Ask Slashdot: What's Your Take On HTTPS Snooping?

First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"

Don't do personal shit at work

Simple as that.

Re:Don't do personal shit at work

[Sorthum]

This was more sensible a decade ago; nowadays with so much of our lives online (banking, shopping, correspondance) it's no longer "reasonable" to not do anything "personal" on the internet while you're at work.

Re:Don't do personal shit at work

[circletimessquare]

why are you banking, shopping, or correspondence at work?

personally, i've done all those things, and i was sneaky and quick about it

never did i expect i had a right to do it

i get paid to work, what do you get paid to do?

it is COMPLETELY reasonable to not do anything personal on the internet while you're at work

seriously, the sense of entitlement is a little annoying

Re:Don't do personal shit at work

[Austerity+Empowers]

60+ hour work weeks.

Re:Don't do personal shit at work

[mrmeval]

Bullshit. I have my own cell phone and laptop. I can get connectivity at work outside of my bosses snooping. If they try and ban that I'll work around it as I've done in the past.

If you want it for free go beg government to give it to you. I'm sure that will work out just fine.

Re:Don't do personal shit at work

[EdIII]

No... it is entirely reasonable not to do anything personal on the company's network.

Just because the Internet made it easier to do online banking, does not mean you can do it on company time and resources. People used to take time to handle their personal affairs, and it was not even possible to do so at work. A change in technology does not make it more ethical to abuse company time and resources.

Security is also a concern as well.

I also have a proxy running at every branch office and very strict enforcement of company policies. Using company resources for personal reasons is grounds for dismissal. No Facebook, No Twitter, No Banking, No Pandora, No anything. The proxy has a whitelist, and if it is required to access something not on the whitelist, a request is made to a supervisor and it goes up the chain.

While I am very strict, and record all access to customer data, block USB ports, etc., I do allow employees to connect their phones and tablets to a separate wireless network. This allows them to still have their crack-addict fix for Facebook, and to isolate themselves with Pandora/Slacker.

Nobody deserves to have the Internet at their fingertips, provided by the company, as some sort of fundamental human right. Even if it were so, nothing says that it should not be separate and kept away from company equipment.

Security Overkill? Ask somebody to had their private medical data, or financial data, or whatever let loose in the wild and see if they really wanted our employees to run freakin wild with the new naive and idealistic BYOD utopian fantasy.

If you think about it.... why does it have to company equipment and company networks? Just about everybody has a smartphone or tablet on them now with access to their own bandwidth that they pay for. It does not have to be the private corporate network as if that was the only solution available.

"Reasonable". Really. What I find curious is the incredible sense of entitlement that some employees have about 24/7/365 Internet access and how any kind of impediment to its use is akin to genocide. Never mind the fact that they are being paid to work and not being paid to spend 10 minutes out of every hour checking Facebook and Twitter.

You wonder where the work ethic has gone in this country.

Before I get accused of being some sort of security fascist, remember that I am providing a completely separate connection for their personal devices and only ask that they restrict all personal needs to said devices.

Re:Don't do personal shit at work

[Jedi+Alec]

it is COMPLETELY reasonable to not do anything personal on the internet while you're at work

It is also completely reasonable to not do anything work-related on your own time. Or during your lunch break. But in order to be explicit maybe it's a good idea to also specify the exact amount and duration of toilet breaks. Wouldn't want to anger our corporate overlords, now would we?

Or, alternatively, all parties concerned behave like adults. The boss only calls after hours if it is really important and trusts the employee not to goof off all the time, and in return the employee enjoys a modicum of trust and freedom without going too far.

Re:Don't do personal shit at work

[vux984]

seriously, the sense of entitlement is a little annoying

I know right. I drives me crazy that the company thinks its entitled to encroach on my personal time. My boss call me at home on my day off... who the fuck does he think he is? Or expect me to reply to an email or check voice messages?

And that policy of showing up 10 minutes early? If they want the day to start 10 minutes early then they can pay me for that 10 minutes, and at over time rates to boot.

Seriously, the sense of entitlement some companies have is a little annoying.

If I'm expected to deal with their shit on my time, they can accomodate me dealing with some of my shit on their time.

Mutual respect is where its at.

Re:Don't do personal shit at work

[St.Creed]

While I think your policy is pretty sensible (all anyone can ask for, really) the reason people work on company time is usually one of the following:
- you have to work in your spare time, unpaid, to read and review stuff for a hot project. This cuts both ways. People take work home, and home to work.
- you hate your job. Going on internet is a warning sign that you need to find another challenge either within or outside the company or you may have issues with your boss. A smart company will figure out if this is the case and try to find something else to do for either the boss or the person involved.
- you have to work hours that make it impossible to conduct business from home. You compensate by doing stuff like this during lunch.

Ofcourse you may have an occasional saboteur but IMO, most times it's something like this. And if you find people doing this, management should take a good look at who's to blame: are they driving their workers into doing this? In that case firing someone will not solve the issue, just make sure the workplace climate becomes even worse.

Re:Don't do personal shit at work

Hm, I guess times have changed. 15 years ago employing people was regarded as a two-way street, you give us your time and skills to further the company business, and in exchange we give you a salary plus benefits. Benefits included fringy stuff such as "hey we're paying for unlimited long-distance already so feel free to call your mom after hours," "we got color scanners and photocopiers so feel free to scan in your kid's drawing and send it to relatives..."

But even in today's robotic world, you'd think companies would encourage employees to bank, shop, and carry personal communications online from their work computers. The alternative is that employees would take longer breaks to find a way to do the same thing using external devices.

Re:Don't do personal shit at work

[icebraining]

Spending 10 minutes of every hour on Facebook probably makes them more productive workers as a whole; the attitude that you have to be working every second from clocking in to clocking out is not only extremely selfish, but also completely stupid since it's bad for the company too.

Re:Don't do personal shit at work

[InsertCleverUsername]

why are you banking, shopping, or correspondence at work?

The same reason you would expect a reasonable employer to let you see a dentist or take care of other personal things in a timely fashion. Basic respect.

I can understand how it would be unreasonable for people clocking out from the factory at 5:01 to expect anything beyond scheduled breaks. But for those of us with important, creative jobs, putting in over 60 hours every week, it's pretty heinous to expect us to save our personal lives entirely until we get home at 8:30. Considering that we go the extra mile in IT so often, it would be a little demeaning to treat us like we can't be responsible and reasonable with our Internet use. (Although we've all worked those shops.)

Re:Don't do personal shit at work

[couchslug]

"60+ hour work weeks." should provide ample money to use other connectivity options.

Re:Don't do personal shit at work

[EdIII]

LOL.

This is what I mean by unreasonable entitled douchebags. You prove my point.

What is so wrong about protecting the network from data leakage, AND GIVING YOU UNGRATEFUL BASTARDS A WHOLLY SEPARATE INTERNET CONNECTION TO CONDUCT YOUR PERSONAL AFFAIRS ON YOUR OWN DEVICES ?

It's amazing that my simple request to not do it in a web browser on the same company equipment that has access to customer data is seen as proof of my unholy alliance with corporate america and Satan.

Re:Don't do personal shit at work

[hawguy]

We have someone at work that takes an 30 minutes (no exaggeration) to wash her hands both before and after using the toilet. This person will then call the tech department because she is not competent enough at her job of 20+ years to handle FTP uploads.

I'm not sure how that's relevant to this article, but just because someone can't use FTP doesn't make them useless. Our payroll supervisor calls IT for help to do her rare FTP transfers, yet she's very good at her job. When we were looking at a new payroll system, during the demo (and her first exposure to the system), she pointed out that their tax calculations were wrong. The company argued that it was not, but 90 minutes later after a conference call with a payroll specialist and engineer at the company, they found out that they had indeed set up their test system incorrectly, but no one ever noticed.

FTP isn't a critical job skill for many positions, and even though it's trivial for many Slashdot readers, it's not always trivial to the rest of the world. (i.e. "Why can't I use FTPS, the website says I need sFTP, isn't that the same?" "How do I use Passive mode?" "Binary mode - whats that?")

Re:Don't do personal shit at work

[Belial6]

The "Time to lean, Time to clean." mentality is indicative of crappy fast food quality jobs. Many of us are paid to get a job done, not to 'put in the effort'.

Re:Don't do personal shit at work

[jc42]

And that policy of showing up 10 minutes early? If they want the day to start 10 minutes early then they can pay me for that 10 minutes, and at over time rates to boot. Seriously, the sense of entitlement some companies have is a little annoying.

It's not a sense of entitlement; it's a sense of power over you.

This story just helps get out a bit of advice that's of growing importance: Many employers have figured out how to intercept HTTPS connections and decode their content. If you don't want your employer knowing all your secret information, such as account numbers, login ids, passwords, etc., you should never type any of these things on a work machine. Chances are they've also installed keystroke recording software, ostensibly to monitor your "productivity", but also to give them copies of all your private account information if you ever type it at work. They will eventually use this against you. This is the way that the business world has gone. You should know about it, and be aware of it at all times.

Note also that we've heard from a lot of people here who think this is all right and proper. To them, and to many companies, you have no rights at all during work hours. This is the way things have gone.

Re:Don't do personal shit at work

[hackwrench]

No, no it isn't One definition, obviously not quite the one either of us are using is:
right granted by law or contract (especially a right to benefits)
The one I use is that an entitlement is something that something has the right to possess by virtue of it's form, such as a bird is entitled to fly.
http://en.wikipedia.org/wiki/Entitlement has more.
Raison d'être goes along with a healthy sense of entitlement. I can agree that there can be an unhealthy sense of entitlement, but you hold a definition of entitlement that cannot allow for a healthy sense of entitlement. To a certain degree, we are all entitled to our lots in life, but at least some of us are also entitled to become more that what we are now. I almost said all of us, but with people lacking a healthy sense of entitlement, I have my doubts. Entitlement is also I deserve a decent parking spot, I am entitled to be able to wait in line the same as you, I am entitled to take what I want that no one else wants, and I am entitled not to be stopped just because of some arbitrary rule alone.
Also see http://en.wikipedia.org/wiki/Adverse_possession

Re:They don't enforce snooping on everything

[lindi]

It's a good idea to not access personal bank account from company computers anyway.

Re:Perspectives

[guruevi]

Data leakage can be done a myriad of other ways. And by the time you actually have analyzed the data (if anyone even looks at the reports after 2 weeks) the damage has already been done.

No worst than key loggers

[zill]

The fact that you're using IE and isn't allowed to change the certificate store tells me that you don't have admin privileges. If that's case, then your company can already log your every key stroke, so I don't see how HTTPS packet inspection is any more intrusive.

I just avoid doing banking or sensitive transactions on computers that isn't administered by myself or someone that I trust.

Don't work there

[guruevi]

If they don't trust you, you shouldn't trust them. If they're trying to snoop on you for whatever reason, they think you're a criminal. Would you work for the RIAA? Would you work for a boss who every time you come in he says "you're a criminal" and then proceeds to look over your shoulder all day? No and you shouldn't accept such behavior from employers.

Leave your job, no. Do your job, yes.

[MacTO]

There are various reasons why you should not be using your employers computers for personal use. One is that you are using company resources for non-business purposes. And that is something that you don't do unless you have your boss' blessing.

Re:Zoals de waard is, vertrouwt hij zijn gasten

[brusk]

In security, you have to start with the assumption that everyone is untrustworthy until proven otherwise.

Re:Perspectives

[Reschekle]

There is NO expectation of privacy on a private network.

Re:You have no right to privacy at work

You have zero expectation of privacy at work.

Since about 8 million people have said this now, I think the counterpoint needs to be stated.

You are correct, it IS their network and their rules, but that doesn't mean that it's a good idea for them to be a dick about it. I've worked for several large (over 100,000 employee) companies, and several medium sized (1000-5000) companies, and in every case, it was made clear that we were explicitly permitted to use work computers for minor or occasional personal use such as banking or email, but were expected not to abuse the privilege.

IT and programming type jobs are creative in nature. Sometimes it helps to walk away from a difficult problem for a few minutes to let your mind clear. It was always expected that you get your job done, but trying to enforce that every single moment you're sitting there you must also be working is just crazy. That's not how people are. It's much better to build an environment of mutual respect. That was understood in every job I've held.

Now, if you sit around for hours a day surfing the web, yeah, that's a problem and needs to be dealt with by your management. But if you log into some account to check your 401K for 5 minutes once a day? Getting all up in your face about that is going to be counterproductive; it'll make employees unhappy, and in being unhappy, they will be less productive and more inclined to get up in the company's face.

So you're technically right, but in any sense of wisely running a company, you're not. But of course, many companies are not run wisely...

Re:For all the people okay with it

[ledow]

Phone call I make? "This call may be recorded for training purposes".

Mail I send? Hell, yes, they should know what they are paying to post.

E-Mail I send? "The views in this email... blah blah blah... this email may be recorded".

Eavesdropping and brainwaves - There you have the already-imposed limit of it going "too far" anyway, and arguments into absurdity don't make your point - they just make you look stupid. "What next, they gonna come to my home and tell me I haven't been to work today and stop my salaray going into my bank account??!?!?!?"

But while you're an agent of the company, everything you do on company time, using company facilities, that communicates outside the company? It's ALREADY being monitored. Don't like it? Don't use company resources on company time to do your online banking (Why the hell would you do that anyway, and what would you have done 20 years ago when you COULDN'T do that?). Using personal internet connections on company time may still be a breach too, because you're supposed to be fucking working.

Nobody CARES about your phone call to your wife, or how much you have in your bank. I assure you, the IT department don't give a shit and wouldn't let anyone else just eavesdrop on private things anyway. But while you're being paid to work, bloody work, and you do so as a representative of the company. That means they can know exactly WHAT you're doing while you're supposed to be working (i.e. Did you call that customer a tosser? Are you defaming them on Facebook? Have you just obtained insider info from your pal at your rival?.

And in your lunch hour? They have no more requirement to supply you with a connection to Facebook or anything else than they have to give you a pool table in the staff room. The fact that it will get sniffed is neither here nor there - they just monitor everything and it's a workplace so you're supposed to be working.

You're at work. Get over it. If it worries you, use your own device and connection. /me longs for the day when WORK meant WORK, and I'm not even an employer. I can't tell you how much slacking off I see on smartphones, Facebook, etc. Fine, if nothing NEEDS to be done at that moment but then I see those same people whinging about deadlines and pressure.

Re:Perspectives

[Reschekle]

I think the important point to take home is that while there are ways to get around these transparent proxies that they cannot ultimately defeat, it is surely going to be logged and likely set off an alarm bell somewhere that you're tunneling garbage or seemingly-random data. Ultimately, the result of a proxied SSL session should be lots of recognizable text, maybe some graphics, and possibly email attachments. If what they see is something else, then it's clear someone is trying to rig the system.

You're on company property using their resources, they're free to kick you out once they see you're trying to hide information from them.

Of course, if the point is to STOP all leaks, then obviously they cannot do that as your method would allow you to leak information before you can be stopped. But you will be flagged.

Re:They don't enforce snooping on everything

[awrowe]

So "if you have nothing to hide you have nothing to fear"? That is the biggest pile of cocksucking mindless groupthink around. This kind of thinking leads to the overturn of the concept of innocence before proven guilt. Whether a person is planning hideous treason or just checking facebook to see what aunt Mabel thinks of the fried pineapple she had for breakfast, if we allow that basic privacy to be intruded upon, then we might as well give up the pretence of a free society. Privacy is there for a reason. The fact data can be collected doesn't mean it should be.

Re:You have no right to privacy at work

[Fred+Ferrigno]

You have zero expectation of privacy at work.

The fact that people like you keep having to repeat this shows it isn't true. People do have an expectation of privacy at work, whether or not you think they should. I'm sure even you expect some level of privacy. Or do you just assume that your employer is filming you while you use the toilet?

Re:They don't enforce snooping on everything

I think you misunderstand the GP's point. You're using your employer's resources and on the clock, so you really shouldn't be doing things your employer wouldn't endorse, or at least approve of. What you do on your own time is damn well your own business, but what you do at work isn't.

Re:Perspectives

[KingSkippus]

Bullshit. There are laws against companies doing things like installing hidden cameras in the employee restrooms. This is the technological equivalent and should be just as illegal. I don't mind monitoring data flow. Although I think blocking things such as Gmail is stupid, at least the company is being up front about what they're doing.

But transparent SSL interception is deliberately posing to someone that they are communicating via a private channel when in fact they are not. It's just as egregious as telling employees, "You can change clothes in here, there aren't any cameras," when in fact there are and they're recording. It should be illegal, period.

This is the shit that criminals do, and any company that engages in this behavior should be thought of exactly in that light.

Re:They don't enforce snooping on everything

[rikkards]

You're right there is a problem you are using company hardware for personal use. They have to give you a lunch break, They don't have to give you Internet access for personal use. As long as they warn you of what they are doing there is no issue in my opinion

Re:Perspectives

[cmdrbuzz]

I hope you are not doing this in the UK... Its a breach of both the Data Protection Act and the Human Rights Act.

And whilst we (I work for a very large bank in the UK) block email and (lots) of other sites, just accessing (or attempting to) would not be a HR matter. e.g. we block youtube, and the amount of IT sites that include embedded links to videos (that are then blocked by the proxy server) are insane. Its hardly someones fault that it "looks like" they were trying to access a blocked site, when they didn't even know it was embedded in the webpage they meant to access. Same goes for twitter links, Facebook like links etc.

We are strongly regulated and log lots of things, but I would be concerned by your words of things like "fair game" etc. If it was found that IT (or anyone) looked through a users web history, or emails / phone calls etc without permission from HR, Legal and Director level management, that person would be handed over on a plate to the police.

Re:They don't enforce snooping on everything

[hawguy]

Fair enough. I get a half hour break for lunch, during which I have been informed I may use the company internet connection. If they are snooping my https details during that period, we have a problem captain.

Browse your porn (or whatever it is you do that you don't want your employer watching) from your smartphone. Don't use your employer's network if you don't want them to watch what you do.

At my company, we tell employees that they are free to use computers for personal use on breaks, but we also tell them that we monitor usage and recommend that they not use our network for anything of a private or personal nature.

Re:Perspectives

[KingSkippus]

So I'll ask yet again, why are you so averse to the warning that the SSL connection that the employees are using isn't secure?

Our stuff. Our network. Our data. You have no privacy

Again, with the "Our building. Our restroom. Our cameras. You have no privacy." rationale, apparently.

Re:They don't enforce snooping on everything

[Joe+U]

They can handle it.

Let's go back in time to 1980, and pretend we're using the company phone to talk to a friend during lunch.

Do you think the company didn't know who you were communicating with?
Do you think they didn't have the ability to listen in without you knowing?

Of course they had those abilities, and some people did get fired over making personal calls.

Don't like the policy? There's a pay phone in the lobby.

Now, back to 2012. Calls are replaced with web and email.

Why the fuck should they change? It's their network, they get the ability to see who you are talking to and what you are saying. The pay phone was replaced with your smartphone, don't like their policy, use your own phone.

Stop whining about a perk. You get them on their terms.

Re:They don't enforce snooping on everything

[b4dc0d3r]

You are vastly confused here. There are many points conflated in your post.

1) Employer's policy about what is allowed using their resources
2) Employer's requirements about how much time you spend doing productive work
2) Monitoring employees' activities
3) Implementing a man-n-the-middle attack (transparent HTTPS)

The first three are off topic here - whether what you are doing is allowed or not doesn't matter. "Don't use your employer's network if you don't want them to watch what you do." I don't see how it could be any simpler. They provide the resources and a paycheck. If you don't like their policies, quit. If you can't quit, you're stuck.

If you have something pop up that will interrupt your work, you have to make that decision regardless of whether technology is involved. That's the part about having a life outside of work.

If you do decide you have to take care of it, and it involves an internet connection, don't expect that monitoring will be turned off. If you don't accept that risk, you have the traditional solutions. Call instead of using a website, ask for emergency time off, quit, or whatever else you can think of to avoid being snooped.

You're not important enough to matter

[ImprovOmega]

We do something similar where I work. While it's theoretically possible to abuse this and snoop on personal https traffic, it's not worth the time. You are not interesting, your facebook posts are not worth an admin's time. Your personal banking information is not worth the effort to extract. Every potentially useful bit of private information that could harm you being protected by https was already given freely to the company anyway - SSN, Bank account for direct deposit, address, contact info, mother's maiden name, etc. You should be *vastly* more worried about the DBA's than the network admins. And again, you're not important enough for them to mess with it either.

Now, you should still use https at home because maybe some bigger criminal enterprises could make use of unprotected CC numbers or something (assuming they haven't already pwned your box) - but as far as your employer is concerned, there is nothing to fear from an https transparent proxy.

Re:They don't enforce snooping on everything

[epyT-R]

too bad many employers don't show their employees the same respect when employees are on their own time with their own resources.

Re:They don't enforce snooping on everything

[Golddess]

Funny how you use personal phone calls in a pre-internet era as an example justifying internet snooping, since I see it as justification for forbidding such snooping. Myself, my lawyer, and my doctor all work at roughly the same time. Which is also the same time that my kid is in school. Is it unreasonable for me to expect to be able to privately communicate with any of my doctor, my lawyer, or the school administrators during my working hours?

If personal use of company resources is a problem, it will show up in the employee's performance. If the employee's performance is not impacted, then why the fuck does it matter?

Do you think the company didn't know who you were communicating with?
Do you think they didn't have the ability to listen in without you knowing?

Of course they had those abilities, and some people did get fired over making personal calls.

I'm sure employers could, but I find it hard to believe that such routine monitoring would have been accepted for the above reasons. And were the employees fired because of the snooping on their phone calls, or because the employees became lax in their duties as a result of making personal phone calls? Actually, I'm not even sure how one could go about proving either side, since given the entire bloody planet I'm sure we could each find hundreds of cases to support our side.

Stop whining about a perk. You get them on their terms.

Careful, that's dangerously close to "you are not a starving kid in Africa, therefore you have no right to complain" thinking.

Do your banking at home

[Compaqt]

Good point.

But, in any case, why are you working on your personal bank account at work?

What to do: When you go to work, work. Do it well for 8 hours. Then go home. Watch TV, the news, do your banking (if you're one of those people that needs to compulsively check their balance online). Facebook, email, skype your friends.

What not to do: Spend 10-12 hours at the office, and 4 of those are just goofing off. Watch Youtube, read the news and ESPN. Facebook, email, skype your friends. Do your personal banking at work.

Re:They don't enforce snooping on everything

[Xest]

Indeed, I've always just worked on the principle that if I'm doing something on the internet from work, it's more likely someone could be watching.

If it's something that could thus get me in trouble, or cause problems, I wouldn't do it from work, it's as simple as that.

Thankfully I've always had jobs where things like reading the news online, using Facebook or whatever are accepted, so I've never found it to be a problem.

For me it's not even that I believe for a second my employer right now for example would snoop. It's about the fact that it's not a network I control, so I just don't trust it like I do my home network. The same goes for things like airport Wifi, Cybercafes etc. - I don't know the networks well enough to fully trust, so I don't do things on them that require a level of trust.

So to answer the original question, not, I don't think it's worth leaving your job over, the only reason to leave your job is if you do not like your job (whether it's because of pay, conditions, enjoyability of the work itself or whatever), which is a different issue that takes into account far more factors.

Re:Perspectives

[cmdrbuzz]

Yup, as Lar's said, its a criminal act (snooping on peoples private communications is not allowed. RIPA and the Computer Misuse Act would be the first two that come to mind).

I've seen what happened when a (non-IT) user put a keyboard logger (one of those hardwired plug in ones) into a managers keyboard to capture her password, then try and use her access to authorize a 20k loan payment. Police + FSA = Carnage. Marched out in hand-cuffs...