Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?
New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.
In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.
My question: How common is it for employers to perform MITM attacks on their own employees?"
Yes, that is exactly what my company did. They got ratted out when they let the CA expire, but the argument was "Our hardware, our rules."
The usage rules stated something along the lines of their having the right to inspect and alter packets on the company-owned network, so there you go...
Never answer an anonymous letter. - Yogi Berra
I'm not sure why they would need to do that as a routine task. It's fairly broad and consumes resources. It'd be pretty funny if you mentioned it to their IT Director and he replied with "huh?"
Second question: how evil is this practice?
-kgj
I own my company, and no... I don't do this to my employees.
I have warned people who've abused the system (I had some casual employees who spent inordinate amounts of time on Facebook, and I've had to clamp down on music downloads that could have gotten me into trouble) but I generally use HR methods rather than technological methods to take action.
This is not a MITM attack -- it is a trusted proxy. The employees all trust the proxy, so everything works as it should. You don't trust the proxy, so you get a certificate validation error, so everything works as it should.
If you don't own/administer the laptop you run, assume that you are being monitored via a client side tool. Even so, my university made their own CA (had a laptop program up to last year; now they use it as part of the installer for the Network Access Control tool they put on, which uses passive TCP fingerprinting & user agent in tandem to tell if you run a PC or Mac & require software installation), and used a Fortinet Analyzer to log HTTPS/IM/email/etc. traffic.
My current customer issues their own CA, runs Cisco IronPort, and MITMs SSL by default. Broke several sites, including my employer's website (X.509 certificate authentication was interrupted because the CA changed and it didn't think to present the client-side cert - they had to add our domain to the exceptions list for MITM). They do so for logging.
My own employer does not seem to issue CAs over existing ones, but there's so much management software on the thing I don't expect privacy when using it anyways.
Don't expect privacy on a work PC.
Furthermore, they do all within their power to block any browser other than IE 8. Even apps like Eclipse are crippled, unless you can figure out the arcane and undocumented settings to use said man-in-the-middle proxies.
The guest network is not encumbered in that way, though, and that's where I transact all non-work-related business - like this post.
Essentially, I vote with my e-feet; I don't like the security policy on the corporate net, so I don't use it for non-corporate communication. If their idiotic so-called "security" policies lead to a major data breach, it's their data, not mine, and I'll point and laugh as I leave for the next contract.
And if you really really need to, get yourself a smart phone with a fat data-plan.
that your assumption is incorrect. Some firewalls do deep inspection, looking for malware coming from websites, via email, etc. They'll do SSL MITM to allow that to work. It doesn't necessarily mean they're doing anything nefarious.
"National Security is the chief cause of national insecurity." - Celine's First Law
If they do decrypt personal traffic, would they be responsible for any medical data they intercept, thus triggering HIPAA?
I lost a client because I refused to setup something similar.
I encountered the FBI doing this in 2003, and my current company, a Fortune 100 company, also employs this technology.
We use it to decrypt and scan all HTTPS communication to prevent confidential information from leaking out of the company as well as to enforce professional conduct guidelines (no naughty words or boobies!).
I would wager this type of proxy with fake certs is fairly common at large companies in the U.S. today.
I wonder if the employer even knows? In most firms the employer rarely sets up the network themselves and holds the keys. They usually put the trust of the network in their systems administrators. I have worked at a few firms where the system admins would all treat the network like their little play toy. I would point fingers at whoever set up the proxy before pointing them at management. In my experience management is really not that savvy.
Birds of a feather flock together.
When I connect to my employer's network I get a pop-up that says: "YOU SHOULD HAVE NO EXPECTATION OF PRIVACY"
The greatest avenue for malware infection is from web traffic. Organizations that take security seriously will open the https at a proxy that analyzes the content for malware and then either blocks it or allows it. Who said anything about recording all web traffic? My proxy logs are large enough... nevermind the idea of logging content!
It depends on the company and its policies of course, but this is not that uncommon. I would say that in most cases this is not for spying on the employees but rather for protecting them by letting IDS/IPS systems read the network traffic even when using SSL, to find botnets, infected hosts and malware. But the solution sure makes it *possible* for the company to spy on the employees, and my personal opinion is that a company using this technique should make sure the employees know that SSL is being intercepted.
It's perfectly legitimate practice on a company network to intercept encrypted traffic. Security devices used for things like intrusion protection and data leakage prevention can't work properly if all you need to circumvent them is an encrypted connection, and you really want that kind of security these days if you're using a large company network, whether you're the company management, the company employees, or the company's customers/clients.
Doing it without making anyone using the network fully aware of the possibility, however, is quite a different matter, unless employees clearly aren't allowed to use company systems for personal use at all. If you've been told occasional personal use is OK and they're covertly MITMing your online banking session on your lunch break or similar, that is highly inappropriate.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
It's more likely they are running the traffic through an IDS/IPS rather than logging everything. It's also likely that well-known banking sites are excluded and just passed through. It does use quite a lot of resources to scan the traffic, after all.
IDS/IPS https://en.wikipedia.org/wiki/...
This is very common to protect against exploitation of the SSL hole. Blocking your VPN protocol also protects network resources, as malware can use this technology to bypass firewall systems too.
Remember, the equipment and bandwidth of your client is theirs to do with as they see fit. Obviously capturing people's banking data, and USING it, is illegal and would be prosecutable to the fullest extent of the law.
Don't put the actual text of your comment in the title. All the information should be in the body of the comment, and the comment should be fully understandable without the title.
We intercept HTTPS via a proxy here; we just inform our employees about it upfront. Our computers are exclusively meant for work, not personal use. We provide an entirely separate public WiFi network for employees and guests.
In some cases you need to know everything that is going out the door. For example if your company is the target of industrial espionage the last thing you want is your trade secrets going out through your firewall.
I would expect a lot of companies are doing this along with other similar measures.
Agreed.
My employer (a large community college district in California) does something similar. Using Palo Alto firewalls they are able to intercept the SSL certificate, decrypt the traffic, inspect it, and put it back together again, unlike in the OP scenario, with no indication to the end user. The rationale is that many viruses and botnets use encryption to prevent detection. While I think their hearts are in the right place, I think it can potentially open an organization up to litigation if (when) something goes wrong. Imagine your organization does this MITM (attack) and someone in IT performs a deep packet inspection and your bank details, PII or whatever is viewable. Scary thought that a curious schlub in IT (I say that being a schlub in IT) may be reading your Gmail conversations, seeing your banking info, and all the other stuff you'd want to keep private. Obviously though, at the end of the day, any organization has the right to monitor employees using company hardware.
We deal with highly sensitive client data. All network traffic is inspected. The employees are well aware of it because it is explicitly mentioned during new hire orientation / on boarding.
This is a security department looking for people who are browsing porn, or using ssl to hide illegal activity. They aren't looking for banking info. (Although it's there) If you are doing banking on a network not your own, then it’s your bad...
The work computers are not your property; they belong to the company you work for and are for work, plain and simple. If you don't like the situation you can certainly (and should) move on to another job.
Malware is pretty easy to download over HTTPS, since an IDS can't fingerprint it. I've been looking for a firewall that can do this reliably, so I'd love to hear solutions that people have found work reasonably well.
Management has no interest in employees' personal lives. Hence we don't block Facebook, YouTube, etc. The goal is to keep the company's assets safe. Employees are made aware during their orientation that we have the ability to monitor their computers in every way. The message has been, if you want privacy, use your mobile device (and don't vote for Democrats and their spy programs).
All banking, finance, government, health, and some other more private info sites are NOT included and go direct (no MITM proxy)... a company who does do MITM on these sites, especially in the health area could be in line for some serious legal issues...
As someone that recently spec'd out new firewall hardware for a medium sized company I found this 'feature' available on the latest, greatest boxes. This is the newest way for companies to run Intrusion Detection (for instance looking for CCs or key words in documents leaving the network) as well as throttling Bit Torrent and other undesirable traffic hidden in encryption. I would expect this to become the norm in the next couple of years as Gartner repeatedly writes that thorough IDS is best practice on networks in this day and age. Personally I felt like a mini-NSA and declined to roll this feature out - but I have the luxury of being the decision maker at a small company. If I was spec'ing gear for an enterprise--I'm pretty sure the hunger for latest and greatest to protect IP from the unwashed masses would prevail.
I have a proxy server at the office which does content filtering and AV scanning on everything that comes in and out of the network. This is purely for security reasons, to add another layer of prevention for malware, so nothing is stored and I don't care about the actual content of the data. I started having to do SSL MITM on our proxy server when some users figured out that if they just put HTTPS in front of whatever they wanted, the proxy server wouldn't be able to catch it.
For us it's also clearly stated in our handbook that work equipment and network traffic is subject to periodic monitoring, we do have a separate network for employees that want to connect their personal phones, tablets and laptops which is not filtered but also does not have access back to the production network.
I have seen organizations implement an SSL proxy like this. I am sure most people don't check to see who the certificate was issued by. The clever thing here is that the certificates are generated on demand by the SSL proxy. The organization would whitelist (to bypass the SSL proxy) some domains (mostly financial institutions). Gmail wasn't one that was whitelisted. This organization didn't do it without consent; buried in their acceptable use agreement was the SSL proxy and a method to request a domain get whitelisted.
My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees
A completely baseless assumption. I have worked with several organizations who do this "attack" to protect themselves from malicious traffic. I have not yet seen any that logged content. The legal and regulatory risks in doing this are too high to do this sort of data collection.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
If this handle you cannot the job quit.
It's retarded to carry out personal transactions over office hardware. As many have pointed out, once "in" the workplace , you aint got any rights.
I was setting up an AT&T cellular extender, and I didn't look at it very thoroughly, but it seemed to do the same thing. I didn't inspect a cert to see if it was the original or not, but it was definitely routing all the traffic through a proxy of some sort.
Yep, mine does the same thing. Always unnerving to know that others have access to -- what should be -- encrypted data / passwords.
I have a Verizon smartphone grandfathered in with unlimited data. Is there a way I could connect it to my work computer via USB and use it for my internet connection rather than the corporate network?
My employer makes it very clear that they monitor everything. There appears to be need for a CA and proxy etc when they have every form of logging under the sun running on all employee machines. For the sake of convenience I have given up on using my phone for banking, personal email etc when it is so much easier to just use my work laptop. I guess I will change all my passwords when I leave.
was funny because overnight they pushed out CA certificates into Internet Explorer, so the users were none the wiser. Anyone who had Firefox or Chrome installed immediately saw what was happening and stopped using the corporate desktop to do anything on the Internet. This caused tons of problems; especially working in cyber security, a lot of sites like Tor and Squid and Red Hat's CDN were blocked and/or hindered from working properly, causing lots of problems in my lab. Glad I'm outta there!
Big company. They tell us outright that they do it.
My employer, a big bank, does the exact same thing. Interestingly as you say IE doesn't complain about it but firefox does. Also it's only some sites, google is this way but Twitter for example is just rejected if you try to access it over https.
and in a sentence beginning with "Beware of the leopard".
I don't see why the contract has to declare the version of Apple BSD on which the trusted proxy runs. Otherwise, they'd need to get everyone to sign off on "Beware of the mavericks".
It's becoming more and more common
What are you doing using THEIR network thinking you have any privacy? Regardless of VPN or not?
When on-site with a customer, I always use my own equipment (laptop, tablet, etc) connected to my own phone's wifi hotspot (or tethered) to connect back to my own business systems.
(Posting as AC because I lost my ~1997 account long ago and can't bear the shame of a new one with a high uid)
I don't know if my company does this. I wouldn't be surprised if they do; many folks have already mentioned reasons why it might be desirable (for them) that aren't malicious.
But I want to know whether it's happening so I can decide if I want to change my behavior. How would I go about checking for such things on a Windows 7 Professional laptop?
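One way to answer the question above, as an added example and not something posted in this thread: record what a host's certificate looks like from a network you trust (home, a phone hotspot), then compare it with what the same host presents from the corporate network. An intercepting proxy mints a fresh leaf certificate signed by the enterprise CA, so the issuer changes even though the chain validates cleanly against a trust store that Group Policy has seeded with that CA. The script uses only the Python standard library, so it runs unchanged on Windows 7 with Python installed; the host names, the "Contoso" issuer and the two sample certificate dictionaries are constructed stand-ins, not real certificates.

```python
"""Client-side check for TLS interception: compare the certificate a host
presents now with a baseline recorded from a trusted network.
Added example; the sample data below is constructed, not captured."""
import json
import socket
import ssl
import sys


def rdn_to_dict(rdns) -> dict:
    """Flatten the nested tuples ssl.getpeercert() uses for subject/issuer."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def summarize(cert: dict) -> dict:
    """Reduce a getpeercert() dict to the fields worth comparing."""
    return {
        "subject": rdn_to_dict(cert.get("subject", ())),
        "issuer": rdn_to_dict(cert.get("issuer", ())),
        "serial": cert.get("serialNumber"),
        "not_after": cert.get("notAfter"),
    }


def fetch_leaf(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect the way a browser does: validate against the OS trust store,
    which is exactly where a pushed-out enterprise CA lives, so an
    intercepted connection validates without error here too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return summarize(tls.getpeercert())


def compare(baseline: dict, observed: dict) -> list:
    """List the differences that matter; an empty list means 'unchanged'."""
    diffs = []
    for field in ("organizationName", "commonName"):
        old, new = baseline["issuer"].get(field), observed["issuer"].get(field)
        if old != new:
            diffs.append(f"issuer {field}: {old!r} -> {new!r}")
    if baseline["serial"] != observed["serial"]:
        diffs.append("serial number changed")
    return diffs


def shared_issuer(observations: dict):
    """Return the issuer CN if every host was signed by the same issuer.
    No public CA signs every site on the Internet; one issuer across a
    search engine, a bank and a news site is the mark of an interception
    proxy minting certificates on the fly."""
    issuers = {o["issuer"].get("commonName") for o in observations.values()}
    return issuers.pop() if len(issuers) == 1 else None


# Constructed sample data in getpeercert() layout, not real certificates.
SAMPLE_HOME = {
    "subject": ((("commonName", "maps.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
    "serialNumber": "0A1B2C3D",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}
SAMPLE_CORP = {
    "subject": ((("commonName", "maps.example.com"),),),
    "issuer": ((("organizationName", "Contoso Corp"),),
               (("commonName", "Contoso Web Proxy CA"),)),
    "serialNumber": "01",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}

if __name__ == "__main__":
    # Usage: python check_tls.py baseline.json host1 host2 ...
    # First run (on a trusted network) writes the baseline; later runs compare.
    path, hosts = sys.argv[1], sys.argv[2:]
    observed = {h: fetch_leaf(h) for h in hosts}
    try:
        with open(path) as f:
            baseline = json.load(f)
    except FileNotFoundError:
        with open(path, "w") as f:
            json.dump(observed, f, indent=2)
        sys.exit("baseline written; rerun from the corporate network")
    for host, summary in observed.items():
        for diff in compare(baseline[host], summary):
            print(f"{host}: {diff}")
    issuer = shared_issuer(observed)
    if issuer is not None:
        print(f"all hosts share issuer {issuer!r}: interception likely")
```

Two caveats when reading the output. A changed serial number on its own is routine renewal, and a site can legitimately move to a different public CA, so the decisive signal is the issuer changing to a name that is not a public CA, and the same issuer turning up for every unrelated host in one scan. The check only covers the HTTPS path the proxy intercepts; a proxy that passes banking sites straight through, as several posters describe, will show no change for those hosts.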
Yep--my company does the same thing and because they are attempting to do it "under the radar" it has caused a whole lot of issues and wasted time for many folks trying to "fix" problems it has caused. In several cases it was blocking automated updates for Microsoft Windows, Wordpress, and several Linux distributions because the update software wanted to see the vendor-issued cert.
I recently implemented the same thing at my previous company. This is common, useful for the firewall to track things more easily; got both sides of the client/server covered. --- genius! Waiting for our ISPs to do the same thing at the ISP level... then we're doomed!
What the proxies "usually" don't re-encrypt are banks and other financial institutions that contain your PII. It's mostly to see what you're doing, whether you're breaking any laws while on company property, and posting bad comments about the company via HTTPS. Basically the data is there if you get audited or investigated.
So as long as you're clean, there should never be a worry.
It's actually fairly common for any fairly new-generation firewall that does Deep Packet Inspection for Intrusion Prevention, Content Filtering, etc. The firewall has to be able to view the data unencrypted to scan it for the "normal" stuff. Nothing overtly hostile in the intent there, just the way it works.
To err is human, but to really foul things up requires a computer
Just because they set it up to look like a trusted proxy, it defeats the trust of HTTPS. Are they wrong for doing this? That's debatable.
This is a very common way to solve the problem of "how do we do a virus scan on files coming in through https?" Many organizations run a proxy server for all web requests to be able to filter content, and to do anti-virus checks, but obviously it needs to view the unencrypted content to be able to do a scan. Otherwise any employee could be downloading malicious content straight through your firewall and bypass all the checks you have in place.
"I have never let my schooling interfere with my education." - Mark Twain
In many countries regulations prevent snooping of traffic to websites related to health or banking.
Watch for language in your employment agreement to the effect: "Employees outside the group health insurance and financial departments MUST NOT access health or banking sites through the company network."
The message has been, if you want privacy, use your mobile device (and don't vote for Democrats and their spy programs).
Do you honestly think that a Republican government wouldn't do just as much spying?
A previous employer, a game company whose name rhymes with lizard, uses MITM proxy ... All their machines use their custom cert so that their made-up cert shows 'green' on the location box when any user uses a secure web site.
No sig. Move along - nothing to see here.
I worked for a nuclear technology company and they set up a box which did this on the guest network. I threw up all sorts of warnings why this was a bad idea but our network security guy who cared nothing about the businesses and government entities we came into contact with, insisted that this is the way it should be done. Eventually some form of it disappeared while some other aspects remained. But seriously, how do you think the various large utilities and the NRC would feel about their secure traffic being sniffed while their representatives and executives are in the office?
Kinda breaks some trust issues doesn't it?
It's not a violation if the company isn't bound by HIPAA regulations. In this case, for a generic corp, it's just a terminal and Internet access.
Is it just my observation, or are there way too many stupid people in the world?
Seriously, it's not an "attack"
Is it just my observation, or are there way too many stupid people in the world?
I also expect them to be very aware of who you call from the phone at your desk.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
For any organization over 100 employees, I'd say it's safe to assume they do perform MITM. If you can, get a copy of PuTTY installed and run an SSH tunnel to a remote server on a random port, or even something like 8080 to appear like you're just accessing your home router's web GUI, then proxy all your web traffic through that. Periodically check to see if the certs on your local machine have changed.
The author is an idiot and doesn't get what's going on. By default, Cyberoam products do this. They issue their SSL cert to everyone at the company and then intercept all 3rd party ones to check them. They claim their list of revokes certificates is better than your browser's or whatever. I turned the feature off because it broke Activesync and like 8 other things.
This is very common in large, enterprise-class businesses with significant numbers of PCs dedicated to end-users, as this methodology is used in various ways to provide security (to the enterprise, while simultaneously robbing the end-user of theirs in favor of the business'). The services provided by companies like ZScaler would be perhaps the most common use of these types of MITM attacks.
"Inveniemus Viam Aut Faciemus" 'We will find a way... Or we will make one!' --Hannibal of Carthage
This is fairly common in healthcare - and I suspect in other regulated industries - where the possibility of employees leaking confidential information is more than just a technical irritant.
Fines and consequences for even inadvertent leakage can be devastating - individually and to the business.
Reference: http://www.hhs.gov/ocr/privacy/
Previous company I worked for did this.
It really annoyed me, as they did not notify anybody that the new proxy was doing a MITM.
My employer makes devices that do this MITM interception. My job is to help companies (150-1500 users) implement it in their network. Most of my customers want the benefits of it, many of them don't have the resources to redesign a small network to implement it. (It's hard in a mixed environment with unmanaged IOS/Android devices if you suddenly start globally intercepting their HTTPS traffic.)
They may not be intercepting passwords, but as far as prevalence goes, it's quite common. The MITM is the most robust way of filtering/reporting/scanning traffic. IP blocking isn't effective anymore (this isn't 1997) and SNI inspection is less intrusive, but has some idiosyncrasies.
I see a whole range of reasons, from "we don't care what people do, we just don't want anyone surfing for porn or getting viruses" to absolute draconian "give me a weekly report of everyone who is looking at job search sites or using profanity in email".
As a user, you have no idea what the company is really doing. Make sure you read your employer's IT Acceptable Use Policy, and hold them to it. As a traveler, treat every network as hostile; whether it's a company internal network, guest wireless, hotel, coffee shop, or library.
Also, try masquerading your VPN as DNS traffic if they're intercepting HTTPS. :-)
My employer does this, using Bluecoat, and doesn't tell anybody about it. Even my colleagues who are programmers aren't necessarily aware of it.
What's bizarre is the Bluecoat proxy will claim in its boilerplate that it's doing it for network security reasons, but.... they issue everyone in the company a laptop and actively encourage employees to take their laptops home at night. None of the new-hires even have a desktop at all, and veterans only get to keep an old desktop if they can prove the OS licensing is independent of the licensing the IT group administers.
So... network security? Prevention of funneling company secrets out through the firewall? Ha.
Sheesh, really? Man-in-the-middle "attack"? Give me a break.
If you are using an employer's resources to surf the internet just figure that *everything* you do is monitored. If you don't want to be monitored, GO HOME. If you don't trust your employer, GO HOME to do anything you don't want them to see. GO HOME or use your own internet access.
Don't try to make this into some "privacy" issue. It's not.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Yes, it's actually extremely common. Google "SSL Interception", as that's the name of the feature that is advertised on hardware/software that performs this function.
This is why I never browse private web sites on work hardware. You simply do not know how they've mangled the machine, what all it is revealing or to whom. (That's right, most large companies actually outsource security, so all of your private account numbers and passwords are going to third parties that you don't know and never will, third parties who have been indemnified and are completely immune to any kind of action or recourse from you if they screw up.) If I want to browse the web, I use a VPN connection to my house and my own personal laptop. I don't use my work smartphone for Facebook or personal email, I have my own personal phone using my own provider. When I'm working from home and VPNed into the office, I don't use my personal workstation for any work stuff, except as a VirtualBox host for a work VM, which my company has altered through group policy and direct installation of software to be configured how they want.
It's a shame that in today's work environment we have to worry about such things, but if you think the NSA is bad about spying on you, it's small potatoes compared to what your own company does. Never trust your company to just be innocently looking for malware or other intrusion detection means. Never install any software or services on your personal equipment from your company, no matter how much more convenient it will make your life. (This includes, for example, accepting elevated permissions to connect to your work email on your personal phone.) Always assume that they're watching you, looking for anything that can be used to fire you, cancel your severance, or extort whatever they want from you, whether you're just a peon on the low rung of the corporate ladder or the CEO.
I've worked very closely with both the network and security people in a large multinational corporation, and I've seen firsthand the kinds of things they do. It ain't pretty. I've seen people leave because they have moral qualms with the kind of monitoring that goes on, and people screwed because something innocent that everyone does was turned into a major issue. I cannot emphasize this enough; never, ever, ever mix your personal life with your work life, especially when it comes to communications and technology.
This is extremely common for any number of reasons. And yes, the information does get logged. You are on the company's time when you are at work and they have the right to monitor what you are doing. You want your banking passwords not to get logged? Don't do online banking from work.
Here is an example of the software that my company uses, and it literally logs everything:
http://www.spectorsoft.com/products/SpectorPro_Windows/
SSL Bluelight extension for FF is designed specifically for users in these organizations to keep aware of the sites where organizational PKI based SSL inspection is occurring. Many organizations don't MitM all SSL traffic, just some categories, so it's often useful to have conspicuous notification when big brother is watching.
https://addons.mozilla.org/en-US/firefox/addon/ssl-bluelight/
When I worked for a "Large Corporation" I used SSH to my home computer and did my "surfing" over that connection, now I wonder how secure that was =)
"If any question why we died, Tell them because our fathers lied."
Most enterprises use products that have decent databases with which to categorize the browsable internet, and explicitly choose to not intercept financial and banking sites.
Pretty much every large enterprise forces everyone to sign something acknowledging that anything they do over the company network may be monitored and recorded. Assuming otherwise is really silly, regardless of the error messages, or lack thereof, displayed by your employer-supplied web browser.
So we know it's happening - it's not really "hidden" - so I'ts up to me if I want to use Facebook or GMail or whatever - knowing the connection could be snooped. If I don't like it - I can simply not use those services from work.
It is very common for a company to install a proxy server that decrypts traffic to the outside and inspects with a data loss prevention type tool. Proxy servers act as MITM attacks to be effective at decrypting SSL traffic so it can be inspected.
It is not as common that you would be allowed to connect to this employers network. Network access control should be in place to prevent vendors or employees from connecting potentially malware laden computers to the internal network. At the least, if you gained access to their network, the same proxy that performs the MITM attack should also be prompting for authentication to access the Internet.
SillyKing
In most, if not all, EU states this would be highly illegal. Not even a standard form written consent would allow such usually.
https://kc.mcafee.com/corporate/index?page=content&id=KB64350&cat=CLEANBOOT&actp=LIST
My last employer was running McAfee proxies (Linux with a proprietary app), and to my surprise they were *not* using this option.
It was at a McAfee class that the instructor pointed out this is a textbook MITM attack.
As the operator of the webserver, I certainly don't consent, even if the employee had no choice..
Is there any way to detect this server-side?
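Partly, yes. What a web server sees is the TLS ClientHello, and that is produced by whatever terminates TLS toward the server: the browser on a direct connection, or the intercepting proxy when it re-originates the session. HTTP headers such as User-Agent are copied through unchanged. So a JA3-style fingerprint of the ClientHello that does not match what the claimed browser family normally sends is evidence that something between the user and the server re-originated the TLS session. The same parser also shows what the "SNI inspection" mentioned earlier in the thread gets to see without any certificate games: the hostname travels in clear in the ClientHello. The block below is an added example, not code from this thread or from any product named in it; the two ClientHello messages and the "Firefox" baseline are constructed stand-ins, not captures of any real browser or proxy, and a real deployment would take the ClientHello bytes from a packet capture or the TLS stack in front of the server.

```python
"""Server-side heuristic for TLS interception: JA3-style ClientHello
fingerprint versus the client family the User-Agent header claims.
Added example; the ClientHello messages below are constructed."""
import hashlib
import struct

# GREASE values (RFC 8701) are randomised per connection; JA3 drops them.
GREASE = set(range(0x0A0A, 0x10000, 0x1010))


def parse_client_hello(record: bytes) -> dict:
    """Pull the JA3 fields and the SNI out of a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", p[:2])[0]
    off = 2 + 32                      # legacy_version, random
    off += 1 + p[off]                 # session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    ciphers = [struct.unpack("!H", p[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + p[off]                 # compression_methods
    exts, curves, formats, sni = [], [], [], None
    if off < len(p):
        end = off + 2 + struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        while off < end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            data = p[off + 4:off + 4 + elen]
            off += 4 + elen
            exts.append(etype)
            if etype == 0:            # server_name: list len(2) type(1) name len(2) name
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
            elif etype == 10:         # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:         # ec_point_formats
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "curves": curves, "formats": formats, "sni": sni}


def ja3_string(h: dict) -> str:
    """JA3 layout: version,ciphers,extensions,curves,point formats (decimal, '-' joined)."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(h["version"]), join(h["ciphers"]), join(h["extensions"]),
                     join(h["curves"]), join(h["formats"])])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


def interception_verdict(baseline: dict, user_agent_family: str, record: bytes) -> str:
    """Compare this connection's fingerprint with those previously seen for
    the client family the User-Agent claims. A mismatch is a hint, not proof:
    browser updates change fingerprints, so the baseline needs refreshing."""
    known = baseline.get(user_agent_family)
    if not known:
        return "no-baseline"
    return "consistent" if ja3_hash(record) in known else "possible-interception"


# --- constructed test input: a minimal ClientHello builder ---------------
def u16_list(values) -> bytes:
    return struct.pack("!H", 2 * len(values)) + b"".join(struct.pack("!H", v) for v in values)


def sni_ext(host: str) -> bytes:
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return struct.pack("!H", len(entry)) + entry


def build_client_hello(version: int, ciphers, extensions) -> bytes:
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"          # random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                              # null compression only
            + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed stand-ins, not captures of any real browser or proxy.
BROWSER_HELLO = build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B], [
    (0, sni_ext("example.com")), (10, u16_list([0x0A0A, 0x001D, 0x0017])),
    (11, b"\x01\x00"), (13, u16_list([0x0403, 0x0804])), (0x2A2A, b"")])
PROXY_HELLO = build_client_hello(0x0303, [0xC02F, 0xC030, 0x009C], [
    (0, sni_ext("example.com")), (10, u16_list([0x0017])), (11, b"\x01\x00")])

# Learned from connections known to come from real browsers on clean networks.
BASELINE = {"Firefox": {ja3_hash(BROWSER_HELLO)}}
```

With the constructed data, a connection whose User-Agent says Firefox but whose ClientHello fingerprints like the proxy is reported as "possible-interception". Treat it as a signal to investigate rather than a verdict: fingerprints drift with every browser release, some proxies deliberately mimic browser handshakes, and unusual clients (scripts, old browsers) produce the same mismatch for innocent reasons. Certificate pinning does not help here either; Chrome, for one, does not enforce pins against chains ending in a locally installed root, which is exactly the kind of root the Group Policy push creates.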
Long-time security worker here... here's my two cents. To answer the original question: how common is it? I don't know the exact stats, but I'd say it's common enough that you should just assume the company you work for is doing something like this unless they explicitly say they aren't (which I've read a few posters to this thread have said as much).

From my perspective, there's a major reason why a company would choose to implement such a technical control: to prevent loss of intellectual property or sensitive data. Because of encryption-in-transit techniques like SSL, it is very difficult to inspect such traffic for the presence of things the company is concerned about - things like source code, financial data, credit card info, health care info, etc. What's to stop an employee from emailing out the crown jewels through their Gmail account, assuming there are permissive web filtering policies in place? One answer is to inspect SSL traffic - and the way you do that is MITM. And not only are companies trying to stop disgruntled employees, they're also trying to stop malware - the trend now is for malware authors to no longer exfiltrate data using clear-text protocols like HTTP, but to encrypt it via HTTPS.

Keep in mind that a traditional defense in the distant past (10 or so years ago) for security folks has been wiretapping, and connecting the resultant data feed to some kind of inspection engine like an intrusion detection system. Increased use of encryption, both driven by right-thinking consumers and malware authors, defeats such wiretap efforts, so it's no longer effective to simply watch the data fly across the network; now security admins (or intrusive nation states) have to find creative ways to decipher it to see what the data looks like. MITM is a fairly cheap way to do this. I don't think most companies want to snoop your encrypted traffic outside of the above stated reason.
But some companies can/will abuse it and read your emails to see who you're sleeping with, if you have any side businesses going on, if you're looking for another job and sending out your resume, etc.
I work at a f500 in the security department. I can say for sure we don't, I would have raised a fit! That said... we're not in software.
I will say this though, beware of corporate PKI CAs... they can be loaded into your certificate stores via corporate images... for the suckers that run it...
Corp CAs can be just as dangerous if they specify a wildcard (again, we don't, but others might).
It's not an attack.
They almost certainly got their employees to sign or otherwise agree to an IT policy that allows this.
How common? Very common. Anywhere that deploys a decent web filter, most likely. Schools, colleges, universities, I've seen this in an awful lot of them.
Commercial places do it too. There's no difference. And if you're on work time, using work resources, including paid-for work connections then - guess what - they have a responsibility to monitor what you're doing with it. If they don't it could lead to all sorts of problems with their ISP, for example - you can't just say "Sorry, didn't know our employees were hacking other networks... but you can't cut us off for that", it does not wash.
If you don't want your employer to find out what you're doing...
WHY NOT... you're on work time, on work computers, on work resources - what the hell are you doing that they shouldn't know about?
Outside of that, use a personal device. Personal devices banned? Tough. Go outside and use it out there.
Your employer owns your computer network. They employ a guy whose responsibility it is to secure it, protect it, and ensure they can follow up on any reports of malicious or illegal behaviour - everything from internal abuse of database privileges to sending their customer database to a rival, to someone accessing child porn or "hacking" a rival company.
That person will have told you what they are doing and why. You just might not have read it first.
Don't like it? Don't browse Facebook on company time.
It's like saying "God, when my friends come into the shop, the guy who owns the shop could listen to us and time how long we're talking". Same thing, different technology.
There is privacy. There is personal privacy. And then there is the expectation of an employer to provide you with free, untraceable facilities that you could misuse to slack off or cause them damage. One of these does not fit inside a corporate workspace. Guess which one.
If they were spying in the toilets, fair enough.
If they were looking up your personal life from work, fair enough.
But they are monitoring what YOU are doing, in terms of non-work-related activities, while you're on work time and in work premises, on a work-provided resources.
And, no, unless it specifically says they won't listen at lunch time, you're still on work time. Because that network still needs protecting and auditing even at lunch time because you STILL have access to work data.
Don't like it, take your phone out with you for lunch and do your personal browsing there.
The argument is generally: we don't scan bank connections, we don't log your username/password, because we have these rules in place.
My argument is:
Does the legal/HR department know you can look at all their documents/passwords/records, but at the moment choose not to?
Did you inform all employees that we can now see your usernames/passwords/creds for all connections, but choose today not to log them?
Do you truly trust your admins not to mine this information? Seriously?
Who has your contract to install and maintain it?
Who watches the watchers? Policy?
What if the guys that broke into a large retail chain last year understood what the Blue Coat server contained or could log?
In the words of Dwarf Fortress, "Fun! Fun! Fun!"
Any company that uses Niksun appliances 'CAN' do this. A list of companies that use this hardware includes UPS, DoD, and Verizon.
My employer uses a proxy solution to perform content filtering. It's used to help human resources police personnel (URL filtering) and it's also used for malware inspection and download prevention. User IDs, passwords, etc. are not captured. This is all agreed upon by each employee as a part of the Internet usage policy they agree to when becoming employed. Each employee is reminded annually of the Internet use requirements. There is a clear understanding that all communications on our network are monitored and there should be no expectation of privacy when using corporate systems or networks. There are some sites (banking, insurance, HR related functions) that are not inspected as a part of the proxy solution. This is in order to allow the user to see the "green bar" when accessing some of their personal data.
If you're not decrypting SSL and have a DLP solution, your DLP solution is worthless.
It's entirely within the rights of a company to watch all the data that's leaving their network.
You should assume that you are being monitored. There is more spying via business than by governments and military. The illusion of privacy is exactly that. I found out when they tracked my post to slashdot during my lunch break.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
Wondering how a lot of these implementations handle if you go to a site with an invalid cert. Do they attempt to verify it or just replace it with a valid cert and then expose you to two layers of eavesdropping?
If the employer is logging everything you do on the computer that they own I would disagree with you. However, if the argument is simply related to a proxy server doing deep packet inspection and not logging anything I would agree with you. It really boils down to what is getting logged. The Internet Use policy is clearly defined, so as another poster above mentioned, if you are doing your banking on a device that you do not own you are already way into the risk category.
That is a very common occurrence and the reason why many people where I work conduct their personal business on a mobile device via the cellular network. And yes, I am posting this from my iPhone over cellular.
Yup. My employer does this. I think they decrypt and log everything for analysis if there's ever a data loss. They got burned pretty badly a few years ago, so the paranoia isn't completely unreasonable.
It's not difficult to work around. You can set up a VPN from home. The normal VPN configuration on the client blocks non-VPN networking, but you can get around that. Once you do that, it's easy to set up a ssh tunnel from a work desktop over the VPN to home and out. Then set up routing to go over the VPN connection for anything you want to keep private, and the company never sees it.
[posting anonymous for obvious reasons]
They've been doing it with McAfee Web Gateway at my office for years. Those using Firefox notice because of the separate certificate store not having the company CA, but IE and Chrome users are none the wiser.
. . . all private equity firms (private banks/leveraged buyout firms), hedge funds and most financial services companies. I'm surprised this is news to anyone?
I thought for sure that mine would, but after checking the GRC Fingerprint website and comparing the results to what I get on my phone and on my home internet connection, I don't think my SSL/TLS is being MITM'ed at work. There is indeed a mandatory proxy in the way between me and the public internet, but it lets encrypted traffic through as-is after filtering (accepting/denying) based on the DNS of the remote box.
In the real world, BYOD isn't always that simple. The moment an employer encourages their employee to do something on their own device rather than provide dedicated company equipment, there are issues of who has what access, who is responsible for what, etc. There are entire businesses making tools and consulting in this field right now, because that is how big a minefield it is becoming.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
We had a source code leakage through email, so first they did for google/yahoo/hotmail. Then they expanded it to any social network site. Now it's on every https site.
The latter "every" site sucks. Every site gets cert errors, and parts of the site work or fail oddly.
Buy your own computer/tablet/phablet, and if you need to do private stuff while at work, use your own 3G/4G or whatever. It is that simple. Don't use the company mail for private mail. Get your own cellphone for your private stuff. It is that simple. You can either have full control of your privacy, or you can save a few bucks by using your company's stuff for free. You cannot have it both ways. If you need more network bandwidth at work than you can transfer over a 3G network, in order to download or watch stuff which you don't want your employer to know about, then well ...
You, sir (or ma'am), are doing it right. This is precisely the thing that gets me so mad at companies today, that they view these issues as an IT problem, not an HR problem. So they spend hundreds of thousands of dollars (sometimes millions) in hardware, software, salaries, support contracts, and lost time when shit breaks, just so that management 1) won't have to do their jobs--you know, managing people, and 2) will have plausible deniability when someone does do something stupid. ("It's not my fault for not making sure my workers were working on what they were supposed to and not violating company policy; IT should have blocked that site!!!")
It's refreshing to see someone who actually gets where company policies should actually be enforced and where responsibility really ought to lie when there are gaps. Thank you!
Even if you could argue you have the Employee's compelled consent for this, you most definitely do not have the website's consent. If the website in question is based in a two-party consent wiretap state, I'm wondering if employers might in fact be committing a felony by tapping the website's communications back to the client?
As others have stated, I don’t think using a reverse proxy counts as a MITM attack, so I read your question as asking if it’s common for companies to snoop on the employees’ traffic to/from outside the company’s network.
To that, I answer yes. Usually it’s a company policy executed by the IT department to ensure employees are not sending company-confidential info out and to make sure they're not doing stuff like surfing porn sites. I’m fine with that.
But at one of my employers, a small company of ~60 employees, my colleagues snooped on my traffic because management and many of my colleagues wanted to know what was going on in my personal life. They would read my personal emails when I logged into my Yahoo! account (which didn’t offer HTTPS at the time) and then tell other colleagues in the company. Not cool. So I stopped reading my e-mail at work. They weren’t happy about that. That same employer had the line “All employees must divulge what goes on in their personal lives.” in the company’s Core Values document (which I only learned about 6 months into the job), but was immediately removed after I objected to it. They have since denied it ever existed.
One of which was a case where credit card information ended up being in the proxy logs of the company that was doing this :-(
I think the increased prevalence of HTTPS in the last 2 years has forced more companies to do it.
I work for a Fortune 500 and they quietly implemented this around the end of 2013. It breaks various installers that phone home to check licenses, it breaks automatic updates like Firefox, and secure file transfer sites don't work. But even the software engineers didn't notice it for quite a while since corporate IT pushed down certificates to everyone's machine. There are a few sites that they don't intercept, presumably because it would get them in trouble or interfere on too large of a scale. Ex: Some banks are not intercepted, neither is Microsoft.com since I bet that would break Windows Update.
This is scissored from http://security.stackexchange.com/questions/40892/what-are-the-risks-associated-with-ssl-interception-in-an-organization
The risks are about the same as those implied by giving to a designated security guard a key which opens all doors in a building. The guard becomes a valuable target; attackers will want to rob the guard or to bribe the guard, in order to obtain the golden key. Being all-encompassing, the key bypasses all procedures and security layers; you cannot isolate parts of the building from each other, if the potential attacker has a key which opens all doors.
Knowledge of the mere existence of an open-everything key in the hands of some security guard will make the users quite distrustful. Human users tend to value their privacy, and don't like the idea that someone will be routinely opening their desks and lockers and inspect the contents.
Beyond the key analogy, using SSL interception (with an organization-specific CA used to build MitM attacks on the fly) has the following specific consequences:
- On the desktop systems, the interception requires installation of the special CA certificate in the "trusted store". This installation has to be done again whenever a new OS is installed; users may remove it themselves; some Web browsers (in particular Firefox) will disregard the OS trust store and use their own. Thus, there is ample room for breakage here. This can be somewhat fixed by locking down the OS configuration and software installation, but the more you lock things down, the less happy the users become.
- The OS trust store may be used for other uses than mere SSL; it can be used to verify signatures on software updates and drivers, for instance. An attacker who succeeds in stealing the private key for the organization CA may thus gain extensive power on the whole network, not just the ability to intercept SSL connections (which is already a lot).
- The private key for the organization CA is thus sensitive, but cannot be protected with high isolation layers, because that special CA, by construction, must be able to issue fake SSL server certificates on the fly. So it must be online, on a server which is "close to the Internet".
- Such MitM interception breaks certificate-based client authentication. https:// Web sites very rarely use client certificates, but I have seen it done by some banks to authenticate their customers (at least as part of experimental deployments).
- In many jurisdictions, automatic inspection of user's communications by the employer is lawful, but subject to some conditions, usually an explicit notification right there in the employee's contract. There can be legal risks related to such interception (similarly to reading letters, tapping on the phone and installing video cameras in offices). Some detour through the law department is strongly advised.
So we can say that while organizational SSL interception allows for inspection of SSL-downloaded contents (thus antivirus and other filters can be applied on the proxy), it also opens new vulnerabilities. Thus, the overall security situation might be worsened by the installation of such system.
It is fairly common. However, for the company I work for, it is only for logging which sites the employees visit, rather than collecting the contents of the traffic. In other words, we can detect that you visit, say, Hotmail to look at your personal account, but we do not collect the contents of your emails. While our company policy does not explicitly say we monitor Internet traffic, we do have an entry that says something along the lines of "company resources are to be used for company only."
If a user starts visiting job sites during company time, we'll know and look out for any nefarious activity for that user.
If a "user" starts visiting several malicious websites, we'll know and act immediately to contain the infection. I don't know how many times this has helped me detect 0-day malicious programs within the organization.
This is very common in the military and in defense contractors, and it happens elsewhere too. There is a reason for it. Many of these organizations are worried about malicious stuff going in and/or exfiltration of non-public data going out. Employer MITM makes it easy to examine every packet for these kinds of things (to counter them). In the US, at least, it's generally accepted that employer equipment is owned by the employer, and thus they expressly have the authority to examine what goes over their own network... and as a condition of employment or computer use you probably signed something agreeing to this. I'm not a fan of this approach, but it certainly happens.
Open source software that implements crypto protocols (e.g., SSL or SSH) will (correctly!) report that there's a MITM attack. So if you want to actually *use* the software in such settings, someone has to configure the software to trust the MITM. Some admins will do this automatically. If not, you may need to do it yourself. E.G., on Firefox, install the organization's certificate.
You configure Linux systems to work in these environments, but since the certs are often files in Windows aka DOS aka CP/M format, you need to convert the files as well as put them into somewhere useful. Here's one way to deal with it.
On Fedora, given a bunch of .crt files, you can do this:
  dos2unix *.crt                                  # strip CRLF line endings so the PEM parses
  cat *.crt >> /etc/pki/tls/certs/ca-bundle.crt   # append the corporate CAs to the system bundle
On Ubuntu, you can do this given a bunch of .cer files:
  dos2unix *.cer
  rename 's/\.cer$/.crt/' *.cer                   # update-ca-certificates only picks up .crt files
  ca=/usr/share/ca-certificates
  mkdir -p $ca/MYORG
  cp *.crt $ca/MYORG
  cd $ca
  ls MYORG/* >> /etc/ca-certificates.conf         # register each MYORG/<name>.crt as trusted
  update-ca-certificates                          # rebuild /etc/ssl/certs from the conf
You could avoid appending to the file if you want to, but I'll leave that as an exercise for the reader.
- David A. Wheeler (see my Secure Programming HOWTO)
And even if it isn't, if you're using their hardware, they could easily have keyloggers, screen grabs, etc. I always heard rumors at MS that they had a division just responsible for looking at random screen captures from employee machines to make sure nothing inappropriate was happening.
Anyway, this is why I got in the habit of using my own hardware. Most workplaces have at least a guest network you can access, and if it's your hardware they won't have access to alter the CA so they won't be able to MITM you. If you must look at personal stuff at work, bring a netbook or tablet or something, and use that. Otherwise, be prepared to accept that they may see way more private stuff than you expect.
I've seen this question posted multiple times... I'm guessing the editors jump at the "outrage" in the post...
Just about every web filter sold will do this (Cisco IronPort, Blue Coat, M86, Websense, yada yada). The intent is to make sure that you're not downloading malware via the SSL connection. Just because a site has SSL doesn't mean it's not otherwise compromised.
I support one of these solutions and we don't give a crap about what's in the stream beyond "is it malware"... otherwise, surf away... (well, and porn... the ownership frowns on porn, so we block that outright...)
As a self-employed person, I totally spy on everything I do. In real time. I feel like such a voyeur / exhibitionist, because I DO know that I'm spying on myself, but it doesn't really alter my behavior. Plus, if I complain, I'll just explain that I own the hardware, so hard cheese.
Probably. And I honestly don't give a shit if they do. The only thing I browse at work are work related sites. The only thing I care about is when the stupid firewall blocks me from getting to a site which I'm only trying to access for work reasons. Still, that does at least let me send sarcastic e-mails to IT.
My company does it, and it isn't for malicious reasons of spying on their users. It is done so that IDS and IPS can actually detect malware downloads and C2 communication over SSL. I suspect that's the primary reason most other companies do it as well. If they don't, the company can't adequately detect or remediate most modern malware.
Detection of exploit kits via HTTP monitoring is one of our primary indicators of compromise, so this information is vital.
To add some information to the conversation... As a consultant that implements and integrates HTTPS inspection for many different companies, this is a common practice for the benefit of inspecting traffic for security threats (malware, hacks, bot channels, etc.), data leakage, legal risks, and productivity loss reasons. However, corporations are not interested in your banking or health information. Typically, those site categories are NOT even inspected, by configuration of the equipment. Bypassing inspection for financial and health sites is the number one most common rule to implement during an inspection project. Businesses are interested in protecting their interests, not your financial or health info.
Anything other than work is wasting company time. Do personal tasks at home. They can do whatever they want if it's their hardware, software, and data connections. You sign a document in the beginning that generally states this. As a vendor you do this as well.
And it's usually (in the UK at least) covered in the Computer Use Policy, and other associated policy documents that employees would be required to read, agree to and sign.
I have an idea: when an invalid certificate is detected, the communication should continue, but a second negotiation should be started immediately. There would be two layers of encryption, only one breached. It would require support in both the server and the client, for example Chrome when loading Gmail. Of course, this requires the browser to control its own root certificate database and that the proxy not enforce strict HTTP content in the decrypted stream.
https://techlib.barracuda.com/... About 2-3 dozen customers a week are setting this up.
Really?
Someone lends you a computer for a certain purpose, and states, in writing, that they are watching what you do with their computer.
How can that be illegal?
This is quite common as it's the only way to tell what traffic is passing through in any detail. This is done for content control reasons in work environments ie making sure staff only access required sites or not access inappropriate sites (eg porn) over HTTPS.
https://www.grc.com/fingerprin... posts fingerprints for some common sites so you can compare them with what you get in your Web browser.
The browser is indicating to the user that end-to-end security is in effect, when its actually been subverted. That, more than anything, puts it in the MITM attack category.
A proxy is an MITM because it terminates your request for a website, makes its own request to that website, then once it receives the content from said website, delivers it to you. An SSL proxy does the same thing for HTTPS-based content. It should not be a surprise that corporate devices trust the certificates signed by the corporate proxy.
There are many reasons for implementing an SSL Proxy, the primary reason is security. Web-based malware has transitioned almost exclusively to delivery over HTTPS. If the corporation is not inspecting HTTPS traffic for malicious code, then they are ignoring a significant portion of their web traffic, upwards of 40% and growing. This means no URL Filtering, Malware Scanning, Intrusion Prevention or other security measures are applied to almost half of all web traffic.
Still sticking with the security angle is outbound security, whether it is Data Loss Prevention, Botnet Command and Control or other exiting traffic that the company wishes to prevent, you are still only seeing about half of it without SSL inspection.
Typically, SSL proxies have the ability to control what sessions are decrypted and which ones aren't. This is usually tied to a URL Filtering package that identifies the category of website being requested based on URL or URI. Then policy is designed so that requests for banking and health care sites don't get decrypted.
Many security conscious companies do use SSL proxies and unfortunately, many do not. The ones that don't occasionally make the headlines, like Target and Adobe did recently. Sadly for them it wasn't for record breaking profits, it was because of mandatory breach disclosure laws and a security perimeter that is only about 50% effective. While this was bad for Target, it was also bad for the tens of thousands of Target customers who had their private information leaked. And Adobe lost 40Gigs of proprietary source code as well as customer data.
So, if you work for a company that does use SSL proxies, you can be pretty sure the purpose and intent is not to spy on YOU the employee, but to make sure that the company is doing everything it can to protect itself, its customers and even YOU its employee from the criminals who seek to steal information like credit card data, social security numbers, intellectual property and other private data.
the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site
Is this the reason why, when I use Firefox at work, it issues complaints like these?
You have asked Firefox to connect securely to www.yahoo.com, but we can't confirm that your connection is secure.
You have asked Firefox to connect securely to www.google.com, but we can't confirm that your connection is secure.
Worse than any company rule, my wife intervened: I go locked to work with a "CB". Not sure if she wanted to have as a side effect that all those great looking female students were no-go from there on.
Geez, do your private stuff on your own phone. Why waste your time with the cripple company systems?
Excuse me, but please get off my Pennisetum Clandestinum, eh!
You are on a company network - they are responsible for what gets done on their systems and internet connections - so what's the surprise?
Many of the hotels I've stayed in over the years, both major chains and smaller boutique hotels, and in several countries, have attempted to MITM my secure mail server or HTTP sessions. Similarly I caught the Qantas lounge in Sydney trying this a few years ago. I never use hotel internet any more or airline lounges' wifi - it's just too creepy.
Intrusion protection and web filtering aren't MITM attacks. Neither is snarfing up all the network packets using a proxy or some other method. From my understanding, a true MITM is where I intercept your traffic and steal either your client's or a server's credentials.
But the sad thing is most employees don't pay attention to the IT code of conduct and truly understand that their email, banking, Facebook (etc.) passwords, credit card details, and HIPAA data (because of the outsourced payroll and health insurance sign-up forms) are now being captured and possibly logged internally by people not bound to secure or keep private that data.
My use case is our floor workers all have very restricted access to the internet at their non-user specific workstations. Since we use Google apps for our mail here I needed a way to allow access to our corporate gmail, but not their personal ones. Since all accounts are on the google.com domain I can't just block via fqdn, I need something to intercept which account they are accessing and restrict based on that.
Heck, google even documents how to do it right here https://support.google.com/a/a...
You will see this behavior pretty frequently if you SSL offload with an F5 or if you filter SSL websites with Blue Coats. I'm sure there are a slew of other legit apps that also do this. E.g. we blocked YouTube, but everyone knew that to bypass this you could go to https://youtube.com/, so we started intercepting SSL certificates to block the traffic. In our case, we only intercepted SOME SSL traffic depending on destination to avoid the issue you're discussing, but presumably if we just intercepted all and filtered after the fact, you would have seen the same issue.
even to read and post rants on slashdot?!
actually, I check all my various accounts from my work machine. I assume my employer is capturing info but is not mining it.
The client computer must be compromised for this to work. This is not MITM. The client is participating in the "attack".
Using an untrusted computer is always dangerous: keyloggers, scrapers, custom DNS. Laptops are security devices.
Don't do anything on a work machine you wouldn't do if it was being shown on a 50" TV above your head. They actually have a white list of sites that they 'trust' and do not do MITM - banks mainly, but a search on Google defaulting to HTTPS is not secure.
Building a transparent linux-based proxy/firewall/gateway with sslstrip/ssldump is sexy.
2000+ employee firm in Boston and London
mandatory install of iphone profile to enable the MITM to work "transparently"
Well in all the countries I have lived and worked so far (not the US) this would clearly be illegal. How is it not illegal in your country? Did you inform the police?
This is exactly why I've removed/revoked the trust of the corporate issued certificates. I get warnings when using internal sites, but I also don't get intercepted.
Although I'm given to understand that VeriSign et al. offer turnkey solutions for this where you can plug in any keypair of your own to their device and it will automatically perform these attacks.
All that is required to use it is a trusted certificate & key, which, by the way, certificate authorities are in a position to sell.
So it may be that my revocation of the corporate certs don't actually secure me. Assuming IE/Windows issues with policy-installed or auto-downloaded trusted certs can be avoided.. (I'm running Firefox)
Moxie's solution of distributed trust and certificate pinning would still provide some protection.
From looking at certification chains, I can see that my employer (a state government) MITMs Google (even though GMail is blocked), and probably other sites that I haven't noticed, but they do not MITM banks, at least not the two I visit occasionally from work. I haven't done much investigation beyond that.
Riverbed Steelheads can do this to optimize SSL traffic for WAN optimization. While this could be considered a good use of MITM for a company, and I wouldn't exactly fault a company for wanting to optimize their SSL traffic on their own WAN, it's still a kind of scary prospect if a company's Riverbed setup were ever to be "pwnd" by a "hax0r," particularly if it was set up wrong.
So, if this is a work machine and you're using Windows, I'm going to guess you're on IE. If not, you can find similar steps for other browsers, though.
1) Connect to an HTTPS site.
2) Find the "Lock" icon in the address bar (it should be on the right side).
3) Click on it; the exact result of doing this will vary by version but you should get some info about the security of the connection.
4) Click on "View Certificates" (on IE10+ this is right in the little box that appears when you click the icon; I don't have an older version available to check).
5) Check each certificate in the chain of trust. Under the General tab, look at Issued By. Also look up the "chain of trust" to check the signing certificates in the Certification Path tab.
They should be signed by known certificate authorities (if you aren't sure whether a given company is a known CA, look it up online). If the cert is instead signed by your employer or something like that, you're pwned.
First, we have the empirical evidence: The Democrat Obama administration is doing WAY more than the Republican Bush43 admin did... that's the FACT on the table. Now, admittedly, this may be wholly, or in part, a purely temporal argument; i.e. it's possible that this is just the more-recent guy building on the previous guy. It is, however, empirically WRONG to assert that Democrats care more about your personal privacy than Republicans.
Second, it depends on the TYPE of Republican. Establishment Republicans (includes so-called RINOs) like the Bush family and the Romney family have always campaigned as conservatives but then operated in office like big-government Democrats (bigger government, more government power, more government control, etc. and big government entanglements with big business). Conservatives, Libertarian-leaners, and TEA-Party Republicans, on the other hand, are actually in favor of smaller government and less snooping (which is why they freak out establishment Republicans and Democrats alike). In all likelihood, if you elect a Romney or a Bush you get the same big intrusive government as if you elect an Obama or a Clinton. If you elect a Paul or a Cruz.... not so much. The one CERTAINTY is that ANY Democrat gets you bigger government, more spying on citizens, more rules and laws telling citizens what to do, what to think, etc.
In politics you can almost never get everything you want... you have to prioritize. If you decide you just cannot STAND some position of a Paul or a Cruz, then you are probably going to vote for an Obama or a Clinton. That's fine.... it means you have decided that one position was more important to you than all the other stuff.... but then shut up about the rest; you made your bed now sleep in it. If you decided that one thing was more important than being spied-on and groped, etc then buck-up and smile while you get spied-on and groped - that's the option you chose.
The Man In The Middle Defense.
Organizations following a risk management strategy often employ a myriad of controls to mitigate risks. One risk other commenters have pointed out is the outbound data flow inside encrypted tunnels, in this case, an SSL tunnel. Malicious persons could use an SSL tunnel to defeat Intrusion Detection/Prevention Systems, and to move data in and out of a network (bring trojans in, and exfiltrate data out). If your organization is paying attention, they should do this to manage the risk, or accept the risk, and permit SSL.
An Information Security professional can help people understand the risk, so they can make an informed decision, eliminate, mitigate, or accept the risks.
In the United States, people do have an expectation of privacy unless that expectation is removed, often through an employee handbook, an acceptable use agreement, and/or a login banner. IANAL, but my understanding is that monitoring of employees by the corporation is legal providing they also remove the expectation of privacy. Check with your lawyer if you have doubts.
Clearly you perceive this as malicious in intent, but I assure you from sitting on the other side of the table, that this control can help detect malicious traffic. True, it can be abused, as can any system, so you should be asking management who's watching the watchers. That's fair. But I would not use company resources for personal use, such as banking, facebook, day-trading, etc. I would instead expect a corporation to monitor Internet usage, and plan accordingly.
Yep.
We do exclude URL categories shopping, health-and-medical, government, and financial-services.
We also do inbound decryption where the firewall does MITM for inbound http, outlook web, etc., inspects it, re-encrypts it and passes it to the appropriate DMZ server. Same with DMZ to internal.
If you work for Comcast, you're getting MITM inspected routinely.
For company stuff I use browser A (where the certs are accepted). For everything else, I tether to my phone and use an outside link.
I would like to ask a stupid question. If my employer is doing this, and I'm using Chrome to look at, say, https://mail.google.com/, when I click on the little green lock next to the URL to view the Certificate Information, and my company's name is NOT present (the cert path is GeoTrust Global / Google Internet Authority / mail.google.com), can I trust that to mean my company is not intercepting that traffic? Or can my company make it appear this way and still be intercepting my traffic? I suspect there are a number of people who would like to know the answer to this. I'm hoping it's not as stupid a question as it sounds.
--PK (Tech Junkie / Junk Techie)
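The issuer check in the IE walk-through above (step 5) and PK's question about a chain that still shows GeoTrust / Google Internet Authority come down to the same two openssl checks: who is named as the issuer, and whose key actually produced the signature. The script below is an added example, not code from the thread or from any vendor; it assumes openssl is on PATH, and every CA and host name in it is constructed for the demo (the "Google Internet Authority" CAs it mints are throwaway self-signed certificates, not the real intermediate).

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce an employer-style
# interception chain with openssl and show the two checks that expose it.
# Assumptions: openssl is on PATH; all names below ("Corp Internal CA",
# "Google Internet Authority", mail.google.com) are constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Mint a self-signed CA with the given CN; writes <name>.key and <name>.crt.
mint_ca() {
    name="$1"; cn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$name.key" -out "$name.crt" -subj "/CN=$cn" >/dev/null 2>&1
}

# Issue a leaf certificate for HOST signed by CA <ca>.key/<ca>.crt; writes <out>.crt.
mint_leaf() {
    ca="$1"; host="$2"; out="$3"
    openssl req -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$out.csr" -CA "$ca.crt" -CAkey "$ca.key" \
        -CAcreateserial -out "$out.crt" >/dev/null 2>&1
}

# Check 1 (step 5 of the IE walk-through): who is named as the issuer?
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Check 2: does the leaf really chain to the CA it claims? Prints "trusted"
# or "untrusted". The signature decides, not the issuer string.
verify_against() {
    ca="$1"; leaf="$2"
    if openssl verify -CAfile "$ca.crt" "$leaf.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Scenario A: the proxy's CA (the one pushed out by Group Policy) issues a
# certificate for mail.google.com. The issuer field gives it away.
mint_ca corp "Corp Internal CA"
mint_leaf corp mail.google.com leaf_corp

# Scenario B (PK's question): a proxy could copy the *name* of a public
# intermediate into its own CA. Two CAs with identical subjects but different
# keys: only the one whose key signed the leaf verifies it.
mint_ca real_gia "Google Internet Authority"
mint_ca fake_gia "Google Internet Authority"
mint_leaf fake_gia mail.google.com leaf_fake

issuer_of leaf_corp.crt            # names Corp Internal CA as issuer
verify_against corp leaf_corp      # trusted (the pushed CA is in the store)
issuer_of leaf_fake.crt            # names Google Internet Authority as issuer
verify_against real_gia leaf_fake  # untrusted: name matches, signature does not
verify_against fake_gia leaf_fake  # trusted only against the impostor CA
```

The practical reading: an issuer name you recognise is not proof of anything on its own, because a proxy can put any string in the subject of its CA; what a browser actually checks is the signature chain back to a root in the machine's store. So an interposing proxy can only show you a chain ending in a CA that is installed on your machine, and if the machine is managed (Group Policy, login scripts) that store is under the employer's control, which is why the usual advice is to check the root of the chain against a store you control, such as a portable browser or your own device.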
What on earth is a "CB"?
Looks like it is very common. My current employer does it, and the one before it did it also. It's very annoying.
Sure, any place with a high enough number of assets, yes, it should be expected, though I would be extremely untrusting of people and your bank accounts, since you don't exactly vet these operators. And occasionally they will also pop up a fake version of the site and ask you to re-input your password. Classic bad guy technique.
Though I'm uncertain which portion anyone should get affronted at: the fact that you expected privacy on a non-owner network, or the meta - the fact that the netops think you expected privacy but you don't, or the more mundane - the inability of netops to distinguish extension services on browsers.
Information is like technology. It's not how much you have, it's how you use it that is the differentiating factor.
Internal company policies still cannot violate the sanctity of client-attorney confidentiality, as can be observed in the Supreme Court ruling of the 2010 Stengart vs Loving Care Agency case. http://en.m.wikipedia.org/wiki/Stengart_v._Loving_Care_Agency
This all raises an interesting question: Imagine that I need to purchase something for work. If I don't have a company credit card, and if it is allowed by company policy, I might purchase such an item using a personal credit card on my work computer and ask for reimbursement later. Now imagine that there is a data breach in the IT department with the result that the proxy server log falls into the wrong hands and the black hats have my credit card information. Imagine they use that information to make a much larger purchase. Would my company be liable to the credit card company because their interception of the communication resulted in a tangible loss to the credit card company? Or should they be made to eat the loss? I think Visa would have a very good case against such a company, since their negligence in protecting the intercepted data exposed Visa to a loss it had seemingly defended against by using https.
Shall we focus on how one can detect this situation?
Case 1: One has access to the network ... Start your own browser, see the certificate warning.
- Bring your own trusted device: laptop / tablet /
Could the device also be abused?
Case 2: One has limited access to the system
- Start your own Portable Firefox on a USB key, with standard certificates. See the certificate warning.
Is there any other tool?
Case 3: One has access to a kiosk or similar locked system
- Assume everything is logged, don't trust. Poor configurations may be worked around to visit any web site, but don't type any password on it.
My employer just blocks all non-work related HTTPS traffic. Some supplier sites use HTTPS and they work, but most other sites don't.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
In most of the EU it is illegal, though, to do it this way. But BOFHs don't care.
This is extremely common. A lot of newer firewalls have it built in and it is basically just a checkbox and configuring a CA. Palo Alto prevents issues with banking by allowing a company to perform SSL decryption on all traffic, but exclude decryption on certain categories of sites. Therefore, you can perform decryption, but not decrypt banking sites. And, btw, even those "HTTPS" VPNs will often use IPSEC after the initial authentication. SSL is usually a fallback.
My feeling is there exists a trust that must be established between a good productive employee and their employer. Personally I feel if I will be fed, and feed my family by the company that I spend a lot of my time at, then I should both know what they are up to, how they make money, and be proud of it.
What I cannot understand is, if you don't trust the company you work for, then why would you ever use their facility for anything outside of what they ask you? Honestly you should quit and open your own business or work for someone with whom complete transparency can be had. Vice versa, if a company doesn't trust its employee, why would it not just fire said employee?
All of us worker bees have personal lives and need to do other things than be a robot; if the company wants robots let them work on making them. If I wanted to be a robot then I wouldn't be able to write this because I would be working...
If you choose to be a corporate robot, more power to you... just make sure you know what you're signing, and when they can your butt for checking on your kid in childcare while at one of their PCs, then don't complain.
Peace....
Seems this could expose the employer to other liabilities. How about if the employee was looking up something online that exposed he/she had a medical issue the employer wasn't aware of, or was in-the-closet.
Employee gets fired for other reasons, finds out employer was sniffing his/her email and/or searches, sues for wrongful dismissal and discrimination.
I'm guessing "Chastity Belt".
Yep, but I chuckle far too often.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
And a little paranoid, don't you think? With totally legit tools like orvell you don't need to do such nasty things like MITM.
And it's one of the reasons I left. It was all part of the erosion of the "cool place to work" ethos that was there when I joined them.
If you can, vote with your feet. I totally appreciate that not everyone can. But if you can, do. And make sure that your employer knows about it. Also, it helps to inform the unaware masses if you know about it -- most of the people at my old work didn't know, and that, in and of itself, is possibly worse than the actual act.
If your employer has a group policy that can push a CA to your computer, then they don't even need a proxy to sniff you. They could just as easily push a keyboard logger.
If you don't trust your AD admin, gtfo.
Hi, technology guy for K-12 school district. We actively do this, use our firewall to MITM and fake proxy the SSL cert, decrypt and do deep packet inspection. All for network security and to remain compliant with CIPA. "You signed the acceptable use policy which states we do this, so you're welcome for the paycheck", is the general motto.
NIST 800-53 rev. 4 discusses this topic, so it seems like it's going to become more common. http://nvlpubs.nist.gov/nistpu...
In my work at a major website we had reports from users that they were seeing account pages for other users. Account pages were SSL, so we assumed problem was at our end since nobody should have been able to intercept them. Great consternation and mystery on our side. Users were also very upset and pointing fingers at us about it.
After looking across the reports we realized they were all coming from the same company. That company was actually caching our pages and giving out secure account pages to the wrong people from the cache on their end. I figured out it was bluecoat proxy from looking at the request headers.
Company was a European company, btw. I guess they don't care so much about privacy after all.
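The Bluecoat incident above is a shared cache storing per-user authenticated pages, which an origin can forbid with the right Cache-Control directives. The check below is an added example, not code from the thread or from the poster's site; the two HTTP responses in it are constructed for the demo, and the function applies the shared-cache rule from RFC 7234 (a response marked `private` or `no-store` must not be stored by a shared cache such as a corporate proxy).

```shell
#!/bin/sh
# Added example (not from the original thread): decide from the Cache-Control
# header whether a *shared* cache (e.g. a corporate proxy) may store a
# response. The sample responses below are constructed for the demo.

# Reads an HTTP response from stdin. Returns 0 if a shared cache may store it,
# 1 if the origin forbade that with "private" or "no-store" (RFC 7234 s.3).
shared_cache_may_store() {
    # Pipeline ends in tr so a missing header yields an empty string, not an error.
    cc="$(grep -i '^cache-control:' | tr -d '\r' | tr 'A-Z' 'a-z')"
    case "$cc" in
        *no-store*|*private*) return 1 ;;   # origin: not for shared caches
        *) return 0 ;;                        # no prohibition: proxy may cache it
    esac
}

# An account page served without cache directives. A cookie does not stop a
# shared cache from storing it, so the proxy may hand it to the next user.
LEAKY='HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc

<html>account page for alice</html>'

# The same page with the directives an authenticated response should carry.
SAFE='HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: private, no-store
Set-Cookie: session=abc

<html>account page for alice</html>'

# Prints a one-word verdict for the response text passed as $1.
classify() {
    if printf '%s\n' "$1" | shared_cache_may_store; then
        echo cacheable-by-proxy
    else
        echo not-cacheable-by-proxy
    fi
}

classify "$LEAKY"   # cacheable-by-proxy
classify "$SAFE"    # not-cacheable-by-proxy
```

Run it against a real response with `curl -sD - -o /dev/null https://example.test/account | shared_cache_may_store` (a hypothetical URL) to find out whether your own authenticated pages are giving an interposing proxy permission to cache them.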
If someone's banking info is abused then the company is liable no matter how many stupid rules the company has to attempt to protect itself.
You watch. If it hasn't happened already.
The company shouldn't have to worry about this sort of thing *as* much if they hire decent, self-respecting employees. Avoid the derelicts of the unwashed masses and the problem of theft is so remote that it might happen .001% of the time. The problem is that in IT you can have shifty people that do a helluva job, but may not have other aspects such as common decency or care for certain "old-age etiquette".
On what planet? There is ZERO reason a company should be performing MITM attacks on its employees. UNLESS it is done by some red team that has been hired to check out security. And even those logs of employee information (i.e. banking info, e-mail passwords, etc.) should be destroyed. This preserves employee faith in the company and builds trust.
If someone is stealing or embezzling it would be pretty obvious after a while (they'll spend the money eventually).
If a company is employing MITM as a "security" measure it'd give me reasons to second guess my trust in such an employer. Not only that, it could potentially give an actual attacker a way in to actually steal such info. But beyond that it would make me start guessing about the motives about such a company not just from an employee perspective, but also a business one. What kinds of other things does such a company employ?
Also, nowhere does Sarbanes-Oxley state that a MITM attack is a necessary method to collect financial data for reporting. Whoever suggested that is blathering nonsense. The only thing I could think of is some internal policy to keep trade secrets, theft of engineering plans, or some government contracting need (i.e. creating some sort of encryption that is illegal to export) to keep projects safe.
Our AUP invites employees to not do anything they don't want us to know about using our equipment or on our network.
Either I don't understand your comment or you don't understand copyright law. How does having decrypted copies of your data violate your copyright claims? Re-publishing it as their own, yes - that would violate copyright.
Second, "laws against unauthorized computer access" - what laws are those? I'm wondering if you are just making this up based on what you presume the laws say.
More obviously, username Joe accessed your website, which you explicitly authorized. Joe is the one not keeping your information private.
My old employer did it! Technically, it is a violation of HIPAA if employees do anything related to their benefits on the corporate network.
can't beat'em