Ask Slashdot: What's Your Take On HTTPS Snooping?
First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"
Chances are they will whitelist any sites that may contain personally identifiable information, such as banking sites etc. Most places do not want to get into privacy issues like this. Anything else is fair game. Personal e-mail might be a different story, but then again, in some verticals like financials, you should not be accessing personal e-mail anyway, per policy of most financial houses. Personal e-mail and the like are avenues for information to easily leave the firm.
Considering that I actually do this (Internet filtering) for a living for a medium-sized company let me tell you why we do it.
Data leakage.
We're concerned about an employee either accidentally or maliciously transferring customer data or other sensitive data to an unauthorized party.
We're also acutely aware of the liabilities and sensitivities imposed by us breaking the SSL channel, inspecting the payload, and then re-encrypting it on our employees' behalf, which is why we go out of the way NOT to break the chain for sites that are healthcare or financial related.
But your Gmail is fair game.
In Dutch we have a saying, roughly translated: He who distrusts others is probably untrustworthy.
The fact that you're using IE and aren't allowed to change the certificate store tells me that you don't have admin privileges. If that's the case, then your company can already log your every keystroke, so I don't see how HTTPS packet inspection is any more intrusive.
I just avoid doing banking or sensitive transactions on computers that aren't administered by myself or someone that I trust.
I think that this may well be illegal, because even if you consent, the server at the other side of the connection hasn't consented. That means that at least one party to the communication is having their encrypted data intercepted and decrypted by a third party without their knowledge or consent. Wiretap laws apply to both communicating parties. Not aware of any case law; someone needs to actually sue Cisco, Blue Coat, or one of the other SSL-intercepting proxy makers to establish legality.
Just do your banking over your phone's carrier network. Your employer can't go there (can they?)
You can't be secure unless you control your egress. If you just let HTTPS streams go anywhere with no visibility into their content, you might as well just set the firewall to allow all outbound connections. If there is ANY concern about information as an asset, you must intercept and decrypt HTTPS.
Your company more than likely has a policy that any use of their equipment is supposed to be for job related purposes, I don't think regular employees should have any expectation you are not watching everything they do on the PC provided by the company.
Usually the certificates are pushed through Group Policy; anyone else who shows up with their own device or another company's property will get a certificate warning, and if they look at the certificate it's going to show it was signed by your company. They can make an informed decision about what they want to do knowing they are being watched. So I don't see a problem there.
One thing that gets overlooked with SSL intercept is YOU become responsible for the forward authentication and encryption between your proxy and the site, since the client now has no opportunity to verify the certificate itself. So you HAD BETTER BE DOING revocation checks and making sure the proxy has a sane list of trusted roots, and serve clients some kinda error page if you can't trust the certificate.
Don't quit your job. Deal with the fact that with all the spyware and things like Flame going on, this is what business must do to protect themselves. Do your banking/medical correspondence/etc. at home.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
You have zero expectation of privacy at work.
Since about 8 million people have said this now, I think the counterpoint needs to be stated.
You are correct, it IS their network and their rules, but that doesn't mean that it's a good idea for them to be a dick about it. I've worked for several large (over 100,000 employee) companies, and several medium sized (1000-5000) companies, and in every case, it was made clear that we were explicitly permitted to use work computers for minor or occasional personal use such as banking or email, but were expected not to abuse the privilege.
IT and programming type jobs are creative in nature. Sometimes it helps to walk away from a difficult problem for a few minutes to let your mind clear. It was always expected that you get your job done, but trying to enforce that every single moment you're sitting there you must also be working is just crazy. That's not how people are. It's much better to build an environment of mutual respect. That was understood in every job I've held.
Now, if you sit around for hours a day surfing the web, yeah, that's a problem and needs to be dealt with by your management. But if you log into some account to check your 401K for 5 minutes once a day? Getting all up in your face about that is going to be counterproductive; it'll make employees unhappy, and in being unhappy, they will be less productive and more inclined to get up in the company's face.
So you're technically right, but in any sense of wisely running a company, you're not. But of course, many companies are not run wisely...
use your phone as a local wifi hotspot
This would require me to subscribe to a plan with tethering, which is still luxury-priced in the United States market.
No, it just requires that you root your android device.
I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
So when you work for a big company, they talk a big game about being part of the team and so forth -- then turn around and treat you like a prisoner. Sure, they are within their rights, but I find it interesting that people like you are willing to defend them.
Palm trees and 8
60+ hour work weeks.
Because work keeps expanding to take up personal time, it's the only way for employees to claw some of it back.
No... it is entirely reasonable not to do anything personal on the company's network.
Just because the Internet made it easier to do online banking, does not mean you can do it on company time and resources. People used to take time to handle their personal affairs, and it was not even possible to do so at work. A change in technology does not make it more ethical to abuse company time and resources.
Security is also a concern as well.
I also have a proxy running at every branch office and very strict enforcement of company policies. Using company resources for personal reasons is grounds for dismissal. No Facebook, No Twitter, No Banking, No Pandora, No anything. The proxy has a whitelist, and if it is required to access something not on the whitelist, a request is made to a supervisor and it goes up the chain.
While I am very strict, and record all access to customer data, block USB ports, etc., I do allow employees to connect their phones and tablets to a separate wireless network. This allows them to still have their crack-addict fix for Facebook, and to isolate themselves with Pandora/Slacker.
Nobody deserves to have the Internet at their fingertips, provided by the company, as some sort of fundamental human right. Even if it were so, nothing says that it should not be separate and kept away from company equipment.
Security overkill? Ask somebody who has had their private medical data, or financial data, or whatever let loose in the wild and see if they really wanted our employees to run freakin wild with the new naive and idealistic BYOD utopian fantasy.
If you think about it.... why does it have to be company equipment and company networks? Just about everybody has a smartphone or tablet on them now with access to their own bandwidth that they pay for. It does not have to be the private corporate network as if that was the only solution available.
"Reasonable". Really. What I find curious is the incredible sense of entitlement that some employees have about 24/7/365 Internet access and how any kind of impediment to its use is akin to genocide. Never mind the fact that they are being paid to work and not being paid to spend 10 minutes out of every hour checking Facebook and Twitter.
You wonder where the work ethic has gone in this country.
Before I get accused of being some sort of security fascist, remember that I am providing a completely separate connection for their personal devices and only ask that they restrict all personal needs to said devices.
You have zero expectation of privacy at work.
The fact that people like you keep having to repeat this shows it isn't true. People do have an expectation of privacy at work, whether or not you think they should. I'm sure even you expect some level of privacy. Or do you just assume that your employer is filming you while you use the toilet?
I ran into this with a customer of one of my clients recently. The insurance company was using a setup from Websense to snoop on all HTTPS traffic. As best as I could tell, they were snooping ALL traffic (banking, healthcare included), not just "safe" sites.
Surely this breaks privacy laws in numerous instances. HIPAA? Banking laws? Shoot, there's a federal law that could make snooping in on your Netflix traffic (video rentals) illegal. Ironically, if SOPA/PIPA had passed, HTTPS snooping would have been legal.
As for the moral aspect of this, and all the people that say "you shouldn't do personal stuff at work," a few points to keep in mind. 1) Only the IT staff at this company knew what was going on. No one outside the IT department could find any reference or notification. 2) This was REQUIRED on all home PCs that utilized their VPN network (kinda shoots down doing your home stuff at home). 3) From what I was told by their IT staff (remember I was a 3rd party, trying to get our network connections to work), the IT staff regularly "audited" HTTPS traffic. That means someone in-house was regularly looking at bank account information and health care information of their fellow employees, and they weren't making this known to the general population within the company.
I tried to get some main stream press attention on this topic a while back. No one would bite.
it is COMPLETELY reasonable to not do anything personal on the internet while you're at work
It is also completely reasonable to not do anything work-related on your own time. Or during your lunch break. But in order to be explicit maybe it's a good idea to also specify the exact amount and duration of toilet breaks. Wouldn't want to anger our corporate overlords, now would we?
Or, alternatively, all parties concerned behave like adults. The boss only calls after hours if it is really important and trusts the employee not to goof off all the time, and in return the employee enjoys a modicum of trust and freedom without going too far.
People replying to my sig annoy me. That's why I change it all the time.
seriously, the sense of entitlement is a little annoying
I know, right. It drives me crazy that the company thinks it's entitled to encroach on my personal time. My boss calls me at home on my day off... who the fuck does he think he is? Or expects me to reply to an email or check voice messages?
And that policy of showing up 10 minutes early? If they want the day to start 10 minutes early then they can pay me for that 10 minutes, and at over time rates to boot.
Seriously, the sense of entitlement some companies have is a little annoying.
If I'm expected to deal with their shit on my time, they can accommodate me dealing with some of my shit on their time.
Mutual respect is where it's at.
While I think your policy is pretty sensible (all anyone can ask for, really) the reason people work on company time is usually one of the following:
- you have to work in your spare time, unpaid, to read and review stuff for a hot project. This cuts both ways. People take work home, and home to work.
- you hate your job. Going on internet is a warning sign that you need to find another challenge either within or outside the company or you may have issues with your boss. A smart company will figure out if this is the case and try to find something else to do for either the boss or the person involved.
- you have to work hours that make it impossible to conduct business from home. You compensate by doing stuff like this during lunch.
Of course you may have an occasional saboteur, but IMO, most times it's something like this. And if you find people doing this, management should take a good look at who's to blame: are they driving their workers into doing this? In that case firing someone will not solve the issue, just make sure the workplace climate becomes even worse.
Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
Hm, I guess times have changed. 15 years ago employing people was regarded as a two-way street, you give us your time and skills to further the company business, and in exchange we give you a salary plus benefits. Benefits included fringy stuff such as "hey we're paying for unlimited long-distance already so feel free to call your mom after hours," "we got color scanners and photocopiers so feel free to scan in your kid's drawing and send it to relatives..."
But even in today's robotic world, you'd think companies would encourage employees to bank, shop, and carry personal communications online from their work computers. The alternative is that employees would take longer breaks to find a way to do the same thing using external devices.
Workplace climates are already going downhill faster and faster.
Please don't get me wrong, I am not supporting asshole companies sucking the life out of employees by paying them less and less, expecting more and more sacrifices, all while siphoning the money away for rich, useless, fucking wastes of space that are the upper executives in most very large companies. Boy have I known some.....
You should be able to have a balanced life and not need to conduct personal affairs at work.
As the CTO, I need to balance so many things. In this instance all I am trying to balance is security versus usability. I need to take very strong measures to prevent data leakage and be aware of it at least after the fact.
That's why I offer paths of least resistance. It's about the wisest thing I do, or at least I think I do. Personally, I don't care what you do at your desk. It's your responsibility to get your tasks done in the time allotted. All I want is for you to not destroy the company while you goof off, and sometimes goofing off for a minute or two can increase productivity and morale (my opinion). In any case, not my job to be the warden.
Normal people lack the sophistication to truly understand, and avoid, the dangers in the world we live in as far as technology is concerned. Hence, the path of least resistance. I make them use their own devices and prevent them from being able to connect to company equipment. Super Glue in the USB socket is very effective, but so is disabling it in the OS, which allows them to still use it to charge stuff.
As far as spare time and unpaid work (there should never be such a thing), that is unfortunately not possible with some industries. I simply cannot allow regular employees to take work home, or have unfettered remote access. Some executives have it, because it is not possible to deny them, but it is very vulnerable. I have already had to chastise somebody for using company equipment for porn. Thankfully, I had support from higher up.
I have to be this vigilant. Failure on my part can mean tens of thousands of customers (possibly much higher) hurt because of loss of data. Worse, if it is private and sensitive medical records. I would hope that the CTO of any other company was protecting my data just as well.
why are you banking, shopping, or correspondence at work?
The same reason you would expect a reasonable employer to let you see a dentist or take care of other personal things in a timely fashion. Basic respect.
I can understand how it would be unreasonable for people clocking out from the factory at 5:01 to expect anything beyond scheduled breaks. But for those of us with important, creative jobs, putting in over 60 hours every week, it's pretty heinous to expect us to save our personal lives entirely until we get home at 8:30. Considering that we go the extra mile in IT so often, it would be a little demeaning to treat us like we can't be responsible and reasonable with our Internet use. (Although we've all worked those shops.)
Ask me about my sig!
I'd suggest you look up Man in the Middle attacks (because that's what this is)...
Your browser will /think/ it is connecting to www.securesite.com but it's actually connecting to www.companyproxy.com, which has issued a (fake / self-generated on the fly) certificate for securesite.com, and the proxy server then connects itself to the site you were originally attempting to access.
So you think it's
You ==> Secure Site
but it's actually
You (encrypted to) ==> Proxy ==> Secure Site.
No need for the other endpoint's private key at all.
MITM attacks... Google it!
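The two posts above make complementary points: the proxy can mint a certificate for www.securesite.com on the fly with its own CA key and never needs the site's private key, and (as the earlier poster warned) once it does so the browser can no longer check the real site's certificate, so the proxy must do that verification, including revocation, itself. The Go program below is an added example written for this page, not code from any poster or from the IronPort/Websense products mentioned; it builds the whole world in memory with the standard library (a "Public Root CA" that really issued the site's certificate and an "Example Corp Proxy Root" that forges a second one, both names and all keys constructed for the demo) and shows what a stock trust store, a Group Policy-modified trust store, and a proxy-side revocation check each conclude:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const site = "www.securesite.com" // host from the post; all keys, certs and CRLs below are constructed for the demo

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintCert issues a certificate for cn signed by parent, or self-signed when parent is nil.
func mintCert(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	} else { // browsers match the host against the SAN, not the CN
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// crlFor builds a one-day CRL signed by issuer carrying the given revocation entries (nil for none).
func crlFor(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: revoked}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, issuerKey))
}

// chainTo is the browser's check: does the presented leaf chain to a trusted root for site?
func chainTo(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: site})
	return err
}

// ProxyUpstreamCheck is the duty the proxy inherits: the client never sees the real site's certificate,
// so the proxy must chain it to a sane root list and consult the issuer's CRL, failing closed, before it forges a leaf.
func ProxyUpstreamCheck(leaf, issuer *x509.Certificate, roots *x509.CertPool, crlDER []byte) error {
	if err := chainTo(leaf, roots); err != nil {
		return fmt.Errorf("upstream chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil || time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("crl unusable (bad signature or stale), failing closed: %v", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("upstream certificate serial %v is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

// Scenario: a public CA really issued the site's certificate; the proxy's enterprise CA forges a second one
// for the same name without the site's private key. A nil result means "accepted".
func Scenario() (forgedStock, forgedCorp, proxyGood, proxyRevoked error) {
	publicRoot, publicKey := mintCert("Public Root CA", true, 1, nil, nil)
	corpRoot, corpKey := mintCert("Example Corp Proxy Root", true, 2, nil, nil)
	realLeaf, _ := mintCert(site, false, 100, publicRoot, publicKey)
	forgedLeaf, _ := mintCert(site, false, 200, corpRoot, corpKey)
	stock, corp := x509.NewCertPool(), x509.NewCertPool()
	stock.AddCert(publicRoot)
	corp.AddCert(publicRoot)
	corp.AddCert(corpRoot) // what Group Policy pushing the corporate root does to the trust store
	forgedStock = chainTo(forgedLeaf, stock) // unmanaged device: certificate warning
	forgedCorp = chainTo(forgedLeaf, corp)   // managed device: silently accepted
	proxyGood = ProxyUpstreamCheck(realLeaf, publicRoot, stock, crlFor(publicRoot, publicKey, nil))
	proxyRevoked = ProxyUpstreamCheck(realLeaf, publicRoot, stock, crlFor(publicRoot, publicKey,
		[]pkix.RevokedCertificate{{SerialNumber: realLeaf.SerialNumber, RevocationTime: time.Now()}}))
	return
}

func main() { fmt.Println(Scenario()) } // stand-alone run prints the four outcomes in the order above
```

Running it, the forged leaf fails against the stock pool (unknown authority) and passes once the corporate root is in the pool, which is exactly why a warning appears on a visitor's laptop and not on a domain-joined PC. The proxy-side check accepts the real certificate with an empty CRL and rejects it when the issuer's CRL lists its serial; a proxy that skips that step silently passes a revoked or untrusted upstream to a client that has no way to notice.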
"60+ hour work weeks." should provide ample money to use other connectivity options.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I know what you mean. Personally, I'm disgusted that my decadent coworkers don't even understand how fortunate they are that our glorious <strike>Lord</strike>employer even has running water at work, let alone allows them such outrageous luxuries as furniture and air conditioning.
The sense of entitlement in the modern worker is out of control. I've heard some of them believe they should be provided not only toilets, but toilet paper, without any stipend being taken from their wage at all !
LOL.
This is what I mean by unreasonable entitled douchebags. You prove my point.
What is so wrong about protecting the network from data leakage, AND GIVING YOU UNGRATEFUL BASTARDS A WHOLLY SEPARATE INTERNET CONNECTION TO CONDUCT YOUR PERSONAL AFFAIRS ON YOUR OWN DEVICES ?
It's amazing that my simple request to not do it in a web browser on the same company equipment that has access to customer data is seen as proof of my unholy alliance with corporate america and Satan.
We have someone at work that takes 30 minutes (no exaggeration) to wash her hands both before and after using the toilet. This person will then call the tech department because she is not competent enough at her job of 20+ years to handle FTP uploads.
I'm not sure how that's relevant to this article, but just because someone can't use FTP doesn't make them useless. Our payroll supervisor calls IT for help to do her rare FTP transfers, yet she's very good at her job. When we were looking at a new payroll system, during the demo (and her first exposure to the system), she pointed out that their tax calculations were wrong. The company argued that it was not, but 90 minutes later after a conference call with a payroll specialist and engineer at the company, they found out that they had indeed set up their test system incorrectly, but no one ever noticed.
FTP isn't a critical job skill for many positions, and even though it's trivial for many Slashdot readers, it's not always trivial to the rest of the world. (i.e. "Why can't I use FTPS, the website says I need sFTP, isn't that the same?" "How do I use Passive mode?" "Binary mode - whats that?")
The "Time to lean, Time to clean." mentality is indicative of crappy fast food quality jobs. Many of us are paid to get a job done, not to 'put in the effort'.
We do something similar where I work. While it's theoretically possible to abuse this and snoop on personal HTTPS traffic, it's not worth the time. You are not interesting; your Facebook posts are not worth an admin's time. Your personal banking information is not worth the effort to extract. Every potentially useful bit of private information that could harm you being protected by HTTPS was already given freely to the company anyway: SSN, bank account for direct deposit, address, contact info, mother's maiden name, etc. You should be *vastly* more worried about the DBAs than the network admins. And again, you're not important enough for them to mess with it either.
Now, you should still use https at home because maybe some bigger criminal enterprises could make use of unprotected CC numbers or something (assuming they haven't already pwned your box) - but as far as your employer is concerned, there is nothing to fear from an https transparent proxy.
> Many employers have figured out how to intercept HTTPS connections and decode their content.
>If you don't want your employer knowing all your secret information, such as account numbers, login ids, passwords, etc., you should never type any of these things on a work machine.
Or employers should be following the Electronic Data Rights and Privacy Acts, which prohibit them from viewing or using such information?
Two words for the non-smoker: Cigarette Break
Two words for anyone: Think Break. "I need a few minutes to study these drawings and specs uninterrupted. I'll be back in thirty." Then head for Starbucks, taking your personal laptop (or whatever). With all the noise and kerfuffle and goofing off and bosses or cow-orkers sticking their noses in all the time in a cubicle farm, this is a necessary part of getting anything done.
Don't you dare tell me "that's not working." Better yet, write it on a yellow sticky, then just leave. And stretch it out to forty-five, at least.
Of course, this assumes you can turn in results, and not just goof off.
"Tongue tied and twisted, just an Earth bound misfit