is no middle, as the company owns everything on the network. If you have private stuff to do, use your tablet.
Re:Maybe the company's not actually doing it? (Score:5, Insightful)
The company does not own the employee, and does not own the server that the employee is talking to, and so it really is a MITM attack. The company is the middle.
Your advice is on the nose, though. It is impossible to trust any employer run system, and therefore you should never, ever do anything of a personal nature on company systems. Even if, as where I work, using the company systems for reasonable personal use is allowed.
Re: (Score:2)
Evil? (Score:2)
Yes and no (Score:3)
It's perfectly legitimate practice on a company network to intercept encrypted traffic. Security devices used for things like intrusion protection and data leakage prevention can't work properly if all you need to circumvent them is an encrypted connection, and you really want that kind of security these days if you're using a large company network, whether you're the company management, the company employees, or the company's customers/clients.
Doing it without making anyone using the network fully aware of
Re:Yes and no (Score:4, Insightful)
Sometimes watching encrypted traffic may be needed for some regulatory compliance. Of course, the best thing would be to have a terminal server set up to allow people to use their Web browser free and clear, while direct connections to the Internet would be monitored/logged. This way, personal E-mail and banking info isn't touched, while sensitive internal data is well protected.
Re: (Score:3)
Extremely.
For now, set aside the question of whether it's acceptable to monitor your employees' encrypted traffic on your network.
Technologically, it's a terrible idea. The client software and the end user no longer have any ability to inspect the actual certificates used for an HTTPS connection. From the client's perspective, all HTTPS connections are really with the MITM device and use the same cert chain. (Well, a dynamically-generated cert for the appropriate site signed by the same trusted CA using, pr
Re: (Score:2)
Re:Evil? (Score:4, Insightful)
Pretty evil when you figure that people routinely think little of jumping onto their bank's website and checking their account balance. I mean it is one thing to disallow that... it makes you a huge prick of course, but to MITM silently so anyone who does it is risking their personal financial data? That is absolutely unconscionable.
Not so evil since the company is responsible for what you do with their equipment and internet connection, so they often monitor your usage for things like preventing data leakage (which could result in large penalties against the employer) and browsing inappropriate web sites (if a coworkers sees you surfing porn, the *company* may be liable for allowing a hostile workplace).
With modern smartphones and cellular enabled tablets, there's no reason to do your personal browsing on your employer's network. If you don't want your employer to see it, don't do it on their equipment/network.
Re: (Score:2)
With modern smartphones and cellular enabled tablets, there's no reason to do your personal browsing on your employer's network. If you don't want your employer to see it, don't do it on their equipment/network.
True up to a point, but the moment anyone mentions the phrase "bring your own device" and anyone from your company touches your employee's private property, a whole bunch of similar issues are going to come up.
BYOD can get complicated (Score:3)
In the real world, BYOD isn't always that simple. The moment an employer encourages their employee to do something on their own device rather than provide dedicated company equipment, there are issues of who has what access, who is responsible for what, etc. There are entire businesses making tools and consulting in this field right now, because that is how big a minefield it is becoming.
Re: (Score:3)
That's a bit of an outdated attitude. Any "secure corporate network" has dozens or even hundreds of compromised client devices on it at any moment (and possibly a compromised employee or two). Not allowing personal devices doesn't increase security all that much. On the other hand, the benefits of BYOD are accepted by most companies that employ knowledge workers. Most places I've worked (some were really big corporations) simply require an employee to sign an acceptable use policy before connecting.
Let me t
Re:Evil? (Score:5, Insightful)
Honestly I WOULD entirely agree if not for the MITM aspect.
If they really want to do that, setup a proxy and whitelist allowed sites. Deny SSL connections. Fine. Silent MITM attacks expose people in an unsuspecting manner; in ways that its unrealistic to expect most employees outside of IT to understand.
Re: (Score:2)
Re:Evil? (Score:5, Insightful)
At my last job I did this to a limited extent. I decrypted filesharing sites and services so that I could scan files for viruses at the gateway before they made it to a computer. However, financial and medical industry sites were specifically excluded from decryption, due to the liability issues, and we publicized the fact that we were scanning encrypted traffic.
There are genuine uses for the technology. More and more sites are going to SSL all the time. That makes impossible to sniff the traffic for virus and intrusions. For schools and libraries, many of which are required to filter for content, unencrypted SSL prevents the content filters from working correctly. I expect that more employers will turn to this in the near future. Doesn't everyone expect
Re: (Score:2)
No (Score:5, Interesting)
I own my company, and no... I don't do this to my employees.
I have warned people who've abused the system (I had some casual employees who spent inordinate amounts of time on Facebook, and I've had to clamp down on music downloads that could have gotten me into trouble) but I generally use HR methods rather than technological methods to take action.
Re: (Score:2)
It doesn't have to be a question of abuse, it's more a question of security. If your firewall/intrusion detection systems don't decrypt SSL, they can't scan it for viruses/malware/intrusions/etc.
Re: (Score:3)
That's true. All our desktops run Linux so we are at somewhat lower risk for most malware than Windows shops. I understand that it's still not completely foolproof, but so far we haven't had a problem.
DING DING DING!!! (Score:5, Insightful)
You, sir (or ma'am), are doing it right. This is precisely the thing that gets me so mad at companies today, that they view these issues as an IT problem, not an HR problem. So they spend hundreds of thousands of dollars (sometimes millions) in hardware, software, salaries, support contracts, and lost time when shit breaks, just so that management 1) won't have to do their jobs--you know, managing people, and 2) will have plausible deniability when someone does do something stupid. ("It's not my fault for not making sure my workers were working on what they were supposed to and not violating company policy; IT should have blocked that site!!!")
It's refreshing to see someone who actually gets where company policies should actually be enforced and where responsibility really ought to lie when there are gaps. Thank you!
Re: (Score:3)
I have never fired someone for abusing our Internet policy. I've issued warnings, though.
Re: (Score:3)
At some point, why not? Verbal warning #1, verbal warning #2, written warning, written Corrective Action Plan with consequences up to and including termination, and for the *really* slow learners, termination.
At a manager, at some point you start thinking "Am I better off sinking more of my time into this clown, or with an open hiring req?" I've had a couple of occasions where the open hiring req was the more attractive option.
Not MITM (Score:4, Insightful)
Re:Not MITM (Score:5, Insightful)
Re: (Score:3, Funny)
Oh the end-user was undoubtedly notified of it, probably somewhere at the bottom of their contract, in tiny writing, after the section about the lavatory and in a sentence beginning with "Beware of the leopard".
Beware of the leopard^W lion^w mavericks (Score:4, Funny)
and in a sentence beginning with "Beware of the leopard".
I don't see why the contract has to declare the version of Apple BSD on which the trusted proxy runs. Otherwise, they'd need to get everyone to sign off on "Beware of the mavericks".
Re: (Score:2)
This is a Man-in-the-Middle if the end-user is not notified of it.
But he was notified. He got the broken cert. And employees probably got notice in that packet they did not read.
Re: (Score:3)
He got a broken cert because he used his own computer. If you used a computer of that corporation it would have the cert bundled and you would never know that your SSL connection was being snooped.
In the limit they could even intercept when you are downloading a browser and inject their own malware version of it. Although this seems like too much trouble.
Re: (Score:3)
Technically, it's a MITM attack even if the user is notified of it.
Re: Not MITM (Score:2)
trusted proxy
Trusted by whom? I certainly don't trust a MiTM proxy, even when it has the word "trusted" in its name.
Re: (Score:2)
trusted proxy
Trusted by whom? I certainly don't trust a MiTM proxy, even when it has the word "trusted" in its name.
Trusted by the people who own the computer.
Re: (Score:2)
Then you shouldn't install its signing certificate on your computer.
In a work environment, I may not have that option.
Comment removed (Score:4, Insightful)
Re:Not MITM (Score:5, Informative)
Yup. But proxies cannot handle HTTPS unless... they are acting as a MITM.
The proxy must either pass it along, block it outright or essentially stand in the middle so as to be able to perform all the usual filtering/sniffing/etc. it would do were the traffic plain ole' HTTP.
Re: (Score:2)
Pass the blame to employees visiting such sites (Score:2)
in many countries regulations prevent snooping of traffic to websites related to health or banking
Watch for language in your employment agreement to the effect: "Employees outside the group health insurance and financial departments MUST NOT access health or banking sites through the company network."
Re: (Score:2)
Except, of course, for websites not recognized by the proxy as containing "banking" or "health" information.
Re:Not MITM (Score:5, Informative)
A trusted proxy is a "Man in the Middle", so I presume your objection is to the word "attack"? Whatever you choose to call it, the fact is that SSL certificates are transparently being rewritten in order to capture data each website's SSL certificate was meant to stop from being captured. "Trusted proxy" is just a friendly euphemism which attempts to justify what may or may not be a legitimate practice, depending on what's being collected and whether or not the users are, in fact, specifically aware of it.
Re: (Score:3)
*Note that all of my comments are about computer security, not acceptable corporate behavior. Whether this is a case of corporate douchebaggery is a separate issue. I didn't comment o
Re:Not MITM (Score:5, Informative)
At a former employer, we produced firewall hardware where this was SPECIFICALLY available as a feature. In fact, I developed the software for it. The certificates provided by the external servers are resigned by a CA cert installed on the appliance which is accepted by client machines behind it. Our equipment allowed the option of generating an internal CA cert, which would then be exported to all clients; generate a Certificate Signing Request, which could be signed by a CA already trusted by clients and imported back to the appliance (if the organization had it's own PKI infrastructure); or allow a resigning certificate and key to be imported.
The justification is simply this: "Our network, our traffic."
The practical reasons for this are to permit the firewall to do virus scanning on encrypted web pages and email (I handled SMTP STARTTLS and SMTP/SSL as well).
At least as far as the work I did went, there was no official way to take the plain text traffic off the appliance - it was not "designed" to snoop on employee traffic, though if someone managed to hack the appliance this would be theoretically possible.
Of course, if you are a contractor or employee concerned about the confidentiality of your traffic, you should exercise due diligence with regard to the CA's your machine trusts.
In our case, we DID have the capability to specify domain names for which this resigning would not be done: those that were "trusted" by the organization installing the firewall. This made it possible to go the extra mile and make some banking site traffic secure end-to-end, but it was on a site by site basis.
As I recall, I left the employ of this company prior to SNI support ever being implemented (we barely supported TLS 1.1, and certainly not TLS 1.2 when I was there, much to my protestations, and SNI is a TLS 1.2 Client Hello extension).
The appliance could also be used in a reverse-fashion: protecting web servers (but not virtual ones, for lack of SNI support, unless they shared a domain name), where it could just do SSL termination, with the site-specific certificate (presumably signed by a CA trusted by most browsers), though we allowed resigning here as well, in the event the internal traffic had to remain encrypted.
Re: (Score:3)
HTTP Proxy, SMTP Proxy "encrypted traffic" features. (There was also an HTTPS proxy, but all it did was drop connections to destinations on a blacklist by domain name as specified by the certificate the remote server provided: it did not decrypt, reencrypt, and resign).
It properly IS a proxy since it proxies the traffic for you. Whether you consider that a MITM attack on encrypted traffic depends on whether you trust the proxy or not.
SSL does not prevent MITM attacks: it just makes MITM mangling of encrypte
I suspect... (Score:4, Informative)
Re: (Score:3)
Re: (Score:2)
It doesn't necessarily mean they're doing anything nefarious.
I either do not expect the company to be doing anything nefarious, but on this day and age of data surveillance, I'm glad that an alarm bell rings in people's minds.
More likely an IPS (Score:5, Informative)
It's more likely they are running the traffic through and IDS/IPS rather than logging everything. It's also likely that well know banking sites are excluded and just passed through. It does use quite a lot of resources to scan the traffic after all.
IDS/IPS https://en.wikipedia.org/wiki/... [wikipedia.org]
Necessary sometimes (Score:2)
In some cases you need to know everything that is going out the door. For example if your company is the target of industrial espionage the last thing you want is your trade secrets going out through your firewall.
I would expect a lot of companies are doing this along with other similar measures.
It happens here (Score:2)
We deal with highly sensitive client data. All network traffic is inspected. The employees are well aware of it because it is explicitly mentioned during new hire orientation / on boarding.
Paranoia (Score:5, Insightful)
My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees
A completely baseless assumption. I have worked with several organizations who do this "attack" to protect themselves from malicious traffic. I have not yet seen any that logged content. The legal and regulatory risks in doing this are too high to do this sort of data collection.
How can I check? (Score:2)
I don't know if my company does this. I wouldn't be surprised if they do; many folks have already mentioned reasons why it might be desirable (for them) that aren't malicious.
But I want to know whether it's happening so I can decide if I want to change my behavior. How would I go about checking for such things on a Windows 7 Professional laptop?
Yes (Score:2)
Happens in more paranoid outfits (Score:3)
A previous employer, a game company whose name rhymes with lizard, uses MITM proxy ... All their machines use their custom cert so that their made-up cert shows 'green' on the location box when any user uses a secure web site.
Just don't use the employer's Internet (Score:3, Informative)
Shesh, Really? Man in the Middle "attack" ? Give me a break.
If you are using an employer's resources to surf the internet just figure that *everything* you do is monitored. If you don't want to be monitored, GO HOME. If you don't trust your employer, GO HOME to do anything you don't want them to see. GO HOME or use your own internet access.
Don't try to make this into some "privacy" issue. It's not.
Re: (Score:3)
Because it's NOT an attack, It's an employer monitoring the use of it's resources by it's employees.
If they are paying for the internet access, paying to have a proxy installed, paying to have the browsers on their machines set up to trust their certificates, they are doing it to themselves. It's not an attack, or a hack or anything of the sort, it's there to monitor the systems they own which is their right. They can do what they want to the traffic entering/exiting their network, including using proxy
My company does this (Score:4, Informative)
So we know it's happening - it's not really "hidden" - so I'ts up to me if I want to use Facebook or GMail or whatever - knowing the connection could be snooped. If I don't like it - I can simply not use those services from work.
Why is this legal? (Score:4, Interesting)
As the operator of the webserver, I certainly don't consent, even if the employee had no choice..
Is there any way to detect this server-side?
It is VERY common (Score:3)
This is very common in the military and in defense contractors, and it happens elsewhere too. There is a reason for it. Many of these organizations are worried about malicious stuff going in and/or exfiltration of non-public data going out. Employer MITM makes it easy to examine every packet for these kinds of things (to counter them). In the US, at least, it's generally accepted that employer equipment is owned by the employer, and thus they expressly have the authority to examine what goes over their own network... and as a condition of employment or computer use you probably signed something agreeing to this. I'm not a fan of this approach, but it certainly happens.
Open source software that implements crypto protocols (e.g., SSL or SSH) will (correctly!) report that there's a MITM attack. So if you want to actually *use* the software in such settings, someone has to configure the software to trust the MITM. Some admins will do this automatically. If not, you may need to do it yourself. E.G., on Firefox, install the organization's certificate.
You configure Linux systems to work in these environments, but since the certs are often files in Windows aka DOS aka CP/M format, you need to convert the files as well as put the into somewhere useful. Here's one way to deal with it.
On Fedora, given a bunch of .crt files, you can do this:
dos2unix *.crt ; cat *.crt >> /etc/pki/tls/certs/ca-bundle.crt
On Ubuntu, you can do this given a bunch of .cer files:
dos2unix *.cer ; rename 's/.cer$/.crt/' *.cer ; ca=/usr/share/ca-certificates ; mkdir -p $ca/MYORG ; cp *.crt $ca/MYORG ; cd $ca ; ls MYORG/* >> /etc/ca-certificates.conf ;
update-ca-certificates
You could avoid appending to the file if you want to, but I'll leave that as an exercise for the reader.
Many hotels do this too (Score:3)
Many of the hotels I've stayed in iver the years, both major chains and smaller boutique hotels, and in several countries, have attested to MiM my secure mail server or http a sessions. Similarly I caught the Qantas lounge in Sydney trying this a few years ago. I never use hotel internets any more or airline lounges' wifi - it's just too creepy.
Re: (Score:3, Informative)
Re: (Score:2)
It's true that his sort of system needs to be set up carefully, and probably with the aid of both technical and legal advice if the administrator isn't an expert in this area.
Saying that, with a properly configured set of devices, it is possible to pass encrypted traffic through a security device that temporarily decrypts the data to scan it but never logs or discloses the full data set itself, so nothing sensitive is ever recorded or put in front of human eyes. There is also technology available that will
Re:HIPAA violations? (Score:5, Informative)
Also, it's worth noting that the kinds of devices that do this are often used for compliance with rules like HIPAA or PCI DSS. You can't demonstrate that you aren't allowing sensitive data out of a supposedly secured part of your network if you can't actually see what you're allowing out of it...
Re: (Score:2)
If they do decrypt personal traffic, would they be responsible for any medical data they intercept, thus triggering HIPAA?
Not if they tell you not to use the corporate network for personal business.
Re: (Score:2)
>
Don't expect privacy on a work PC.
The fact that people still do not get this amazes me!
pointless political attack (Score:2)
The message has been, if you want privacy, use your mobile device (and don't vote for Democrats and their spy programs).
Do you honestly think that a Republican government wouldn't do just as much spying?
Re:Very Common (Score:4, Funny)
Let me guess. Your corporation has an 'exception' to the professional conduct guidelines when management computers are involved.
Re: (Score:3)
Of course you have rights. So does your employer. And using your employer's network gives your employer the right to see what is traveling over his network.