Slashdot Mirror


Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.

In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.

My question: How common is it for employers to perform MITM attacks on their own employees?"
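As an added example, not from the submission or any of the commenters: the Go check below flags a server's leaf certificate as intercepted when it validates only against a locally installed root (such as one pushed by Group Policy) and not against a pinned set of public roots, while a certificate that fails under both stores is reported as an ordinary certificate error. The CA names, the host maps.example.com and the mkCert fixture are constructed for the demonstration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
var serial int64 // serial counter for the constructed fixture certificates
// mkCert builds a constructed test certificate for cn: a self-signed root when
// parent is nil, otherwise a certificate issued by parent. Fixture, not a real PKI.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Intercepted reports whether leaf, presented for host, is trusted only because of a root
// in the local (system / GPO-pushed) store; it returns an error if leaf is invalid under both stores.
func Intercepted(leaf *x509.Certificate, host string, publicRoots, systemRoots *x509.CertPool) (bool, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: publicRoots}); err == nil {
		return false, nil // chains to a public root: not intercepted
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: systemRoots}); err != nil {
		return false, err // untrusted everywhere: a real certificate error, not interception
	}
	return true, nil // trusted only via a locally installed private root
}
```

In practice publicRoots would be a pinned copy of a public root bundle and systemRoots the OS trust store, so the function tells a user whether the "green padlock" comes from a public CA or from a root their employer installed.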

9 of 572 comments

  1. Re:Not MITM by trigeek · · Score: 5, Insightful

    This is a Man-in-the-Middle if the end-user is not notified of it.

    --
    Sometimes I doubt your commitment to SparkleMotion!
  2. Paranoia by jbmartin6 · · Score: 4, Insightful

    My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees

    A completely baseless assumption. I have worked with several organizations who do this "attack" to protect themselves from malicious traffic. I have not yet seen any that logged content. The legal and regulatory risks in doing this are too high to do this sort of data collection.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  3. Re:Evil? by RatherBeAnonymous · · Score: 4, Insightful

    At my last job I did this to a limited extent. I decrypted filesharing sites and services so that I could scan files for viruses at the gateway before they made it to a computer. However, financial and medical industry sites were specifically excluded from decryption, due to the liability issues, and we publicized the fact that we were scanning encrypted traffic.

    There are genuine uses for the technology. More and more sites are going to SSL all the time. That makes it impossible to sniff the traffic for viruses and intrusions. For schools and libraries, many of which are required to filter for content, unencrypted SSL prevents the content filters from working correctly. I expect that more employers will turn to this in the near future. Doesn't everyone expect

  4. Re:Evil? by TheCarp · · Score: 5, Insightful

    Honestly I WOULD entirely agree if not for the MITM aspect.

    If they really want to do that, set up a proxy and whitelist allowed sites. Deny SSL connections. Fine. Silent MITM attacks expose people in an unsuspecting manner; in ways that it's unrealistic to expect most employees outside of IT to understand.

    --
    "I opened my eyes, and everything went dark again"
  5. Re:Yes they did. by JohnFen · · Score: 4, Insightful

    In the US, this is totally legal, although there may be disclosure requirements (I'm not sure). The "my system, my rules" argument wins. My workplace does this, and they informed me that they do this when I was hired.

  6. Re:Maybe the company's not actually doing it? by JohnFen · · Score: 5, Insightful

    The company does not own the employee, and does not own the server that the employee is talking to, and so it really is a MITM attack. The company is the middle.

    Your advice is on the nose, though. It is impossible to trust any employer run system, and therefore you should never, ever do anything of a personal nature on company systems. Even if, as where I work, using the company systems for reasonable personal use is allowed.

  7. Re:Yes they did. by houghi · · Score: 4, Insightful

    Same in Belgium and I would guess the rest of Europe. In Europe the laws tend to lean more towards users and not companies. Also more towards privacy.

    Several places I worked have been VERY upfront on what they were doing. Most also worked with whitelists. The majority of people do not need any internet access anyway. Next they place several Internet PCs on several places, so people can look up their facebook during their breaks.

    This makes it safer for everybody, although when new staff arrives I tell them that the public PC is not something I would do any banking on, because I have NO idea how safe it really is and it is THEIR fault if somebody robs their bank by using a public PC.

    Also an up-front explanation that company mail may not be used for personal use. As the Internet computers are available (obviously separated from the rest of the network. They even have a separate internet connection.) there is no excuse to do that.

    What I hate is companies who focus on people looking at porn. Why is watching 4 minutes of porn worse than 4 hours of BBC news? One giggled perhaps a bit and the other did not work for half a day. To me the second is way worse.

    --
    Don't fight for your country, if your country does not fight for you.
  8. DING DING DING!!! by KingSkippus · · Score: 5, Insightful

    You, sir (or ma'am), are doing it right. This is precisely the thing that gets me so mad at companies today, that they view these issues as an IT problem, not an HR problem. So they spend hundreds of thousands of dollars (sometimes millions) in hardware, software, salaries, support contracts, and lost time when shit breaks, just so that management 1) won't have to do their jobs--you know, managing people, and 2) will have plausible deniability when someone does do something stupid. ("It's not my fault for not making sure my workers were working on what they were supposed to and not violating company policy; IT should have blocked that site!!!")

    It's refreshing to see someone who actually gets where company policies should actually be enforced and where responsibility really ought to lie when there are gaps. Thank you!

  9. Re:Yes they did. by maxwell+demon · · Score: 5, Insightful

    For example, I have to pay travel expenses from my own money, and then get them reimbursed afterwards. That is, I may have a legitimate reason to access my bank account in order to e.g. pay my flight. But that doesn't give my employer the right to access my banking password (and possibly look what's going on in my bank account).

    Also, if I'm not allowed to access my bank account from the company network, the right thing is not to decrypt it, but to block it.

    --
    The Tao of math: The numbers you can count are not the real numbers.