Ask Slashdot: What's Your Take On HTTPS Snooping?
First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"
Considering that I actually do this (Internet filtering) for a living for a medium-sized company, let me tell you why we do it.
Data leakage.
We're concerned about an employee either accidentally or maliciously transferring customer data or other sensitive data to an unauthorized party.
We're also acutely aware of the liabilities and sensitivities imposed by us breaking the SSL channel, inspecting the payload, and then re-encrypting it on our employees' behalf, which is why we go out of the way NOT to break the chain for sites that are healthcare or financial related.
But your Gmail is fair game.
In Dutch we have a saying roughly translated to: He who distrusts others is probably untrustworthy.
On the other side of things, Flame only affected networks designed this way because the HTTPS proxy was claiming all of the data was "trusted" when it was not.
When a company uses HTTPS proxies, it's just making it so all of the client browsers trust every HTTPS website.
Yes, HTTPS proxies save money, but so does not using any security.
I'd suggest you look up Man in the Middle attacks (because that's what this is)...
Your browser will /think/ it is connecting to www.securesite.com but it's actually connecting to www.companyproxy.com, which has issued a (fake / self generated on the fly) certificate for securesite.com, and the proxy server then connects itself to the site you were originally attempting to access.
So you think it's
You ==> Secure Site
but it's actually
You (encrypted to) ==> Proxy ==> Secure Site.
No need for the other endpoint's private key at all.
MITM attacks... Google it!
We're looking for the minority because those are the ones that are going to cost the company money. The legal costs in defending a single hostile workplace complaint suit can easily exceed the cost of the monitoring system, and the company faces even greater losses if they lose the suit. Workplace internet monitoring has become so commonplace that if we are not doing it, then that shows that we're not taking prudent measures to prevent abuse, making it harder to defend against a lawsuit. If you don't like it, then talk to your legislators and get a law passed prohibiting workplace internet monitoring *and* shielding employers from litigation based on improper internet use by employees.
Believe me, your IT department doesn't want to monitor your internet use any more than you do, but we don't often get to say "no" to projects when it comes down to shielding the company from risk.
But nowadays, smartphones are so common and powerful that there's really no excuse for using your employer's network for anything private - I don't even check my personal email through work's network any more, I just read it on my phone. I don't want them to read it, so I keep my personal traffic off their network.
So rather than complain that the company is looking over your shoulder when you're using their computer and their network, just use your own.
Wrong.
The https proxy server is trusted as a signing CA. It generates server certs real-time for any requested https content, then retrieves the content for you on the other side, via its own https session, before sending it back to you. Since the proxy is trusted by your browser, it doesn't complain.
Without getting into a protracted discussion about x.509 certs and their completely fucked implementation, suffice to say that while the proxy can effectively decrypt your https traffic, no one else can. There's still a reasonable amount of security there.
Although it depends a great deal on the proxy admin to keep it secure...
If you want to get fired for circumventing company network policy there are less laborious ways of doing it.
Yeah, I had a sig once; I got bored of it.
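A simplified model of the trust decision the comments above describe, added here as an illustration and not code from the thread: it shows why a managed browser stays silent for a proxy-minted certificate while a fingerprint recorded off-network exposes the swap. Certificates are constructed name-derived byte strings, the CA names and the `classify` helper are hypothetical, and signature verification is left out.

```python
import hashlib

def sha256_hex(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def cert(subject, issuer):
    # Constructed stand-in for a DER certificate: bytes derived from the names.
    return {"subject": subject, "issuer": issuer, "der": f"{subject}|{issuer}".encode()}

def chain_root(chain):
    """Return the self-signed root if each issuer names the next subject, else None.
    Simplified: a real validator also verifies every signature and validity period."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return None
    root = chain[-1]
    return root if root["issuer"] == root["subject"] else None

def classify(host, chain, trust_store, pins):
    """Compare what the browser accepts with a fingerprint recorded out of band."""
    root = chain_root(chain)
    if root is None or sha256_hex(root["der"]) not in trust_store:
        return "untrusted: browser warns"
    if chain[0]["subject"] != host:
        return "untrusted: name mismatch"
    pinned = pins.get(host)
    if pinned is None:
        return "trusted, no pin to compare"
    if sha256_hex(chain[0]["der"]) == pinned:
        return "direct"
    return "intercepted: re-signed by " + root["subject"]

# Constructed sample data (hypothetical CA names; hostname is the thread's example).
PUBLIC_ROOT = cert("Public Root CA (constructed)", "Public Root CA (constructed)")
PROXY_ROOT = cert("Corp Proxy Root (constructed)", "Corp Proxy Root (constructed)")
HOST = "www.securesite.com"
REAL_LEAF = cert(HOST, PUBLIC_ROOT["subject"])
PROXY_LEAF = cert(HOST, PROXY_ROOT["subject"])  # minted on the fly by the proxy
PINS = {HOST: sha256_hex(REAL_LEAF["der"])}     # recorded from outside the network
STOCK_STORE = {sha256_hex(PUBLIC_ROOT["der"])}  # device without the corporate root
MANAGED_STORE = STOCK_STORE | {sha256_hex(PROXY_ROOT["der"])}

def demo():
    return {
        "bypassed site": classify(HOST, [REAL_LEAF, PUBLIC_ROOT], MANAGED_STORE, PINS),
        "proxied, managed PC": classify(HOST, [PROXY_LEAF, PROXY_ROOT], MANAGED_STORE, PINS),
        "proxied, own device": classify(HOST, [PROXY_LEAF, PROXY_ROOT], STOCK_STORE, PINS),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A leaf fingerprint also changes when the site rotates its certificate, so a mismatch is a reason to read the issuer name rather than proof of interception by itself.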
When your job is no more than book-keeping at Joe's Garage you can pull this off. If you work in an organization of any size with measurable risk, then if you pull this stunt you will be escorted to the door. If you do not believe me, then I suggest your friendly search engine might help you, although the same has been stated on slashdot many many times.
You can't be ahead of the curve, if you're stuck in a loop.