Ask Slashdot: What's Your Take On HTTPS Snooping?
First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"
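A client-side check for the situation the submitter describes, added here as an example and not code from the submission or from any reply. The intercepting proxy re-signs the site's certificate with the company's own CA, and because that CA is in the OS trust store the browser (and Python's default context) accept the chain silently; what does change is the leaf certificate itself, whose issuer becomes the corporate CA and whose fingerprint no longer matches the one the real site serves. The script compares both against values recorded over a trusted network. All certificate data, the hostname and the CA names are constructed for the example.

```python
"""Client-side check for transparent HTTPS interception (added example).

Certificates are represented in the dict shape returned by
ssl.SSLSocket.getpeercert(); the DER bytes are stand-ins constructed for
the example, only their hashes matter here.
"""
import hashlib
import socket
import ssl

# Constructed stand-in for what getpeercert() returns on a direct connection.
DIRECT_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA Ltd"),),
        (("commonName", "Example Public CA Ltd - G3"),),
    ),
    "subjectAltName": (("DNS", "www.example-bank.test"),),
}

# Same site seen through an intercepting proxy: the leaf is now signed by
# an internal issuing CA (hypothetical name).
PROXIED_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": (
        (("domainComponent", "test"),),
        (("domainComponent", "corp"),),
        (("commonName", "CORP Issuing CA 01"),),
    ),
    "subjectAltName": (("DNS", "www.example-bank.test"),),
}

# Constructed stand-ins for getpeercert(binary_form=True) on each connection.
DIRECT_DER = b"constructed DER stand-in: leaf signed by the public CA"
PROXIED_DER = b"constructed DER stand-in: leaf minted by the proxy"

# What we expect for this site, recorded over a network we trust.
EXPECTED_ISSUER = {"organizationName": "Example Public CA Ltd"}


def rdn_to_dict(rdn_seq):
    """Flatten getpeercert()'s nested ((('key', 'value'),), ...) form."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the usual form of a certificate pin."""
    return hashlib.sha256(der_bytes).hexdigest()


PINNED_FINGERPRINT = cert_fingerprint(DIRECT_DER)


def check_certificate(cert, der_bytes, expected_issuer, pinned_fingerprint):
    """Return a list of findings; an empty list means no sign of interception."""
    findings = []
    issuer = rdn_to_dict(cert["issuer"])
    for key, value in expected_issuer.items():
        if issuer.get(key) != value:
            findings.append(
                "issuer %s is %r, expected %r" % (key, issuer.get(key), value)
            )
    if cert_fingerprint(der_bytes) != pinned_fingerprint:
        findings.append("certificate fingerprint does not match the pin")
    return findings


def probe(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a live connection actually presents.

    Not exercised offline. Default verification passes on a machine whose
    trust store holds the corporate root; that is exactly why the browser
    stays silent and why an issuer or pin check is needed on top of it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    for label, cert, der in (("direct", DIRECT_CERT, DIRECT_DER),
                             ("proxied", PROXIED_CERT, PROXIED_DER)):
        found = check_certificate(cert, der, EXPECTED_ISSUER, PINNED_FINGERPRINT)
        print(label, "->", found or "no sign of interception")
```

Run it on the constructed data and the proxied case reports two findings (wrong issuer, wrong fingerprint) while the direct case reports none; to check a real site, call `probe(host)` from a network you trust once to record the issuer and fingerprint, then again from the office network. On a domain-joined Windows host, `ssl.enum_certificates("ROOT")` lists the machine root store, which is where a Group-Policy-distributed corporate root would appear.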
Chances are they will whitelist any sites that may contain personally identifiable information, such as banking sites, etc. Most places do not want to get into privacy issues like this. Anything else is fair game. Personal e-mail might be a different story, but then again, in some verticals like financials, you should not be accessing personal e-mail anyway, per the policy of most financial houses. Personal e-mail and the like are avenues for information to easily leave the firm.
Agreed. But the OP's Ask Slashdot isn't about Data Leakage, it's about SSL proxying.
Now, if you WANT to have a discussion about Data Leakage, well then grab a cup of coffee and pull up a chair.
I do this shit for a living.
I think that this may well be illegal, because even if you consent, the server at the other side of the connection hasn't consented. That means that at least one party to the communication is having their encrypted data intercepted and decrypted by a third party without their knowledge or consent. Wiretap laws apply to both communicating parties. Not aware of any case law; someone needs to actually sue Cisco, Blue Coat, or one of the other SSL-intercepting proxy makers to establish legality.
Well for starters, most of that work is done by our compliance folks. The group that I'm in just manages the infrastructure.
I'm fairly confident, though, that spreadsheets would easily be detectable provided the information wasn't encrypted within the spreadsheets.
Most of the alerts are generated by folks themselves doing personal business while at work.
As for the stuff we might not be able to detect - again - encryption is key (pun intended).
But in all honesty a lot depends on the data classification, which is set by the data owner.
Confidential data is supposed to be encrypted while the data is at rest and while it's in motion.
In that regard the data leakage products aren't going to see it.
(Yes I know a malicious actor could just as easily encrypt our own precious data and send it to themselves undetected.)
Look, security is a balancing act. A company could make their network more secure than it is but no work could get done if they did. No company can be expected to plug all the holes that might exist, but you look for the highest risks with the largest impacts and you mitigate those risks accordingly.
Because work keeps expanding to take up personal time, it's the only way for employees to claw some of it back.
Workplace climates are already going downhill faster and faster.
Please don't get me wrong, I am not supporting asshole companies sucking the life out of employees by paying them less and less, expecting more and more sacrifices, all while siphoning the money away for rich, useless, fucking wastes of space that are the upper executives in most very large companies. Boy have I known some.....
You should be able to have a balanced life and not need to conduct personal affairs at work.
As the CTO, I need to balance so many things. In this instance all I am trying to balance is security versus usability. I need to take very strong measures to prevent data leakage and be aware of it at least after the fact.
That's why I offer paths of least resistance. It's about the wisest thing I do, or at least I think I do. Personally, I don't care what you do at your desk. It's your responsibility to get your tasks done in the time allotted. All I want is for you to not destroy the company while you goof off, and sometimes goofing off for a minute or two can increase productivity and morale (my opinion). In any case, not my job to be the warden.
Normal people lack the sophistication to truly understand, and avoid, the dangers in the world we live in as far as technology is concerned. Hence, the path of least resistance. I make them use their own devices and prevent them from being able to connect to company equipment. Super glue in the USB socket is very effective, but so is disabling it in the OS, which allows them to still use it to charge stuff.
As far as spare time and unpaid work (there should never be such a thing), that is unfortunately not possible with some industries. I simply cannot allow regular employees to take work home, or have unfettered remote access. Some executives have it, because it is not possible to deny them, but it is very vulnerable. I have already had to chastise somebody for using company equipment for porn. Thankfully, I had support from higher up.
I have to be this vigilant. Failure on my part can mean tens of thousands of customers (possibly much higher) hurt because of loss of data. Worse, if it is private and sensitive medical records. I would hope that the CTO of any other company was protecting my data just as well.
LOL. We're not injecting anything.
We've got a Microsoft Enterprise PKI.
Our own Root CA, Policy CA, and Issuing CA.
All of the machines that are joined to our domain are company-owned workstations and servers.
The Local & Personal Certificate Stores are controlled through Group Policy.
All of our workstations have our internal root certificate already on the machines, and all of our workstations and servers explicitly trust our root certificate.
Again: Our stuff. Our network. Our data. You have no privacy.
If employees stopped conducting themselves like they thought they had privacy while they were surfing the net while they were at work they wouldn't be so shocked and amazed when they find out they have none.
> Many employers have figured out how to intercept HTTPS connections and decode their content.
> If you don't want your employer knowing all your secret information, such as account numbers, login ids, passwords, etc., you should never type any of these things on a work machine.
Or employers should be following the Electronic Data Rights and Privacy Acts, which prohibit them from viewing or using such information?
sigh... *whoosh!* There goes the point, right over your head. Let me try yet again.
By taking deliberate measures to thwart browsers from popping up warnings that an encrypted communications channel is compromised, companies that use transparent SSL interception techniques are misrepresenting to you that you are on a secure communications channel when in effect you are not.
Or put another way, it's settled law that the company owns all equipment in its buildings, rooms, cameras, etc., at least in the USA. Yet if they install said cameras secretly in the restroom, they can and have been successfully sued for breach of privacy. Your employer does not have unmitigated rights to monitor you. If you're using an open communication channel, that's one thing. But if they are misrepresenting a secured channel (i.e. an HTTPS connection) to you when they are actually spying on you, that's an entirely different matter.
Argue the "no expectation of privacy" argument all you want, but the HTTPS protocol carries an inherent expectation of privacy. If it didn't, banks and other financial institutions wouldn't use it, duh. Taking steps to transparently thwart it is the technological equivalent of installing cameras in a restroom.
And no, it is not settled law, unless you can point to cases that have been fought about SSL interception.
Two words for the non-smoker: Cigarette Break
Two words for anyone: Think Break. "I need a few minutes to study these drawings and specs uninterrupted. I'll be back in thirty." Then head for Starbucks, taking your personal laptop (or whatever). With all the noise and kafuffle and goofing off and bosses or cow-orkers sticking their noses in all the time in a cubicle farm, this is a necessary part of getting anything done.
Don't you dare tell me "that's not working." Better yet, write it on a yellow sticky, then just leave. And stretch it out to forty-five, at least.
Of course, this assumes you can turn in results, and not just goof off.
"Tongue tied and twisted, just an Earth bound misfit
Because it would be against the *law*. And their policy obviously states that breaches of the law are to be reported to the police.
Stefan Axelsson
Even the Department of Defense is not as fascist as you/your company. Just wow.
People on US Military networks do have an expectation of privacy. Go poking through someone's email sometime without law enforcement and a ranking officer in the chain of command and see how much time you spend in prison for that. Well, you might not go to prison, depending on the situation, but you will be in a serious world of hurt.
It is the same with files on shares. (There are exceptions for seeing private data in the course of one's duties, but it is not anyone's duty to be spying on private stuff on a DoD network (NIPR or SIPR).)
Seriously, your company needs to rethink its security goals and realign its policies to match those goals.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen