Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: What's Your Take On HTTPS Snooping?

Posted by timothy on from the note-from-the-principal's-office dept.

First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"

20 of 782 comments (clear)

  1. They don't enforce snooping on everything by borv · · Score: 5, Interesting

    Chances are they will whitelist any sites that may contain personally identifiable information such as banking sites etc. Most places do not want to get into privacy issues like this. Anything else is fair game. Personal e-mail might be a different story, but then again, in some verticals like finanicials, you should not be accessing personal e-mail anyway, per policy of most financial houses. Personal e-mail and the like are avenues for information to easily leave the firm.

    1. Re:They don't enforce snooping on everything by lindi · · Score: 5, Insightful

      It's a good idea to not access personal bank account from company computers anyway.

    2. Re:They don't enforce snooping on everything by Anonymous Coward · · Score: 5, Insightful

      I think you misunderstand the GP's point. You're using your employer's resources and on the clock, so you really shouldn't be doing things your employer wouldn't endorse, or at least approve of. What you do on your own time is damn well your own business, but what you do at work isn't.

    3. Re:They don't enforce snooping on everything by hawguy · · Score: 5, Informative

      If you're using social networking sites for 6 hours a day, then you're clearly not going to be able to perform your work duties. If you _are_ able to complete your work duties, then the fact you're spending 6 hours a day on Facebook is irrelevant.

      The scenario you are describing is a failing of the manager, not the employee.

      Isn't it a failing of the manager *and* the employee? If a manager lets an employee get away with hours of wasted time, the company still wants to know about it.

      Call me a subservient scum if you want to, but if people could be trusted to not abuse personal internet use, we wouldn't have to monitor it. The vast majority of employees don't abuse it, but there's that small percentage that ruin it for everyone.

      I call you subservient scum not because you are looking for the minority, but because you are using their actions to try and morally justify intrusive monitoring of everybody.

      You are no different to the "think of the children" or the "if it catches one terrorist it was worth it" brigades. You're just operating on a smaller scale.

      We're looking for the minority because those are the ones that are going to cost the company money. The legal costs in defending a single hostile workplace complaint suit can easily exceed the cost of the monitoring system, and the company faces even greater loses if they lose the suit. Workplace internet monitoring has become so commonplace that if we are not doing it, then that shows that we're not taking prudent measures to prevent abuse making it harder to defend against a lawsuit. If you don't like it, then talk to your legislators and get a law passed prohibiting workplace internet monitoring *and* shielding employers from litigation based on improper internet use by employees.

      Believe me, your IT department doesn't want to monitor your internet use anymore than you do, but we don't often get to say "no" to projects when it comes down to shielding the company from risk.

      But nowadays, smartphones are so common and powerful that there's really no excuse for using your employer's network for anything private - I don't even check my personal email through work's network any more, I just read it on my phone. I don't want them to read it, so I keep my personal traffic off their network.

      So rather than complain that the company is looking over your shoulder when you're using their computer and their network, just use your own.

    4. Re:They don't enforce snooping on everything by thermowax · · Score: 5, Informative

      Wrong.

      The https proxy server is trusted as a signing CA. It generates server certs real-time for any requested https content, then retrieves the content for you on the other side- via it's own https session- before sending it back to you. Since the proxy is trusted by your browser, it doesn't complain.

      Without getting into a protracted discussion about x.509 certs and their completely fucked implementation, suffice to say that while the proxy can effectively decrypt your https traffic, noone else can. There's still a reasonable amount of security there.

      Although it depends a great deal on the proxy admin to keep it secure...

    5. Re:They don't enforce snooping on everything by Golddess · · Score: 5, Insightful
      Funny how you use personal phone calls in a pre-internet era as an example justifying internet snooping, since I see it as justification for forbidding such snooping. Myself, my lawyer, and my doctor all work at roughly the same time. Which is also the same time that my kid is in school. Is it unreasonable for me to expect to be able to privately communicate with any of my doctor, my lawyer, or the school administrators during my working hours?

      If personal use of company resources is a problem, it will show up in the employee's performance. If the employee's performance is not impacted, then why the fuck does it matter?

      Do you think the company didn't know who you were communicating with?
      Do you think they didn't have the ability to listen in without you knowing?

      Of course they had those abilities, and some people did get fired over making personal calls.

      I'm sure employers could, but I find it hard to believe that such routine monitoring would have been accepted for the above reasons. And were the employees fired because of the snooping on their phone calls, or because the employees became lax in their duties as a result of making personal phone calls? Actually, I'm not even sure how one could go about proving either side, since given the entire bloody planet I'm sure we could each find hundreds of cases to support our side.

      Stop whining about a perk. You get them on their terms.

      Careful, that's dangerously close to "you are not a starving kid in Africa, therefore you have no right to complain" thinking.

      --
      "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-
    6. Re:They don't enforce snooping on everything by Anonymous Coward · · Score: 5, Interesting

      It's a good idea to not access personal bank account from company computers anyway.

      Well, yes. So you take a different approach.
      What you do, is access the secured web site of the health care provider your employer gave you. Then, you file a complaint with HR saying that IT refuses to tell you what information, if any, they are snooping out of the sessions, and that you are highly concerned that they are not properly meeting HIPPA requirements for confidential medical information.

    7. Re:They don't enforce snooping on everything by _Shad0w_ · · Score: 5, Informative

      If you want to get fired for circumventing company network policy there are less laborious ways of doing it.

      --

      Yeah, I had a sig once; I got bored of it.

  2. Perspectives by gellenburg · · Score: 5, Informative

    Considering that I actually do this (Internet filtering) for a living for a medium-sized company let me tell you why we do it.

    Data leakage.

    We're concerned about an employee either accidentally or maliciously transferring customer data or other sensitive data to an unauthorized party.

    We're also acutely aware of the liabilities and sensitivities imposed by us breaking the SSL channel, inspecting the payload, and then re-encrypting it on our employees behalf, which is why we go out of the way NOT to break the chain for sites that are healthcare or financial related.

    But your Gmail is fair game.

    1. Re:Perspectives by guruevi · · Score: 5, Insightful

      Data leakage can be done a myriad of other ways. And by the time you actually have analyzed the data (if anyone even looks at the reports after 2 weeks) the damage has already been done.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:Perspectives by Reschekle · · Score: 5, Insightful

      I think the important point to take home is that while there are ways to get around these transparent proxies that they cannot ultimately defeat, it is surely going to be logged and likely set off an alarm bell somewhere that you're tunneling garbage or seemingly-random data. Ultimately, the result of a proxied SSL session should be lots of recognizable text, maybe some graphics, and possibly email attachments. If what they see is something else, then it's clear someone is trying to rig the system.

      You're on company property using their resources, they're free to kick you out once they see you're trying to hide information from them.

      Of course, if the point is to STOP all leaks, then obviously they cannot do that as your method would allow you to leak information before you can be stopped. But you will be flagged.

    3. Re:Perspectives by KingSkippus · · Score: 5, Insightful

      Bullshit. There are laws against companies doing things like installing hidden cameras in the employee restrooms. This is the technological equivalent and should be just as illegal. I don't mind monitoring data flow. Although I think blocking things such as Gmail is stupid, at least the company is being up front about what they're doing.

      But transparent SSL interception is deliberately posing to someone that they are communicating via a private channel when in fact they are not. It's just as egregious as telling employees, "You can change clothes in here, there aren't any cameras," when in fact there are and they're recording. It should be illegal, period.

      This is the shit that criminals do, and any company that engages in this behavior should be thought of exactly in that light.

    4. Re:Perspectives by cmdrbuzz · · Score: 5, Insightful

      I hope you are not doing this in the UK... Its a breach of both the Data Protection Act and the Human Rights Act.

      And whilst we (I work for a very large bank in the UK) block email and (lots) of other sites, just accessing (or attempting to) would not be a HR matter. e.g. we block youtube, and the amount of IT sites that include embedded links to videos (that are then blocked by the proxy server) are insane. Its hardly someones fault that it "looks like" they were trying to access a blocked site, when they didn't even know it was embedded in the webpage they meant to access. Same goes for twitter links, Facebook like links etc.

      We are strongly regulated and log lots of things, but I would be concerned by your words of things like "fair game" etc. If it was found that IT (or anyone) looked through a users web history, or emails / phone calls etc without permission from HR, Legal and Director level management, that person would be handed over on a plate to the police.

  3. Zoals de waard is, vertrouwt hij zijn gasten by El_Muerte_TDS · · Score: 5, Informative

    In Dutch we have a saying roughly translated to: He who distrust others, is probably untrustworthy.

  4. Re:You have no right to privacy at work by Anonymous Coward · · Score: 5, Insightful

    You have zero expectation of privacy at work.

    Since about 8 million people have said this now, I think the counterpoint needs to be stated.

    You are correct, it IS their network and their rules, but that doesn't mean that it's a good idea for them to be a dick about it. I've worked for several large (over 100,000 employee) companies, and several medium sized (1000-5000) companies, and in every case, it was made clear that we were explicitly permitted to use work computers for minor or occasional personal use such as banking or email, but were expected not to abuse the privilege.

    IT and programming type jobs are creative in nature. Sometimes it helps to walk away from a difficult problem for a few minutes to let your mind clear. It was always expected that you get your job done, but trying to enforce that every single moment you're sitting there you must also be working is just crazy. That's not how people are. It's much better to build an environment of mutual respect. That was understood in every job I've held.

    Now, if you sit around for hours a day surfing the web, yeah, that's a problem and needs to be dealt with by your management. But if you log into some account to check your 401K for 5 minutes once a day? Getting all up in your face about that is going to be counterproductive; it'll make employees unhappy, and in being unhappy, they will be less productive and more inclined to get up in the company's face.

    So you're technically right, but in any sense of wisely running a company, you're not. But of course, many companies are not run wisely...

  5. Re:Don't do personal shit at work by Austerity+Empowers · · Score: 5, Insightful

    60+ hour work weeks.

  6. Re:Don't do personal shit at work by Jedi+Alec · · Score: 5, Insightful

    it is COMPLETELY reasonable to not do anything personal on the internet while you're at work

    It is also completely reasonable to not do anything work-related on your own time. Or during your lunch break. But in order to be explicit maybe it's a good idea to also specify the exact amount and duration of toilet breaks. Wouldn't want to anger our corporate overlords, now would we?

    Or, alternatively, all parties concerned behave like adults. The boss only calls after hours if it is really important and trusts the employee not to goof off all the time, and in return the employee enjoys a modicum of trust and freedom without going too far.

    --

    People replying to my sig annoy me. That's why I change it all the time.
  7. Re:Don't do personal shit at work by vux984 · · Score: 5, Insightful

    seriously, the sense of entitlement is a little annoying

    I know right. I drives me crazy that the company thinks its entitled to encroach on my personal time. My boss call me at home on my day off... who the fuck does he think he is? Or expect me to reply to an email or check voice messages?

    And that policy of showing up 10 minutes early? If they want the day to start 10 minutes early then they can pay me for that 10 minutes, and at over time rates to boot.

    Seriously, the sense of entitlement some companies have is a little annoying.

    If I'm expected to deal with their shit on my time, they can accomodate me dealing with some of my shit on their time.

    Mutual respect is where its at.

  8. Re:Trusting them as root CA doesnt mean that... by cmdrbuzz · · Score: 5, Informative

    I'd suggest you look up Man in the Middle attacks (because thats what this is)...

    Your browser will /think/ it is connecting to www.securesite.com but its actually connecting to www.companyproxy.com which has issued a (fake / self generated on the fly) certificate for securesite.com and the proxy server then connects itself to the site you were originally attempting to access.

    So you think its

    You ==> Secure Site
    but its actually

    You (encrypted to) ==> Proxy ==> Secure Site.

    No need for the other endpoints private key at all.

    MITM attacks... Google it!

  9. Re:Don't do personal shit at work by hawguy · · Score: 5, Insightful

    We have someone at work that takes an 30 minutes (no exaggeration) to wash her hands both before and after using the toilet. This person will then call the tech department because she is not competent enough at her job of 20+ years to handle FTP uploads.

    I'm not sure how that's relevant to this article, but just because someone can't use FTP doesn't make them useless. Our payroll supervisor calls IT for help to do her rare FTP transfers, yet she's very good at her job. When we were looking at a new payroll system, during the demo (and her first exposure to the system), she pointed out that their tax calculations were wrong. The company argued that it was not, but 90 minutes later after a conference call with a payroll specialist and engineer at the company, they found out that they had indeed set up their test system incorrectly, but no one ever noticed.

    FTP isn't a critical job skill for many positions, and even though it's trivial for many Slashdot readers, it's not always trivial to the rest of the world. (i.e. "Why can't I use FTPS, the website says I need sFTP, isn't that the same?" "How do I use Passive mode?" "Binary mode - whats that?")