Ask Slashdot: What's Your Take On HTTPS Snooping?
First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"
Chances are they will whitelist any sites that may contain personally identifiable information such as banking sites etc. Most places do not want to get into privacy issues like this. Anything else is fair game. Personal e-mail might be a different story, but then again, in some verticals like financials, you should not be accessing personal e-mail anyway, per policy of most financial houses. Personal e-mail and the like are avenues for information to easily leave the firm.
Simple as that.
Considering that I actually do this (Internet filtering) for a living for a medium-sized company let me tell you why we do it.
Data leakage.
We're concerned about an employee either accidentally or maliciously transferring customer data or other sensitive data to an unauthorized party.
We're also acutely aware of the liabilities and sensitivities imposed by us breaking the SSL channel, inspecting the payload, and then re-encrypting it on our employees' behalf, which is why we go out of the way NOT to break the chain for sites that are healthcare or financial related.
But your Gmail is fair game.
In Dutch we have a saying roughly translated to: He who distrusts others is probably untrustworthy.
Are you stupid or a really bad troll?
Their network, their rules. You have no right to expect privacy for work or non-work related activities on their systems.
Don't do your personal stuff through your work network might be a good place to start.
If you don't want them to see what you're doing, don't do it on their box.
Do it at home, on your own equipment like the rest of us.
The fact that you're using IE and aren't allowed to change the certificate store tells me that you don't have admin privileges. If that's the case, then your company can already log your every keystroke, so I don't see how HTTPS packet inspection is any more intrusive.
I just avoid doing banking or sensitive transactions on computers that aren't administered by myself or someone that I trust.
They own the network.
They have told you there is no privacy on it, so you have no reasonable expectation for such privacy.
It's their network, provided so you may perform their job function, not do personal stuff on the company dime.
Get over it or find an employer willing to let you do personal stuff on their dime and network.
Did I mention it's their network and they are entitled to monitor what you do with their property?
would have been helpful to include integration and pricing info as well, but i was able to locate that without too much trouble. thanks!
Their computers, their network, their rules.
I assume that they have disclosed the fact that your SSL traffic is being intercepted and stored so that you do not hand over your personal data (including financial and medical) to your employer without your knowledge.
With that said, what is motivating this company to be so paranoid? How much data are they storing and how are they analyzing it? Are there any obvious flaws (i.e. alternative port number)? What about ssh traffic?
If they don't trust you, you shouldn't trust them. If they're trying to snoop on you for whatever reason, they think you're a criminal. Would you work for the RIAA? Would you work for a boss who every time you come in he says "you're a criminal" and then proceeds to look over your shoulder all day? No and you shouldn't accept such behavior from employers.
There are various reasons why you should not be using your employers computers for personal use. One is that you are using company resources for non-business purposes. And that is something that you don't do unless you have your boss' blessing.
I think that this may well be illegal, because even if you consent, the server at the other side of the connection hasn't consented. That means that at least one party to the communication is having their encrypted data intercepted and decrypted by a third party without their knowledge or consent. Wiretap laws apply to both communicating parties. Not aware of any case law; someone needs to actually sue Cisco, Bluecoat or one of the other SSL intercepting proxy makers to establish legality.
Just do your banking over your phone's carrier network. Your employer can't go there (can they?)
You can't be secure unless you control your egress. If you just let https streams go anywhere with no visibility into their content you might as well just set the firewall to allow all out bound connections. If there is ANY concern about information as an asset, you must intercept and decrypt https.
Your company more than likely has a policy that any use of their equipment is supposed to be for job related purposes. I don't think regular employees should have any expectation you are not watching everything they do on the PC provided by the company.
Usually the certificates are pushed through group policy; anyone else who shows up with their own device or other companies' property will get a certificate warning, and if they look at the certificate it's going to show it was signed by your company. They can make an informed decision about what they want to do knowing they are being watched. So I don't see a problem there.
One thing that gets overlooked with SSL intercept is YOU become responsible for the forward authentication and encryption between your proxy and the site, since the client now has no opportunity to verify the certificate itself. So you HAD BETTER BE DOING revocation checks and making sure the proxy has a sane list of trusted roots, and serve clients some kinda error page if you can't trust the certificate.
Don't quit your job. Deal with the fact that with all the spyware and things like Flame going on, this is what business must do to protect themselves. Do your banking/medical correspondence/etc. at home.
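As an added example (not code from the thread or from any vendor mentioned in it), the shell script below reproduces offline, with the openssl CLI, the two points made above: a leaf certificate the proxy mints under a corporate root is rejected by an ordinary trust store and accepted only once that root has been pushed in, and the leaf's issuer field names the company. The root names, the hostname and the file paths are constructed; revocation checking, which the post also calls for, is not covered.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce, offline, what a client
# sees behind an intercepting HTTPS proxy and the chain check the proxy itself
# owes its clients upstream. Assumes the openssl CLI is installed; every name,
# hostname and file below is constructed for the demo.
set -e
WORK=${WORK:-$(mktemp -d)}

# Build a self-signed root. Used twice: once for the private "corporate root"
# (the proxy's CA) and once for a throwaway "public root" standing in for a
# browser's normal, unmodified trust store.
make_root() {  # $1 = file basename, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Mint the leaf an intercepting proxy presents for a visited host: it carries
# the host's name but is signed by the corporate root, not by the site's CA.
make_intercepted_leaf() {  # $1 = hostname the client asked for
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/corp-root.pem" -CAkey "$WORK/corp-root.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# The chain check a browser performs (and that the proxy must perform on its own
# upstream connection): succeeds only if the leaf chains to a trusted root.
verify_against() {  # $1 = CA file acting as the trust store
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Who signed the leaf: this is what "look at the certificate" reveals to a user.
issuer_of_leaf() {
  openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

build_demo() {
  make_root corp-root "Example Corp Intercepting Root"
  make_root public-root "Some Public Root CA"
  make_intercepted_leaf www.bank.example
}

build_demo
echo "Issuer the client sees: $(issuer_of_leaf)"
if verify_against "$WORK/public-root.pem"; then
  echo "Unmodified trust store: chain accepted (not expected)"
else
  echo "Unmodified trust store: chain REJECTED, browser would warn"
fi
if verify_against "$WORK/corp-root.pem"; then
  echo "Store with the corporate root pushed in: chain accepted, no warning"
fi
```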
I agree with this sentiment 100%, but I also feel strongly that it's the employer's duty to tell their employees that it is company policy to do this. It may be within their legal rights to do this without informing their employees (IANAL), but I would not want to work for an employer who does that. That doesn't jibe with my personal ethics.
You have zero expectation of privacy at work. Do you think it's fair to sit on Facebook all day while at work or even pay your bills?
Mostly I hear questions like this at work from people who are just getting their first job and who seem to think they have this sense of entitlement with regards to everything. Face it, the job market sucks right now and for anyone just entering it, you're at the mercy of employers who have the luxury right now of many more qualified applicants than open positions. If you're using their computer and their network, you play by their rules. You are a wage slave just like all the other people in your building.
With regards to whether you should quit your job, only you can answer that. I can tell you there are plenty of good places to work that don't do anything like that, but only you can answer whether or not it's worth working at one of them.
Are you using their equipment, their network, their bandwidth, their physical space?
Even if the computer is yours, it's still their network, bandwidth, and physical space. This means they are bending over backwards to even let you go to personal websites like your bank.
Are you also okay with the company listening to every phone call you make? How about reading every piece of mail you send? Or perhaps eavesdropping on your conversations? What if they come up with a way to read brainwaves? That acceptable, too?
When using a computer not owned by you (you might go so far as not used solely by you), you have to assume everything you do on it is being monitored, either by design (snooping/logging) or accidentally (because someone using it ended up getting a keylogger). This should be standard security procedure: if it is not your computer, you have no idea where what you type into it is going.
So here's the unpopular answer. It's their network. As an employee you have no inherent right to having unfiltered Internet access. If you don't like it, use your smartphone, bring a personal laptop and a 3G card, etc. Lots of alternatives if you don't want to be snooped. Unfortunately they all cost you money or inconvenience you in some way, but hey, it would cost the company money as well to provide what is in theory extra bandwidth for you to do your personal stuff.
Here's the real kicker. The company is the one that is at risk by not monitoring. You surf child porn, it gets traced back to them. You download illegal software, it gets traced back to them. You steal company secrets and they have to explain to shareholders how they provided the means for data to be stolen but didn't bother to put any monitoring in place to prevent it from happening.
What you seem to want is the equivalent to a door in the back of the building with no locks and no video surveillance.
Why would anyone be entitled to privacy using someone else's equipment or Internet connection? On the other hand, IronPort allows you to exclude banking as a category for the proxy service, which in my opinion should not be proxied, to reduce a company's liability in the event of a security breach.
If you would be missed, I would say threaten to quit (and be prepared to actually do so). I wouldn't put up with it as a matter of principle. I would begin by making it known that it isn't acceptable, and that if they don't trust me then they don't need me.
Or use a VPN.
Or just do personal stuff on your smartphone/tablet using 3g.
Lots of companies have been issued certificates that allow them to issue other certificates and have been signed by a CA that is in the existing root trust lists of most browsers. For example, my employer got a CA certificate from identrust.com which allows them to issue certs, and it is already signed by a cert that is in the CA trust list in the browser. So even if a guest brings in their own notebook computer and browses to their own corporate website, in theory the company they were visiting could look at all the traffic and they would not be aware that happened. The same thing can happen when using HTTPS from someone else's WiFi network. As Eric Rescorla, one of the TLS Working Group Co-Chairs, has been saying: certificates are too easy for the bad guys to get and too hard for the good guys to get.
Or remote into a home machine
That's one of the reasons why I connect home and tunnel everything unrelated to work through my SSH connection: Skype, Google Talk, M$ Messenger, private emails that I read in Thunderbird, and just about every web page I visit that's not on the intranet.
Pattern-based proxy selection works great thanks to FoxyProxy, and I have the "External IP" addon display my external IP address in the status bar in Firefox. I always verify it's my home IP address when slacking off ;-)
When you're at work, doing work, I imagine you're not supposed to be using the company network for your own personal day-to-day stuff. Get a netbook or a tablet or a phone with 3G and do your own work on your own hardware on your own network that you paid for.
Then let your employer snoop on and look at whatever data is running around their network. They're entitled to, to make sure you aren't doing anything illegal, passing on company secrets or information, etc.
I ran a big piece of the IT shop for one of the largest companies in the world. We looked at everything, all the time, everywhere. And that was a while ago...
I seem to recall a few years ago a number of headlines here in the UK about employers snooping on their employees' computer use at work, and after a bit of political shouting, new rules (or at least guidelines) were introduced which boil down to "You can restrict the use of company computers however you like, but you must have a clear and readily available set of rules, and if you are going to monitor computer activity then you have to make this clear as well." I have to say that this seems to me to be fair and pragmatic.
I work somewhere where security is very important and as a result we have quite limited web access from our desks. HTTPS often doesn't work at all and when it does the proxy trick mentioned is used. This is not actually spelled out in any of the rules, but OTOH, every time you log in a big box comes up which basically says "All activity on this computer may be monitored" which I guess covers it.
The bottom line, as others have mentioned, is that you should never enter anything personal, particularly not passwords, into a computer you don't completely trust, and this usually means having root access to ensure that it is secure.
Use your phone as a local wifi hotspot.
This would require me to subscribe to a plan with tethering, which is still luxury-priced in the United States market.
My company does this. It's assumed by our IT department that 'fixing' Internet Explorer (plus some lame wiki instructions for Firefox users to install the bogus CA cert) is enough. Now try using Subversion, or cURL, or Yum, or Java+Maven. None of it works without trial and error configuration.
So when you work for a big company, they talk a big game about being part of the team and so forth -- then turn around and treat you like a prisoner. Sure, they are within their rights, but I find it interesting that people like you are willing to defend them.
Pedantic much? Let me rephrase: Even if you consent, the operator of the server at the other side of the connection hasn't consented.
Get a netbook or a tablet or a phone with 3g
For one thing, given the price of mobile broadband in the United States market, that's like taking a 50 cent per hour pay cut. For another, it won't help someone who comes into work to do large downloads because he can't get cable or DSL at home and is trying to work around a single digit GB/mo cap on satellite. 3G has the same single digit GB per month cap.
Rooting a Wi-Fi-only Android device won't help. I'd have to buy a MiFi hotspot and subscribe to MiFi service, which is still just as luxury-priced in the United States market as a phone plan with tethering.
This practice is wrong and the numpties advocating the practice are idiots who don't actually understand the problem space. I have worked in the IT security space for over 15 years doing risk assessments, designing gateways and demonstrating remote compromises. The two threats that these controls are meant to treat are information egress and inbound malware. Unfortunately it is woefully ineffective for both. Essentially an evil administrator can harvest the financial credentials of internal staff, and any corporation sponsoring this practice is liable. I'm not saying that this threat is not real; however, there are fundamentally better mechanisms for treating this problem. In one organisation which was sensitive to remote compromise we used browsers hosted in a DMZ and used X Window to provide the browser on a user's desktop. The two threats mentioned above are gone and we didn't need to compromise the privacy of end users. By the way, I have been involved in demonstrating remote compromises of organisations which implement gateway SSL termination, and in reality it's an ineffective control.
It's their network, they can make any rule they want. It's also a company, so you get to abide by their rules, or leave.
Should you leave? A better question is should you be doing something at work that you wouldn't want your boss to see in the first place.
While using company resources there is no expectation of privacy. Want privacy? Do it at home off-hours.
Who, in this day and age, has had a boss who would care about this? Hell, at some jobs, the boss will just let you cut out early for a doctor's or dentist's appointment without taking PTO. That's the ultimate personal business at work.
For one thing, given the price of mobile broadband in the United States market, that's like taking a 50 cent per hour pay cut.
I pay $30/month for my unlimited-but-throttled-down-at-5Gb. That's more than I pay for my home connection.
For another, it won't help someone who comes into work to do large downloads because he can't get cable or DSL at home and is trying to work around a single digit GB/mo cap on satellite. 3G has the same single digit GB per month cap.
It's not supposed to help doing that, since that's a clear example of abusing company resources for personal gains. People have been fired over doing that kind of thing, and I can't feel sorry for them.
We do this where I work for caching and for our DLP (Data Loss Prevention) setup. Sure, we catch your banking details, etc., but they're wiped every 7 days unless the incident hits against one of our security policies. Through DLP I've seen highly confidential docs sent off to personal GMail accounts, Dropbox, you name it, and that's unacceptable. Most users don't know or care, but I care where COMPANY data is going. Your personal stuff is of no interest to me, my life is interesting enough as is :)
Of course when I'm banking it's on a personal device, through the guest wifi, on a personal SSL VPN that can't be MiTM'ed....
(Divisional CISO for a 50,000+ Corporation)
OK, sounds fun. So you've cracked the https to get the content. This raises a much more difficult question: short of having all emails screened by the employee's supervisor, how do you tell which data is sensitive, and being sent to an unauthorized party?
I've worked in classified environments. I've done research on detecting data leakage using anomaly detection, and my impression of the field is that it's seriously hard, and that you'll be hard-pressed to identify unauthorized content. At best, you might identify unusual employee behavior, which could be used to tip an internal team for an information audit.
Since that's so hard, the best thing to do is to segregate sensitive information in some way; air-gapped networks are one way. Another way is to use protected networks (logically isolated?), which allows you at least the a priori assumption that any documents leaving contain sensitive information, which allows you to improve your needle/hay ratio. Otherwise, you're looking at rather a difficult problem. Also, there's no notion that employees should be doing their banking on such systems, so it sort of puts a wet blanket on the moral discussion of this story.
So, I'm interested: outside of heavily isolated networks (that employees aren't using for banking), once you've gotten down to the content, what the hell do you do *then*?
I work for a college where a local K-12 district contacted us because our web registration setup didn't play nice with their SSL MIM. I think they were using IronPort from Cisco for their MIM too.
I told my management that I didn't see any reason why we should work with them to facilitate this man-in-the-middle attack. I was told never to call it that again, and they got someone without a conscience to try to help the K-12 district snoop on its students.
I think this MIM crap is B.S. It does not appear to be illegal, however. I could see scenarios where the employer could be sued. My bank account was hacked; how can you be sure an employee didn't leverage the MIM infrastructure to MIM my online banking account? Or my social networking account with personal details that are illegal for an employer to ask about was compromised, and the employer was stupid enough to MIM the social networking site. Seems a pretty large liability time-bomb waiting to go off to me.
I refused to snoop employee email at another employer and also at my current employer. I have a reputation of being the one person that could be trusted with information because I am so paranoid about accidentally or intentionally seeing information others may consider private. Yes, I thought I would get fired the first time I refused to play ball with snooping on others, but it really hasn't hurt me at any of my employers, and I can still look at myself in the mirror.
You know what you need to do.
With all due respect, data leakage is a piss-poor excuse to spy on people without their knowledge. These devices and policies work not just to snoop on SSL traffic, but to hide that fact from people browsing SSL-protected sites. I'm sorry, but that's pretty damn scummy and something that is on the level of criminal behavior.
Personally, I think that transparent SSL interception should be illegal. The transparent aspect of it means that you're not just interested in data leakage, but in surreptitiously snooping on people who realistically expect that their activities aren't being monitored. It's the technological equivalent of installing hidden cameras in the employee restrooms. (Which, incidentally, is illegal.)
Go ahead and monitor. Block if you have to. But be up front about what is going on.
I ran into this with a customer of one of my clients recently. The insurance company was using a setup from Websense to snoop on all HTTPS traffic. As best as I could tell, they were snooping ALL traffic (banking, healthcare included), not just "safe" sites.
Surely this breaks privacy laws in numerous instances. HIPAA? Banking laws? Shoot, there's a federal law that could make snooping in on your Netflix traffic (video rentals) illegal. Ironically, if SOPA/PIPA had passed, HTTPS snooping would have been legal.
As for the moral aspect of this, and all the people that say "you shouldn't do personal stuff at work," a few points to keep in mind. 1) Only the IT staff at this company knew what was going on. No one outside the IT department could find any reference or notification. 2) This was REQUIRED on all home PCs that utilized their VPN network (kinda shoots down doing your home stuff at home). 3) From what I was told by their IT staff (remember I was a 3rd party, trying to get our network connections to work), the IT staff regularly "audited" HTTPS traffic. That means someone in-house was regularly looking at bank account information and health care information of their fellow employees, and they weren't making this known to the general population within the company.
I tried to get some main stream press attention on this topic a while back. No one would bite.
Quit if you want, but the computers and the network are theirs. Would you rather they simply forbade all personal use?
You want privacy, do it on your own time, on your own dime.
Really? You think they are decrypting your traffic and stockpiling data on users? You can have a hundred trusted signing authorities; it doesn't mean they can decrypt your data. Read about public key encryption: it's point-to-point; they would need the other endpoint's private key (combined with your public key) to decrypt. Even IF the other end used the same CA, their key is...um...private. Chill brother/sister!
Fuck that. If I can't check forums / listen to Pandora / whatever else I feel like doing that isn't giving away company data in my free time / as I'm working, the company is a piece of shit and I would quit on the spot. That is no different than them trying to tell me what I can / can't eat on my lunch break ( or at home ), not gonna happen.
I hate to break it to you, but employers are under tremendous pressure to limit liability for sexual harassment and hostile work environment lawsuits. Worse, other torts can still open you to liability, as a slick lawyer can argue that the fact the employer didn't monitor all IP traffic must mean they are negligent! Hmm, your honor, what are they hiding?
It sucks, but ass covering makes HR and the legal departments happy. If you do not like this then start your own company or work for a small business. Besides, as others have pointed out, it is the price to pay in order to get a paycheck. Your employer wants you to work; even if studies show a 10 minute break 3x a day helps productivity, they really do not care and want a machine.
Just suck it up or browse on your phone. Everyone but the tiniest shops all do this.
There's quite a big difference between "covers most of the exits" and "completely worthless".
First off, physical security is entirely beyond the scope of the OP's problem. If you want to secure your digital assets, you are going to require both an electronic and a physical policy because data can take either shape when leaving the building. The limitations of one side really have no bearing on the other side, and if one side is your job and the other is not, don't look at how the other team is doing to determine how much effort you put into your end of the task. The goalie doesn't just not bother if his strikers aren't doing well that day. You do your job, and let them do theirs.
Second, giving up on any security just because there's a weakness somewhere isn't the answer. If you're going to consider extreme scenarios and then throw up your hands and say "see, we're not prepared for that, let's just give up!" that is entirely the wrong attitude. You're not likely to stop a CIA mole among your staff regardless of what you do, and that's not a sensible justification for completely giving up on security.
DLP is like antivirus. Only a PHB will expect 100% protection; there's going to be that 0.001% lurking around no matter how crazy you get. So you just have to decide how many 9's you need, and strike the right balance between usability and security.
And to the numerous people above complaining about accessing financial and medical records at work... what makes you think your employer is required to provide you with private access via their network while you are at work? Do this at home, duh. Same for the phone: if you're at work and pick up the company phone to talk with your doctor about your STD, do you really expect privacy on that phone call? The internet connection there is the same way. About the only privacy you're entitled to at work is in the bathroom. It's really embarrassing that anyone makes assumptions here. Those employers are simply doing some CYA by notifying the employees of the policy (probably got your signature too) and by forcing you to use their root CA for https at work, so you have zero grounds to tell a judge later that you had any expectation of privacy.
End of story. As Notorious B.I.G. said:
Keep your family and business completely separated
Money and blood don't mix like two dicks and no bitch
Find yourself in serious shit
Is it reasonable on their part? No.
Would I quit my job over it? No. Unless I was already in the process of gaining employment elsewhere this is a pretty weak reason to quit a job.
Would I do online banking (or other such things that require an HTTPS connection) at work? No.
Legality? Well it is their network. They can do what they want on it. You don't have to do your banking across their network.
I work in a secure environment so this type of tech is nothing new. I actually manage a system which does the "SSL INSPECTION" which is exactly as described in the initial post. However, we don't actually search for anything in the packets; it's really so that we can log what goes in and out in the event of a breakout. We are actively trying to stop wikileaks style mass document escapes. We are primarily interested in people sending files/data/posts rather than what they are browsing. All the files that are posted get archived against the user's name. All encrypted files are blocked. It is a good thing in our environment. If you want privacy on the net, go home and browse or use your mobile phone on its cell network.
Since a lot of people work salary in the IT world, the lines tend to be blurred between company time. However, the lines aren't blurred between company assets and personal assets. If you are using your company's hardware or your company's internet connection, then you have to play by their rules. We're not talking about a security cam in the toilet stall; you have a choice to use their assets for personal use or not.
I certainly care. I had to discipline employees before because the owners did not like them going on YouTube even if business was slow. Just following orders, and if there is shit to do then you need to work. I am not paying you to goof off. A dentist appointment or something is different. Life happens, but people goof off too much in the office as well.
This is the kind of situation that MashSSL (http://www.safemashups.com/) is designed for. It is a new protocol standard that protects you against this sort of man-in-the-middle proxying vulnerability.
I'm really enjoying watching the justification of using company resources without limitations because they're cheaper than paying for it yourself.
No wonder so many people get fired. Entitlement and no ability to recognize what is and isn't theirs.
Where do you draw the line? Would you pull a hose or electrical wire from the building to your house because it'd be a lot more expensive to have the electric or water company come out and turn on the service?
Today I ReLearned an old lesson: Never trust any computer you did not set up yourself.
But good grief. You can't even trust your own employer. Seriously? :-/
>I pay $30/month for my unlimited-but-throttled-down-at-5Gb.
And the provider of this is?
Some interesting questions to ask your company's C-level executives: Does your company mind if every other company does the same and sniffs your own customers' passwords and whatever other info they can glean from SSH connections to your systems? Are they comfortable with the risks associated with this? Are they concerned that customers would no longer be able to trust secure connections to your website? Are they willing to disclose their covert SSH-sniffing policies in an SEC filing or NY Times story? :-)
You don't own the system you are on, the company does. Their property, their rules. You should not be doing personal business at work. I hate to tell you, but they pay you to do your job not personal business.
If you are in Europe the interception of personal communications is illegal. It is one of the most basic rights enshrined in the European Convention on Human Rights.
ISPs own carrier equipment too, just like your employer does. Should they be entitled to snoop your home banking session?
You get paid, do you not?
Use your personal phone or tether it to a personal notebook.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
We allow exactly two protocols out from our desktop and server fleet:
* HTTP
* HTTPS
As much as I hate the buzzword, my employer has had serious "APT" problems. Most of the trojan comms used to get out via HTTP, and now much of it uses HTTPS. If we don't inspect HTTPS, how are we supposed to detect our IP getting stolen and hauled out the door? And given how many sites use SSL by default, how are we supposed to detect and block exploit delivery over SSL from Blackhole et al?
When you got accounts on your employer's systems, chances are you signed a user agreement that included the condition that your employer can inspect everything that goes on using their systems. You have nothing to complain about. If you want to do something that you'd prefer your employer not see, do it on your own machine, using your own connection on your own time.
It's not your network. You have neither a right to nor an expectation of privacy.
Here's an idea: stop using your work computer for personal business. No, seriously, stop; use your own computer for such things. Problem solved.
T-Mobile, "Walmart plan". The prepaid card to activate it can be purchased off Amazon.
I'm glad a few people have some common sense. It is just insane hearing all this whining about not being able to use the company's resources without being monitored. Seriously, it drives me crazy. You aren't paying for the bandwidth. The increased bandwidth usage and reduced speed isn't costing you money. You aren't losing money when you get pwned by visiting some shady site, again costing the company money in incident response, and possible exfiltration. It is just ludicrous to think you have any entitlement to use any company resources for personal use. Most companies allow this, but it should never be expected. The resources are purchased for conducting business, not serving your personal needs.
BTW, don't plan on using the Opera Mini browser for the iPhone if this bothers you. All YOUR traffic is proxied through Opera's proxy servers; SSL connections are terminated there, leaving all your data open to Opera. Now this is something that is worth an uproar.
Produce some copyrightable material (or commission some, if your company is the sort that claims everything you make)
Host it on HTTPS.
Access it from work.
... now they've circumvented your over-the-wire copy protection scheme.
I always find the "sense of entitlement" posts on these threads interesting, because they are both spot on and misplaced at the same time.
If you work an hourly wage job you are being paid for the time you work. You don't get paid for time you're not working. It's entirely reasonable for your employer to say "no personal calls" or "no gmail" while they are paying you to work.
If you work a salaried job, the theory is that the employer is paying you to do a job. "Ship version 1.0 to the customer by next Thursday." If you get that done in 20 hours, great. If you get it done in 60 hours, great. If going to meet with the customer gets the job done, do it. If working in your office gets the job done, do it. One of the tests of whether a job is salaried or not is whether the employee has a significant amount of self-direction. For a properly salaried employee, if paying your cable bill online means you can sit at your desk and bang out the customer task, or you can knock off early to go to the office and pay it and miss the deadline, and it's reasonable for your employer to provide that resource, then it is OK. Salaried executives get to call home from the corporate jet and move around their personal life so they can meet with a client, and no one dings them for the long-distance phone call to their wife.
The problem, in the US, is that many people are misclassified. Most programmers are salaried, but should probably be hourly. If you're told where to be, when to be there, what to do, and how to do it, you're not a salaried professional, you're an hourly professional. Companies prefer to pay salaries because they don't have to pay overtime. If your job takes 50 hours this week, there's no hit to the budget for the extra 10.
This also means we don't have enough information to answer the OP's question. Is the OP an hourly, entry-level person at a call center? If so, his employer is telling him exactly how to do his job, and any personal stuff is off limits 100% of the time. If the OP is a Vice President who is given tasks and deadlines and told to take care of them in the best way possible in their professional opinion, and in their professional opinion paying a bill online, reading some personal e-mail, or keeping up with tech trends by reading Slashdot helps get the task done faster/cheaper/better, they are generally given that latitude.
Easy solution which might come as a surprise to you: Don't do personal shit at work. It is the best way to make certain that they don't see any of your personal information, passwords, etc. If you feel the need to check your bank statements at work, use your smartphone. Work is for work.
In my organisation (in Australia) we are allowed to use the Internet for "reasonable personal use" so long as we don't get carried away and still get our work done. The reason they allow us this is twofold:
(1) Your personal life doesn't just stop the moment you sit down at work. You might need to check up on some details about an account, pay a bill, find out an address, whatever. You can do these at home, but then this leads to the next reason:
(2) People are going to use the Internet for personal use ANYWAY. Might as well accept this and employ some reasonable access requirements and processes rather than throw the hammer down and block it all, which will only end up with people finding more creative ways to bypass your locks.
Seriously, it doesn't have to be black and white. No wonder you guys have such a reputation as having such bad work conditions over there.
Most people on Slashdot are fucking idiots.
Bring your own device and internet connection such as a mobile hotspot; don't hook anything up to our networks or computers, don't take any pictures, and do your work. Nobody here cares what you do otherwise as long as you're not watching porn.
You're right, you'd have no case against the people providing the equipment, but you would probably have one against those operating it (likely in their personal capacity too given that it's criminal law). In the UK this would definitely be illegal under the Regulation of Investigatory Powers Act, which whilst it grants broad exceptions for regulatory, diagnostic and business reasons does not allow you to monitor all traffic indiscriminately (and definitely not if you have reason to believe it is personal). In the US it would probably depend on each state and how their law was written (aka whether it was just conversations protected or electronic communications in general). Unfortunately if you did get IP traffic from a two party state you might be committing an offence in that state, even if you aren't committing one in your own. Technically if you angered the wrong company in the UK at least, a prosecutor could extradite you under the UK-US extradition treaty with just a probable cause standard of evidence needed.
First off, physical security is entirely beyond the scope of the OP's problem. If you want to secure your digital assets, you are going to require both an electronic and a physical policy because data can take either shape when leaving the building. The limitations of one side really have no bearing on the other side, and if one side is your job and the other is not, don't look at how the other team is doing to determine how much effort you put into your end of the task. The goalie doesn't just not bother if his strikers aren't doing well that day. You do your job, and let them do theirs.
Bad analogy. You can win with a good goalie and poor strikers or a poor goalie and good strikers, they add up. With security you're as good as the weakest link. To use a house analogy, if you're guarding the door and they're guarding the window are you really going for that blast-proof two inch steel door with three-factor authentication when the window is single layer glass with a simple hatch and no alarm?
Live today, because you never know what tomorrow brings
I'm starting to want to do this at work, and need to look into whether I can do it with Squid.
Why? Drive-by downloads, fake antivirus scams, and other malware delivered via the web. I already transparently proxy HTTP, blocking all executable downloads. I suspect it makes a big difference. If nothing else, the proxy was down for a week at one point and *two* machines got infected by malware during that week. Co-incidence? Possibly, but I'm not betting on it, especially since examination showed that both were drive-by attacks the proxy would've prevented.
The user base is pretty computer illiterate ("why yes, please do clean that nasty virus off my system. You need admin rights to do so? Of course, no problem.") and somewhat resistant to education/training, so technical protection measures are needed.
I'm concerned that drive-by attacks, fake antivirus scams, etc. will soon use HTTPS in an attempt to bypass filtering proxies and transparent proxying - if they don't already. I can knock these out fairly effectively if I can examine data being downloaded for things like PE headers, but I can't do that with HTTPS. I can still do URL-based filtering for "file extensions", which works surprisingly well and only requires the very occasional site to be whitelisted for using "blah.dll?query-string" or "myapp.exe?dosomething" URLs. Nothing forces the attacker to put a Windows file extension in the URL, though, and I can't discover the MIME type or the type of data being downloaded without inspecting the stream.
The challenge is to do this without any risk of compromising netbanking data, etc. If our proxy gets cracked... ow.
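As an added example (not code from the post above, nor from Squid or any product), here are the two layers the post describes side by side in Python: the URL-extension filter, which still works when the proxy only sees the HTTPS URL, and the PE-header check, which needs the payload and so fails exactly where the post says it does. The extension list and the sample PE header are constructed for illustration.

```python
import struct
from typing import Optional
from urllib.parse import urlparse

# Extensions the URL filter treats as Windows executables (constructed list).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".msi"}


def url_looks_executable(url: str) -> bool:
    """URL-based filter: inspect only the path's extension, ignoring the query
    string, so 'blah.dll?query-string' is caught. An attacker who simply omits
    the extension is not."""
    path = urlparse(url).path.lower()
    name = path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in EXECUTABLE_EXTENSIONS


def is_pe_executable(data: bytes) -> bool:
    """Content-based check: a PE file starts with the 'MZ' DOS header, stores
    the offset of the PE header at 0x3C (e_lfanew) and has 'PE\\0\\0' there.
    Bounds checks keep truncated or hostile inputs from raising."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify_download(url: str, body: Optional[bytes]) -> str:
    """Run both layers. body is None when the proxy cannot see the payload,
    which is the HTTPS-without-interception case the post is worried about."""
    if url_looks_executable(url):
        return "block:url-extension"
    if body is None:
        return "unknown:body-not-inspectable"
    if is_pe_executable(body):
        return "block:pe-header"
    return "allow"


def build_minimal_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed sample carrying only the two PE magic values; it is test
    data for the checks above, not a real or runnable binary."""
    header = bytearray(e_lfanew + 4)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    header[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(header)


if __name__ == "__main__":
    sample = build_minimal_pe()
    cases = [
        ("http://example.test/blah.dll?query-string", b"irrelevant"),
        ("http://example.test/update", sample),          # no extension in URL
        ("https://example.test/update", None),           # payload not visible
        ("http://example.test/page.html", b"<html></html>"),
    ]
    for url, body in cases:
        print(f"{url:45s} -> {classify_download(url, body)}")
```

The second and third cases are the same download; only the visibility of the body changes the verdict, which is the gap the post wants HTTPS inspection to close.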
We do something similar where I work. While it's theoretically possible to abuse this and snoop on personal https traffic, it's not worth the time. You are not interesting, your facebook posts are not worth an admin's time. Your personal banking information is not worth the effort to extract. Every potentially useful bit of private information that could harm you being protected by https was already given freely to the company anyway - SSN, Bank account for direct deposit, address, contact info, mother's maiden name, etc. You should be *vastly* more worried about the DBA's than the network admins. And again, you're not important enough for them to mess with it either.
Now, you should still use https at home because maybe some bigger criminal enterprises could make use of unprotected CC numbers or something (assuming they haven't already pwned your box) - but as far as your employer is concerned, there is nothing to fear from an https transparent proxy.
I totally agree because I'm embroiled in the middle of the same situation. There are still some old skool people in my workplace who haven't progressed technologically over time (and still mourn for the Windows 98 days. Yeech.) ... these are the people that cannot accept the fact that the computer on their desk is NOT theirs, that the company owns all of the data that they create. They think that nobody in the company should have access to their PC. And they don't see the harm in loading up their own software. C'mon, get real.
I think you're wrong on this. Are you saying that this company doesn't have an employee handbook or employee/vendor acknowledgement of monitoring? I've seen dozens of companies over the last decade. Every single contract/vendor/NDA agreement and every Windows login screen pops up with a reminder of consenting to monitoring if systems are accessed. At least companies in the US that have a salt of a legal department.
First keep your work and your personal shit separate.
Second, since they insist on having the ability to https, in reality they probably aren't the kind of people you want to be working for in the first place. So I would recommend leaving, because it reflects the nature of their character, as opposed to that being a specific behavior.
There may be specific instances where this may be acceptable; so this is only a general rule to go by.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
Admins of an ironport proxy cannot view the decrypted data of users it is proxying. The traffic is decrypted on one interface, inspected, virus scanned, checked against policy then re-encrypted on the other interface. At no time is unencrypted data made available in such a way that an admin can see it. Without rooting the appliance and attaching a memory debugger you cannot peer into the private data.
It is possible to do MiTM in such a way to be able to view and store the unencrypted data (with squid for example), but security devices like Ironport, blue coat, palo alto, websense, etc. are specifically designed to prevent such access. They are security devices designed primarily to prevent malicious activity.
I don't see the problem; if you are at work, accessing the internet on a business-owned computer and/or connected to a business network, shouldn't you be working on the BUSINESS'S work, and not your own shopping or banking?
No, transparency simply means not needing the browser to be configured to use the proxy server.
SSL certs are completely orthogonal, though since a transparent proxy is a textbook example of a "man in the middle" you need to do something like you described to avoid cert errors on every connection (and of course make life much easier for a malicious man in the middle further down the line).
jez9999 -- you're just going to have to get used to this. If this was a company-owned device, then probably IT and InfoSec staff had root access to it so you were already "owned" before you opened your web browser ;)
And if it was your own device, then I would add that it was the company's network. Companies have a moral and legal responsibility to ensure that their networks and data are secure. I don't want my bank, hospital, or government unintentionally or intentionally leaking my confidential information over HTTPS.
ebay: M5ozLAmexg1q
paypal: rG09UCQ8Hjgf
facebook: 9ANr3Psh5YZh
twitter: d1rbOtdfNR3g
msn: KI0hHSNEgqVa
Now do you trust me?
I work at a large website and we had a few customers suddenly call to complain that they were seeing other people's accounts when logged in to our site. Turns out their company was doing https proxying (bluecoat) and they had messed up the cache settings, and the customers were seeing accounts of other people at the same company. Meanwhile they were threatening to sue us over our 'security issues.' Nice.
Thus, they can do what they like. It's not your stuff. Don't like it? Quit.
Corporate network... it doesn't belong to you. They can do whatever they want. Corporations do have to follow some laws... but you are using their network... people need to remember that. Even so.. even if you had your "own" network to go through, realize that the Internet as a whole is a trusted network. It really doesn't support true privacy.... though there are many ways to try to protect your traffic.
No you aren't overreacting. Fuck those motherfuckers.
Admins of an ironport proxy cannot view the decrypted data of users it is proxying. The traffic is received encrypted on one interface, decrypted in protected system memory, inspected, virus scanned, checked against policy then re-encrypted on the other interface. At no time is unencrypted data made available in such a way that an admin can see it. Without rooting the appliance and attaching a memory debugger you cannot peer into the private data.
It is possible to do MiTM in such a way to be able to view and store the unencrypted data (with squid for example), but security devices like Ironport, blue coat, palo alto, websense, etc. are specifically designed to prevent such access. They are security devices designed primarily to prevent malicious activity.
Only in USA/Elite-Euro-Zone-Members
They think of the Internet as something YOU MUST have while it is something that NOBODY ACTUALLY NEEDS AT WORK, because most of the workforce that needs computers does pretty basic data entry and sometimes data presenting (processing); just a couple of people actually NEED IT.
Normally almost anybody besides a management position requires Internet access... so you should be thankful that they at least let you use their pretty costly network speed so you can open your Facebook to update your profile saying "my job sucks"...
By A Fellow sysadmin, who blocks Internet access to all except THOSE WHO NEED AND THOSE WHO OWN the company.
I work for an organization that also recently installed Websense, with SSL decryption and such enabled.
As a result, I do all my surfing over logmein now.
Would you leave work to go to your bank during your work day? Stop bringing your personal life to your employer's place of business. What the hell is wrong with you? Do you accept personal courier packages at work too? Would you be upset if the building's security guard -- or mail desk -- checked what was inside if you did?
Just because it takes you fewer than 5 minutes, and you can do it "on a break" doesn't make it something that you should be doing at someone else's premises. Do you have dinner at a friend's house, and between courses just casually pay your bills from their computer? Do you format their hard drive afterwards just to make sure they weren't logging anything?
Just because your employer allows you to do some personal errands using his premises doesn't mean that he isn't controlling his own network however the hell he wants to. It doesn't matter why. It's his network, not yours.
You want your privacy, get your own private network. The word private is right in the name.
So sorry that other people's stuff isn't your private stuff. Buy your own.
There's just no way to say this without sounding snotty, and you have a quite valid concern, but how about conducting personal business on your own time and computer.
Of course, your employer has a right to check that you're not using their systems for illegal activities. They already do, quite likely, so the proxy is just an extension of an existing policy, even if you didn't know about it.
So, keep your job (until a better one comes along, of course), limit or just don't conduct personal business at work, and be happy. 'nuf said.
You should react to this the same way you should react to HTTP inspection.
If you'd leave a job over that...leave. If not--don't.
In all seriousness, I installed an appliance that did exactly this as the resident IT person at a small business. It also intercepted all content and put it through an hourly updated antivirus.
For $1500 of hardware, and a $400 annual subscription, I suddenly spent WAY less time doing bullshit antivirus support.
At a large enterprise, the savings would be even more radical. Believe it or not -- malware can and does come over legitimately signed SSL certificates, and in perimeter security --it's important to be able to decrypt this to vx scan it.
No...your client side AV probably isn't good enough.
If I worked at an enterprise, I'd do it to inspect anything you /uploaded/ anywhere to make sure it didn't have SSN's in it, accounts, proprietary whatever.
Now to be candid, I believe that people have a reasonable expectation of privacy--even at work, although the courts disagree. And in particular, in HTTPS it's... well... most people just think secure means private and immutable because they're fucking idiots, but that's the expectation.
So the company should be up front and tell you what's happening. But that's it.
Bottom line though, you really shouldn't be expecting that privacy on company computers. I have 30 minutes of break a day by law. I can use the computers or phone for appropriate personal use in that time. That doesn't mean I think it's private. I bring my own system in for that purpose. I've had one person hint it might be a problem, but... go figure I got support from management. They were worried their employees would see it and not be productive. Think they got told that maybe their employees would work harder if she wasn't such a bitch, and the conversation ended in a hurry.
The real question you should be asking is:
Has IT's appliance and IT accepted all risks for any corporate data that passes through your hands to any secure site legitimately?
They also have to keep in mind that that system and its keys are more valuable to a penetrator than any router password at the organization now. It's a target for *anyone* that can figure out it's there--and one whose mere catalogued existence is worth money to some markets.
But quitting your job... no. Don't assume anything you do on a company owned system is ever secure. Not because you have no privacy or deserve none, or the company is right... but because it's what the AV solutions actually /need/ to keep the average worker desktop safe, even with content and website filters.
If you are going to dick around at work, then you might as well pay for the bandwidth and completely avoid the snooping.
In the organization I work for, they rolled out Websense and didn't tell anyone, including the other IT staff. I only found out about it when Firefox started screaming that the certificate for my Xmarks was invalid. (Checking the certificate revealed that Websense was snooping on HTTPS.)
I confronted the Network Admin about the MITM and his response was: "it's _LIKE_ a MITM" - and completely ignored my concerns.
So in my opinion, if they want to do something, to hell with the consequences.
Why are you banking, shopping, or corresponding at work?
Because the employer doesn't want the alternative, which is for me to take the afternoon off, drive home, and do my banking or other things that can be done only during business hours. Whether it is on my time (using my vacation hours) or theirs is not the point, the point is that they lose productivity and don't meet the schedule.
That is why one of the perks (yes, entitlements) of a white-collar job has always been occasional personal calls (20th century) and occasional personal internet use (21st century).
i get paid to work, what do you get paid to do?
I am a salaried engineer. I get paid to get the job done, as long as it takes. And that door swings both ways. Sometimes I work overtime, sometimes undertime.
A while back my place of employment rolled this out and notified employees that they were upgrading the "web proxy". Nowhere in the notification did they ever indicate what this upgrade would do, that SSL was then being sniffed. Those of us using Firefox got to find out about it Monday when the browser started throwing up all the warnings about the SSL sites not being trusted. They pushed it to Internet Explorer via group policy and have whitelisted about a handful of websites. This man-in-the-middle attack also breaks connections requiring a client certificate.
Since then I don't access any of my email or other sites with personal accounts from my workstation. Instead, if I need to check up on something, or login to a site requiring SSL I have to take my cellphone, leave the building, and then pull it up. If I need to download something from a site that needs SSL (Oracle Support, etc), I end up leaving early for the day, going home, and then accessing those sites from my personal computer, downloading the files, and then emailing them back to my office workstation. Technically, logging into websites where your credentials get snooped in this manner may violate the TOS on sharing account information.
Overall, this and several other things my employer has done to the network have made my and my team members' jobs harder, if not impossible in some cases, to the point where people are on the verge of quitting.
I have never worked for a company which didn't clearly state in the employee handbook that company-owned technology assets are for work purposes only, may be monitored at any time with no notice, for any reason, or for no reason. It only makes sense for them to put that in there because it allows them to do whatever they want without worrying about you, and that's the way all contracts are written by default (to favor the party writing it). If you don't agree with this, then you should tell them and see if they will change the policy (most will not, you are not that important to them).
There are many excellent reasons for companies to proxy https traffic. Just off the top of my head...
It can help troubleshooting network / application issues
It helps them monitor what you're doing online and make sure you're not sending private data places it shouldn't go (gmail, and many social networks use https, so they want to watch these sites)
It can help in terms of caching https content
So how do I know that my ISP (at home) isn't doing MITM to me?
It's that simple. If you have to ask the question about whether it's worth leaving a job that is providing you money to have food, housing, and healthcare over concerns about having your employer see your personal business you're doing over the company Internet connection on company time, you probably have your priorities screwed up and you're going to be a problem for your employer later. Save yourself and your company time and quit now. Make sure you ask all your prospective new employers in interviews if they do HTTP snooping so you can do personal web surfing over the company Internet connection in privacy and let us know how that works out.
Tired of being "punished" by the Slashdot $rtbl since 2002. I'm now over at http://soylentnews.org/ .
So if they are basically capable of MITM on any HTTPS connection, what if you use a secure site to do health-care related stuff (HIPAA?). What about sexual harassment reporting? Since they can see your banking password and others, what kind of liability have they exposed themselves to?
I wouldn't work at a place that did this, but then again, if I were in IT at a company like this, I wouldn't want to assume the risks of watching all secure traffic.
Why? Because it opens said company to a huge lawsuit. When someone uses your network to do something illegal, if you can claim ISP status, you're typically immune from any legal threat (you don't sue Comcast because Tom Pervert was uploading child porn with his connection, as an example). When you start monitoring and snooping on encrypted traffic, you are effectively saying "we're policing everything you do on the internet." IANAL but that would probably make you liable for the actions of people on your network -- since you know about them, if you don't report something, you're criminally liable (like if you know about a murder but don't report it, you're an accessory).
It's a terrible idea for a company to do this. A company can block access to sites via HTTPS on their own network if they wish. Breaking the encryption and snooping, though, creates liability for the company. There is an expectation of privacy associated with an encrypted connection. If an employee's legitimate online banking activity (for example, making sure their pay was deposited) results in a security breach, the employer would be liable. The employer may be guilty of a HIPAA violation. If they snoop on an employee's communication with their union or a Government agency, they may violate other laws.
There's been discussion on the Mozilla security list over whether Firefox should raise alarms if it detects a wildcard cert. The consensus seems to be "yes, it should". Mozilla policy is moving towards kicking CA out of the root list if they issue wildcard certs, and adding technical measures to prevent them from working.
I'm a network security trainer and the products I train on are capable of this kind of HTTPS deep inspection, so when we discuss the feature I always ask admins to consider the legal implications of using the feature in their market. What is perfectly legal in the US might be prohibited in the EU. If you're doing HTTPS inspection I think it's only ethical to inform end users and warn them to browse accordingly ... but bosses don't always feel that way.
Good point.
But, in any case, why are you working on your personal bank account at work?
What to do: When you go to work, work. Do it well for 8 hours. Then go home. Watch TV, the news, do your banking (if you're one of those people that needs to compulsively check their balance online). Facebook, email, skype your friends.
What not to do: Spend 10-12 hours at the office, and 4 of those are just goofing off. Watch Youtube, read the news and ESPN. Facebook, email, skype your friends. Do your personal banking at work.
I'm not a lawyer, but I play one on the Internet. Blog
Wait, your banking is online, but it has to be done during business hours? Are they using mechanical turks on the other end?
For security reasons, never use SSL. As an educated user can easily guess from the sheer number of warnings that will pop up when SSL is activated, it is a major security hazard. Until now I have always been able to click them away before they could do any harm, but it's just a matter of time until one gets through the firewall.
Oh, the beautiful gloss of greality!
How can you expect to have control of your computing, if your company uses proprietary operating systems and doesn't let you control it? SSL/TLS snooping is the least of your problems; if they own the computer and they're in control, they can spy on you anyway.
As a rule I avoid computers I don't own whenever possible. I only use such computers for trivial tasks, or perhaps work if I can't use my own. If I don't own the computer or if it has proprietary software on it, I immediately assume I'm being spied on.
One is that you are using company resources for non-business purposes.
By the same token, I shouldn't be expected to use non-company resources (ADSL line for remote standby support, personal smartphone reading company mail) for business purposes.
Or we can come to a compromise, and all be adults.
.. is so I don't put up with this sort of shit. I work from home on my own connection. And I would not tolerate snooping on my toilet breaks etc. I'm a manager, not a fucking drone. I work when I need to and I walk away from the desk when I need to.
Snooping on employee private communications should be utterly illegal in my view anyway. I bet it's mainly US companies who champion this shit - the end of privacy and all.
Should it even be legal?
In many nations, my own (Sweden) included, it is not. (This specific case has not been tested, but the general rule has. They can't open your outgoing mail, so why open your outgoing encrypted tunnels?)
You have a reasonable expectation of privacy even when you are at work, and even though you're using company equipment.
By law. And it's funny; it doesn't lead to all the problems that you seem to be plagued by "over there". If you treat someone like an adult, chances are they'll act like one. If you insist on treating them as children, however, that's what you'll get.
Stefan Axelsson
If you're using company equipment what you do is fair game for the company to look at. If you want to do your banking, use your own computer. Unless they actually say you are allowed to do your banking at work you have nothing to grumble about.
This is exactly my issue with this. Our company started doing this a few weeks ago and we only found out because they screwed up the IronPort settings and it gave bad certificates to all HTTPS traffic. They issued a standard 'there is a network issue' that was resolved a few hours later when everything started "working". They've never put limits on personal use of the internet except to say no porn, no illegal sites, etc. It's a very open office where people work all sorts of long shifts, come in early, stay late, etc. The culture of my company is basically "just do your job well". So to have this happen without any kind of email saying something like "for security we are now logging all traffic including https" is really bad form in my opinion. Our employees are used to being allowed to do a reasonable amount of personal stuff at work and this changes the scope of that without warning.
The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped
This is the problem. As others have said, it is their prerogative to restrict the use of their network - but if they're going to snoop, or break security, they should make it clear (including to non-techies) that, for example, internet banking will not be secure on their network.
What's more, some people's jobs do involve working on third-party sites. IT shouldn't be able to snoop on people's work-related passwords any more than they should be able to tell you what your current work login password is.
It's their computers. There are some security vulnerabilities though: (1) Don't install the certs on your own hardware. Then the company could snoop on you anywhere, and you are vulnerable if they get compromised. Accept every connection manually, or install the certs temporarily. (2) Check what happens if you use the company computer to navigate to a site with a self-signed certificate, and an expired certificate. I found a site with some example pages of self-signed and expired certificates: https://onlinessl.netlock.hu/test-center/self-signed-ssl-certificate.html# -- https://onlinessl.netlock.hu/en/test-center/invalid-ssl-certificate.html . If the sites linked to from there show up without warning, you get encryption, but not authentication. Then, realise that most of the security benefit of SSL is lost.
I did not think there was any expectation of privacy when using corporate email and by default, web services. Would that not make the https process a moot point?
The resources are purchased for conducting business
Retaining valuable employees is part of conducting business.
This man-in-the-middle SSL connection is typical behavior of almost any proxy server. They have been commonly used in corporate/enterprise networks, just as described, for 15 or more years, that I know of. See: Novell Border Manager, Microsoft ISA server, Squid...
I'd like to remind everyone about the rather unpopular reality that is corporate networks. The company owns the equipment. The company pays for the internet connection. The company "owns" the employees during business hours. The company states what activities are and are not acceptable and declares that your computer activities will be monitored. The company is legally entitled to do all of these things.
Use company equipment for company business. Do your personal HTTPS business on your own computers on your own time.
Assess: Does this harass you that much? yes or no.
If yes: Does this job pay you a good sum of money and allow you to have financial freedom, pay your bills comfortably, pay your car, mortgage, etc.? Yes or no.
If yes: Suck it up. Jobs are supposed to give you money in exchange for you doing something they need, not for fulfilling your desires.
If no: If you have the guts and skill to find a better job, just leave. Chances are that you might find something better or at least the same, without the policies that bother you.
ME?
The policies harass me but I get paid very well, don't wanna leave this job (good money = freedom to do what I REALLY want on weekends and hobby projects, and support my family). I just have a VPS on a cheap provider out there with SSH running on port 443 :-) Snoop SSH encrypted traffic all you want. I get safe internet browsing on my breaks (also can access blocked sites here like GMAIL or YOUTUBE).
The good thing is that they're too lazy to really analyze the logs (well, squid generates huge logs anyway) and puncturing a hole for SSH just makes ONE entry to your server IP (CONNECT XXXXX:443) in the squid log (instead of one for each object, when you're just HTTP browsing), so I guess I'm leaning on that and getting lucky as well!
If they ask me someday what server it is, I'll just explain to them what that means and also remind them that *when I was hired, I didn't sign, nor was I given to read, ANY documents about internet usage policies at the company*. Be aware that if you have a clause like that in your contract you might as well get fired for that, even if it's legitimate use.
My 2 cents. Don't work against the system (it's impossible, you have bills to pay and if you keep your pipe dream of ever getting a perfect job you'll end up frustrated and jobless :D). Work around it!
A friend of mine once said: a job can be 2 of those characteristics: I LIKE DOING IT, WELL PAID, LEGAL.... don't try to find the magical three!
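For readers wondering what the single squid log line in the post above actually is: the SSH session rides through an HTTP CONNECT tunnel, and CONNECT is the only request the proxy ever sees for that connection. The code below is an added example written for this thread, not the poster's own setup; PROXY_HOST, PROXY_PORT and VPS_HOST are assumptions. It builds and parses the CONNECT exchange, opens the tunnel, and also shows how little effort it takes for an inspecting proxy to tell an SSH stream on port 443 from real TLS: the first bytes inside the tunnel are an ASCII "SSH-" banner rather than a TLS ClientHello record.

```python
"""
HTTP CONNECT tunnel as used for SSH-on-443 through a corporate proxy.
Added example for this thread, not code from the original poster.
PROXY_HOST, PROXY_PORT and VPS_HOST/VPS_PORT are assumptions.
"""
import socket
from typing import Tuple

PROXY_HOST, PROXY_PORT = "proxy.corp.example", 3128   # assumed
VPS_HOST, VPS_PORT = "vps.example.net", 443            # assumed


def build_connect_request(host: str, port: int) -> bytes:
    """The only thing the proxy logs for the whole session: one CONNECT line."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def parse_connect_response(data: bytes) -> Tuple[int, bytes]:
    """Return (status code, bytes that arrived after the headers).
    The leftover matters: a fast SSH server's banner may already be in it."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), rest


def classify_first_bytes(data: bytes) -> str:
    """What an inspecting proxy sees first inside the tunnel. TLS begins with a
    Handshake record (content type 0x16, version 3.x) whose first handshake
    message is a ClientHello (type 0x01); SSH begins with an ASCII 'SSH-' banner.
    Using port 443 does nothing to hide the difference."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    return "other"


def open_tunnel(proxy_host, proxy_port, target_host, target_port, timeout=10.0):
    """Open a CONNECT tunnel and return the raw socket plus any bytes the target
    already sent; an SSH client would take over the socket at this point."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(target_host, target_port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before answering CONNECT")
            buf += chunk
        status, leftover = parse_connect_response(buf)
        if status != 200:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
    except Exception:
        sock.close()
        raise
    return sock, leftover


if __name__ == "__main__":
    import sys
    # Offline demonstration on constructed bytes.
    print(build_connect_request(VPS_HOST, VPS_PORT).decode())
    print(parse_connect_response(b"HTTP/1.1 200 Connection established\r\n\r\n"))
    print(classify_first_bytes(b"SSH-2.0-OpenSSH_8.9\r\n"))
    # Live use needs the corporate proxy: read the SSH server's banner through
    # the tunnel. The proxy could classify that banner just as easily.
    if "--live" in sys.argv:
        sock, leftover = open_tunnel(PROXY_HOST, PROXY_PORT, VPS_HOST, VPS_PORT)
        banner = leftover or sock.recv(255)
        print(banner, classify_first_bytes(banner))
        sock.close()
```

OpenSSH sets up the same tunnel with a ProxyCommand (for example `nc -X connect -x proxy.corp.example:3128 %h %p` with OpenBSD netcat). The classify_first_bytes function is the caveat: a device that already terminates TLS can flag any CONNECT whose payload does not start with a ClientHello, so "nobody reads the logs" is the only thing keeping this arrangement quiet.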
mfw "blessing."
You know, the divine right of ruling kings ended hundreds of years ago.
The church is no longer in power.
You can stop talking about your boss/company "blessing" things. There is no endowed supernatural aura around permission.
Fascist.
only to find that because of all the overtime you generously "donated" to your company (I'd have been otherwise terminated for "poor performance" and "insufficient engagement") all the parties you'd like/need to communicate with are offline or closed for business...
REALLY.... you're paid to be there to work, not conduct personal business! Perhaps if you were relieved of your employment you could dedicate yourself full time to your own endeavours from a connection that you procure with your own money that you can fully trust!!
Try hard to really imagine that it was YOUR money that paid for the office, lights, computers, Internet, and your salary, not to mention things like workman's comp insurance should you decide to do something stupid and hurt yourself while working etc... would you want people conducting personal business on YOUR dime?
Are you a prisoner, stuck there 24 hours a day? If so, then you may have a valid point; if not, wait until you get home!
Quit whining and devote that energy to being productive and perhaps if you have a positive work ethic good things will come your way!
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
One thing that I don't think has been mentioned here is: treat others how you would want to be treated. If you treat your employees like h*ll, don't be surprised if it comes back and bites you in the butt. I've worked for at least a few egregious employers. One was so wound up about his employees showing up on time (no, not thirty seconds late, literally) he had some satellite-synchronized clock installed above the door. Guess what, he paid for it: when 5:00.00pm rolled around there was a cloud of dust in the parking lot (the front wheels of everyone's car were rolling, and the back ones spinning), and darned any work left on the bench, or its importance.

If you come across as a jerk to your employees, they WILL NOT look after you. Employees in their daily travels see all kinds of things, things we really have no real responsibility to (perusing logs, angry customers that we aren't dealing with, mistakes made by the last guy who was here, etc.). I cannot stress this enough: be good to your employees. Don't be accusatory by default and take some third-grade-teacher tone with them on the phone.

I saw at the beginning of this people were stating things like: 'back in the day, you couldn't do your banking online, so just because technology has changed the fact that you can bank online now, doesn't mean you should "steal" from your employer by paying a bill'. B.S. I SAY. The employee/employer relationship has changed too; you've conveniently overlooked that. We don't work on time cards anymore putting in our '40'. It was unheard of 30 years ago to stay and work because a client's PDC was down and know you were not going to get paid for it.
I've had occasions where I had to do banking from work during business hours, because the other people I was dealing with -- mortgage companies in several cases(and I was relocating for the job, so it was even work-related) and a credit card fraud detection department on another occasion -- were only available during business hours.
However, I'm paranoid and the company I work for certainly has the technical capability to snoop on machines they control, even if they likely wouldn't do it, so I used my personal laptop over their "guest" internet connection.
Not to mention that certain Youtubes can create an environment ripe for lawsuits.
I'm not a lawyer, but I play one on the Internet. Blog
>free time / as I'm working
That's a big dichotomy you've set up there. Free time (lunch break) is a lot different from "as you're working".
Also, listening to music is quite different from checking forums. There isn't one thing you could be doing to improve your work process as opposed to reading random forum posts?
Finally, if everyone is listening to Internet music continuously, that's a lot of bandwidth usage, just so people won't have to use an old-fashioned device called a "radio" (or even an MP3 player).
Very good point. I wouldn't ask an employee to use personal equipment to access the company network.
Leaving aside questions of equity (who pays for it), there's also the matter of security.
Out-of-office support should happen on company-provided smartphones with company data plans.
>If the answer is basic dignity or financial ruin,
I think white-collar workers have it far too easy.
Here's a shoutout to blue-collar workers who get to work 5 min before 8AM, get back to the work stations when lunch ends, and do an honest day's worth of work. They're not checking their Facebook every 5 min or expecting their employer to provide a computer to facilitate that.
The (spoiled) white collar worker will talk about "human dignity" when asked to do work for their money. Businesses bought and supplied computers for workers because they believed it would increase productivity. It is not a human right.
Later, when the Internet became prevalent, computers were networked and inter-networked, on the chance that people might need to contact suppliers/vendors. Web access was provided on the off chance you might need to research something.
To talk about human dignity is to say that workers without computers aren't humans!
Just to recap: Your employer provides you with an air-conditioned office. Your own desk, phone and computer. Ergonomic chair. Fast Internet access. And you resent that they install some sanity checks to make sure you're using the provided resources in order to achieve business goals?
Here's what a lot of people seem to be missing:
The concept of a company. Company: it's a grouping of people, people who come together for the purpose of making money.
Think of an athletic team: it's a grouping of people whose purpose is to win games. In order to do that, you practice. What would you think of a teammate who starts checking his Facebook in the middle of practice? Do it on your own time, you're here to work.
Car analogy: You're in the pit. You've got a car coming in. At that time, a co-worker decides to email his doctor about his bad knee. And another decides that's just the time to pay his telephone bill. Work, already!
Good point, I see what you're saying.
I would say: if your (vendor) company is providing a service, then the customer would properly be the buying company, not its employees.
On the other hand, there's no reason for employees to be accessing personal services (like Dropbox) from work.
... and I think HTTPS snooping is just fine!
Your friendly fork-tongued pal down under,
Satan
p.s. heh, sure hope I remember to anonymize this comment, so no one knows the real truth -- Al Pacino was only *playing* the Devil!
"You wonder where the work ethic has gone in this country." - by EdIII (1114411) on Saturday June 16, @06:56PM (#40347297)
Offshored with the good paying jobs, that's where. Pay people shit? They'll work like shit, & give you that "fine minimum wage effort".
* After all, you do get what you pay for (or rather, don't pay for, or what it's really worth)... paying execs outrageous salaries, & doing "downsizing" layoffs too? LOL, please...
Sorry - they are just NOT worth that kind of salaries + expense accounts... No way, no how.
(Yes - I've worked alongside these people + for them, & most aren't worth a plugged nickel skills OR education-wise, & have the job because they're related to a majority stockholder, OR, were part of the same "frat"...)
APK
P.S.=> Now, executive salaries & expense accounts (& yes, I have seen them in quite a few companies, even Fortune 100-500 level ones) by way of comparison? LMAO - out of this world!
( I don't see them curing AIDS or CANCER for millions per week either, now do I? Nope... nobody is worth THAT kind of ca$h, nobody - not until they perform miracles like curing those maladies @ least, not in my opinion)... apk
.....I'll bet they've got key loggers on your system as well -- SOP at places which do that kind of snooping, guy!
If a corporation cannot look into encrypted data streams going in and out of their corporate network, they cannot properly discover malware intrusions (such as spearphishing and data exfiltration). So this is not optional - it is a necessity if a corporation values the data inside their corporate network.
I thought it is currently considered best practice to move ssh to some other port on any Internet connection.
is insecure? I tend to throw them away after use. I think you'd be hard put to hack that effectively.
OP, you are almost guaranteed to be violating the company's internet use policy, so quit your bitching and stop using your company's internet for personal use on company time.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Fine.
To claim that privacy while using the restroom is the same as privacy while using the computers and network of that company is a logical fallacy.
Using the bathroom is a necessary biological function that most of the world [and I'm betting 100% of the people who work in offices] considers private. In fact, there are numerous laws that protect that privacy with very clear rules spelled out.
Using the network of the company that you work for is an optional perk of being employed by that company. The company may be bound by laws requiring them to monitor communication, SOX is a good example of this. Not using the company network is as simple as using a cell phone, laptop, iPad or one of the dozens of other devices that let you surf, call or play while not using their network and resources. Now, there are rules regarding listening in on phone conversations and web sessions, and they should have been clearly spelled out when you started using the network.
Finally, all businesses have restrooms available in some form, only a small percentage let you make calls or have internet access. It is inane to claim that privately using the phone or web through your employer is a right.
..so I've been part of security teams that terminate and inspect SSL; in my experience, lots of organizations do this and it is covered under "provider protection" doctrine which holds that companies may monitor their own networks for security reasons. One of the first things you learn in security is you *don't* want to know what people are browsing or doing; too much information (and it can be quite weird).
I can't speak for everyone, but we followed the spirit of the law; we weren't spying on personal email or other personal business. The reason for doing this is to detect and interdict HTTPS-using badness like malware, and most of the time, people wanted to know if the box on their desk where they do their banking had a bot, particularly if they did their banking from it.
> t while the proxy can effectively decrypt your https traffic, noone else can
You only know your session is encrypted between your browser and the proxy.
You cannot check who is at the other side of the proxy (unless perhaps you're the proxy admin).
You don't know whether your session is encrypted between the proxy and the other side. You don't know what grade of encryption is used between the proxy and the website, or whether that traffic is encrypted at all. For all that you know, your company's network admin is a nice honest guy, would never dream of snooping on anyone's traffic, but hasn't noticed that the proxy has been failing all SSL negotiation for the past 14 months and is reverting to no encryption. And even if it doesn't, I've seen commercial websites that provided identity through SSL, but did not encrypt the session. My browser warned me that the traffic is not encrypted. I could check the certificate, see that the other side is who he claims he is, see that the session is https but not encrypted, and decide not to use my CC on that site. But I would not be able to do so if it were through a proxy.
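Two points in this thread lend themselves to a concrete check: the earlier suggestion to browse to a self-signed and an expired certificate from the company machine and see whether the browser warns, and the comment just above that you cannot see the proxy-to-server leg. The script below is an added example for this discussion, not code from any poster or from the IronPort product. It does a real TLS handshake with the system trust store, reports whether the leaf certificate was issued by the corporate root (which means the session was re-signed by the proxy), and, when pointed at a host known to serve a bad certificate, tells you whether the proxy validated the upstream side or simply re-signed whatever it got. CORP_CA_CN, BAD_HOSTS and GOOD_HOSTS are assumptions to fill in.

```python
"""
Client-side check for HTTPS interception, and for whether the intercepting
proxy still validates the real server's certificate.

Added example for this thread, not code from the original posters or from the
Cisco IronPort product. CORP_CA_CN and the host names are assumptions: put your
employer's root CA name, and hosts you know to serve expired or self-signed
certificates, in their place.
"""
import socket
import ssl
import sys
from typing import Optional, Tuple, Union

# Assumed: commonName of the corporate root that was pushed into the Windows
# certificate store (IE and Chrome both consult that store).
CORP_CA_CN = "Example Corp Proxy Root CA"

# Assumed hosts serving deliberately bad certificates (value: "expect invalid").
BAD_HOSTS = {"expired.example.test": True, "self-signed.example.test": True}
GOOD_HOSTS = {"www.example.com": False}


def rdn_value(name: tuple, attr: str) -> Optional[str]:
    """Pull one attribute (e.g. 'commonName') out of a subject/issuer in the
    nested-tuple shape that ssl.SSLSocket.getpeercert() returns."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify(cert: dict, corp_ca_cn: str) -> str:
    """Label a getpeercert() dict:
    'intercepted' - leaf issued by the corporate CA, i.e. re-signed by the proxy
    'self-signed' - issuer equals subject
    'direct'      - anything else (a public CA chain reached us untouched)"""
    issuer = cert.get("issuer", ())
    subject = cert.get("subject", ())
    if rdn_value(issuer, "commonName") == corp_ca_cn:
        return "intercepted"
    if issuer == subject:
        return "self-signed"
    return "direct"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, Union[dict, str]]:
    """Real handshake using the system trust store (which, on a managed box,
    includes the corporate root). Returns (verified, cert_dict_or_error)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"verify failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"error: {exc}"


def interpret(expect_invalid: bool, verified: bool, result, corp_ca_cn: str) -> str:
    """Turn a probe outcome into the conclusion the thread is arguing about."""
    if expect_invalid:
        if not verified:
            return "rejected: upstream validation intact"
        if classify(result, corp_ca_cn) == "intercepted":
            return "proxy re-signed an invalid upstream cert: encryption without authentication"
        return "accepted without interception: the local trust store itself trusts this cert"
    if not verified:
        return "rejected: corporate root missing from trust store, or connection broken"
    return classify(result, corp_ca_cn)


if __name__ == "__main__":
    # Offline demonstration on a constructed getpeercert()-style dict.
    constructed = {
        "subject": ((("commonName", "www.bank.example"),),),
        "issuer": ((("organizationName", "Example Corp"),), (("commonName", CORP_CA_CN),)),
    }
    print("constructed cert:", interpret(False, True, constructed, CORP_CA_CN))
    # Live probes only on request, since they need the corporate network.
    if "--live" in sys.argv:
        for host, bad in {**BAD_HOSTS, **GOOD_HOSTS}.items():
            verified, result = probe(host)
            print(f"{host}: {interpret(bad, verified, result, CORP_CA_CN)}")
```

Run it with --live from the corporate network. A rejection on the bad hosts means upstream validation survived the interception; an accepted, corporate-issued certificate for an expired or self-signed host is the "encryption without authentication" case, and in that situation the lock icon tells you nothing about who is at the far end.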
I disagree with this kind of monitoring. Sure, the company has (or might have) the right to do it in many jurisdictions. It's their network, et cetera, but it most certainly isn't right, especially if they aren't making those whose communications are monitored aware that even https traffic is subject to monitoring; most people would not assume that. People typically think if the lock icon is in their browser that they are using a secure connection, though in this case, they are not.

Furthermore, monitoring https is risky for the company. If someone does exploit the vulnerabilities posed by https monitoring, the firm could be held responsible. We have no real reason to implicitly trust IT or anyone other than the bank to refrain from eavesdropping on our data. History shows us many examples of IT staff breaking laws to steal information and money. That's not an attack on IT people (I'm in IT myself); it's just that some people do bad things and one shouldn't trust everyone (especially when they don't trust employees. Trust is mutual). The easiest way to do that is by keeping personal traffic personal. Furthermore, we've all seen articles posted here on Slashdot and elsewhere, revealing that many (most, by some accounts) businesses have been breached or are breached regularly. So criminals can potentially break in to the company network and steal data through this proxy.

As for the question over whether or not this issue is one to leave a job over, my quick answer is no. The people who made this decision probably don't have ill intent. They might actually believe they are doing the best thing they can do and this might otherwise be a decent place to work. I would definitely bring up the risks to management in hopes that they will change their posture. If you are considering leaving, consider all the positives and negatives of doing so and put this matter in there (sounds like you'd put it in the negative column).
Then do what's best for you and, of course, only resign after signing an employment agreement with a new employer. It sounds like you've already left this place, however, so I hope you're on to something you like better! Hope that provides some good points of consideration. Best, Mike
It is stupid to block wholesale. Surely one can request specific videos from the security administrators; a manager could approve the whole thing....
Sorry folks, security brings lots of bureaucracy if one wants to be able to do useful things.
IANAL but write like a drunk one.
You don't hand away all your privacy to your employer just for using their computers; you simply abide by their policies, but that does not mean they have free rein to do whatever they want with your data.
The superseding principle is not to do private stuff in the office, not because you are losing all your privacy, which most likely you aren't, but because you agreed to not doing personal stuff with the company equipment.
If you are fool enough to use your employer's computer for banking, healthcare, credit, etc., and especially if you don't think this stuff is routinely intercepted and looked at by employers, prospective employers, etc., notwithstanding HIPAA, FCRA, you should be fired for sheer ignorance or stupidity, but the real reason you will get fired is more likely going to violate federal or state law with relative impunity because an employer can always make up a permissible reason, especially if you get caught doing personal business on the company system. "Anything you say, on or off line, can or will be used against you, if not in a court of law, then at work and in other relationships and transactions." I used to practice with an insurance-defense law firm, and have also represented plaintiffs whose depositions were taken by other insurance-defense firms. Trust me on this, your or your wife or teenage daughter's OB/GYN records or abortion, or having taken antidepressants, are known and likely to be used against you in deposition if not in court. We used to get not only the plaintiffs' but their lawyers' financial data including specifically due dates of major loans. My wife's and my records were quoted in court, complete with details about my best man at our wedding, when I was appointed to represent some children whose father accused their mother of abuse. I was fired from one job at the behest of the health insurer, and called in while a dorm counselor in college, because of a typo that indicated I had a heart attack, which nobody living could correct, and I had never met the woman listed on one hospital's credit and medical records as my wife, nor our alleged child. Having our health insurance through our employers is one of the single worst arrangements ever invented, because it is impossible to segregate such information, especially but not only with self-insured employers where even the weak anti-discrimination provisions don't apply. John McCain got this right.