Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?
New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.
In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.
My question: How common is it for employers to perform MITM attacks on their own employees?"
Yes, that is exactly what my company did. They got ratted out when they let the CA expire, but the argument was "Our hardware, our rules."
The usage rules stated something along the lines of they had the right to inspect and alter packets on the company owned network, so there you go...
Never answer an anonymous letter. - Yogi Berra
I'm not sure why they would need to do that as a routine task. It's fairly broad and consumes resources. It'd be pretty funny if you mentioned it to their IT Director and he replied with "huh?"
Second question: how evil is this practice?
-kgj
I own my company, and no... I don't do this to my employees.
I have warned people who've abused the system (I had some casual employees who spent inordinate amounts of time on Facebook, and I've had to clamp down on music downloads that could have gotten me into trouble) but I generally use HR methods rather than technological methods to take action.
This is not a MITM attack -- it is a trusted proxy. The employees all trust the proxy, so everything works as it should. You don't trust the proxy, so you get a certificate validation error, so everything works as it should.
that your assumption is incorrect. Some firewalls do deep inspection, looking for malware coming from websites, via email, etc. They'll do SSL MITM to allow that to work. It doesn't necessarily mean they're doing anything nefarious.
"National Security is the chief cause of national insecurity." - Celine's First Law
I lost a client because I refused to setup something similar.
It depends on the company and its policies, of course, but this is not that uncommon. I would say that in most cases this is not for spying on the employees but rather for protecting them by letting IDS/IPS systems read the network traffic even when SSL is used, to find botnets, infected hosts and malware. But the solution sure makes it *possible* for the company to spy on the employees, and my personal opinion is that a company using this technique should make sure the employees know that SSL is being intercepted.
It's perfectly legitimate practice on a company network to intercept encrypted traffic. Security devices used for things like intrusion protection and data leakage prevention can't work properly if all you need to circumvent them is an encrypted connection, and you really want that kind of security these days if you're using a large company network, whether you're the company management, the company employees, or the company's customers/clients.
Doing it without making anyone using the network fully aware of the possibility, however, is quite a different matter, unless employees clearly aren't allowed to use company systems for personal use at all. If you've been told occasional personal use is OK and they're covertly MITMing your online banking session on your lunch break or similar, that is highly inappropriate.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
It's more likely they are running the traffic through an IDS/IPS rather than logging everything. It's also likely that well-known banking sites are excluded and just passed through. It does use quite a lot of resources to scan the traffic, after all.
IDS/IPS https://en.wikipedia.org/wiki/...
Don't put the actual text of your comment in the title. All the information should be in the body of the comment, and the comment should be fully understandable without the title.
In some cases you need to know everything that is going out the door. For example if your company is the target of industrial espionage the last thing you want is your trade secrets going out through your firewall.
I would expect a lot of companies are doing this along with other similar measures.
We deal with highly sensitive client data. All network traffic is inspected. The employees are well aware of it because it is explicitly mentioned during new hire orientation / on boarding.
As someone that recently spec'd out new firewall hardware for a medium sized company I found this 'feature' available on the latest, greatest boxes. This is the newest way for companies to run Intrusion Detection (for instance looking for CCs or key words in documents leaving the network) as well as throttling Bit Torrent and other undesirable traffic hidden in encryption. I would expect this to become the norm in the next couple of years as Gartner repeatedly writes that thorough IDS is best practice on networks in this day and age. Personally I felt like a mini-NSA and declined to roll this feature out - but I have the luxury of being the decision maker at a small company. If I was spec'ing gear for an enterprise--I'm pretty sure the hunger for latest and greatest to protect IP from the unwashed masses would prevail.
It's true that this sort of system needs to be set up carefully, and probably with the aid of both technical and legal advice if the administrator isn't an expert in this area.
Saying that, with a properly configured set of devices, it is possible to pass encrypted traffic through a security device that temporarily decrypts the data to scan it but never logs or discloses the full data set itself, so nothing sensitive is ever recorded or put in front of human eyes. There is also technology available that will cut payloads off packets or mask them out so logging tools only see the packet headers, and this kind of technology is often used for compliance with HIPAA, PCI DSS, and similar sensitive areas.
Of course, if the administrator didn't choose to use those facilities, or if they set them up incorrectly, their systems could be doing all sorts of things that potentially violate various data protection laws depending on jurisdiction.
My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees
A completely baseless assumption. I have worked with several organizations who do this "attack" to protect themselves from malicious traffic. I have not yet seen any that logged content. The legal and regulatory risks in doing this are too high to do this sort of data collection.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
It's retarded to carry out personal transactions over office hardware. As many have pointed out, once "in" the workplace, you ain't got any rights.
Also, it's worth noting that the kinds of devices that do this are often used for compliance with rules like HIPAA or PCI DSS. You can't demonstrate that you aren't allowing sensitive data out of a supposedly secured part of your network if you can't actually see what you're allowing out of it...
Don't expect privacy on a work PC.
The fact that people still do not get this amazes me!
and in a sentence beginning with "Beware of the leopard".
I don't see why the contract has to declare the version of Apple BSD on which the trusted proxy runs. Otherwise, they'd need to get everyone to sign off on "Beware of the mavericks".
If they do decrypt personal traffic, would they be responsible for any medical data they intercept, thus triggering HIPAA?
Not if they tell you not to use the corporate network for personal business.
I don't know if my company does this. I wouldn't be surprised if they do; many folks have already mentioned reasons why it might be desirable (for them) that aren't malicious.
But I want to know whether it's happening so I can decide if I want to change my behavior. How would I go about checking for such things on a Windows 7 Professional laptop?
it's actually fairly common for any fairly new generation firewall that does Deep Packet Inspection for Intrusion Prevention, Content Filtering, etc. The firewall has to be able to view the data unencrypted to scan it for the "normal" stuff. Nothing overtly hostile in the intent there, just the way it works.
To err is human, but to really foul things up requires a computer
This is a very common way to solve the problem of "how do we do a virus scan on files coming in through https?" Many organizations run a proxy server for all web requests to be able to filter content, and to do anti-virus checks, but obviously it needs to view the unencrypted content to be able to do a scan. Otherwise any employee could be downloading malicious content straight through your firewall and bypass all the checks you have in place.
"I have never let my schooling interfere with my education." - Mark Twain
in many countries regulations prevent snooping of traffic to websites related to health or banking
Watch for language in your employment agreement to the effect: "Employees outside the group health insurance and financial departments MUST NOT access health or banking sites through the company network."
The message has been, if you want privacy, use your mobile device (and don't vote for Democrats and their spy programs).
Do you honestly think that a Republican government wouldn't do just as much spying?
A previous employer, a game company whose name rhymes with lizard, uses MITM proxy ... All their machines use their custom cert so that their made-up cert shows 'green' on the location box when any user uses a secure web site.
No sig. Move along - nothing to see here.
I worked for a nuclear technology company and they set up a box which did this on the guest network. I threw up all sorts of warnings why this was a bad idea but our network security guy who cared nothing about the businesses and government entities we came into contact with, insisted that this is the way it should be done. Eventually some form of it disappeared while some other aspects remained. But seriously, how do you think the various large utilities and the NRC would feel about their secure traffic being sniffed while their representatives and executives are in the office?
Kinda breaks some trust issues doesn't it?
It's not a violation if the company isn't bound by HIPAA regulations. In this case, for a generic corp, it's just a terminal and internet access.
Is it just my observation, or are there way too many stupid people in the world?
I also expect them to be very aware of who you call from the phone at your desk.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
The author is an idiot and doesn't get what's going on. By default, Cyberoam products do this. They issue their SSL cert to everyone at the company and then intercept all 3rd party ones to check them. They claim their list of revoked certificates is better than your browser's or whatever. I turned the feature off because it broke ActiveSync and like 8 other things.
This is very common in large, enterprise-class businesses with significant numbers of PCs dedicated to end-users, as this methodology is used in various ways to provide security (to the enterprise, while simultaneously robbing the end-user of theirs in favor of the business'). The services provided by companies like ZScaler would be perhaps the most common use of these types of MITM attacks.
"Inveniemus Viam Aut Faciemus" 'We will find a way... Or we will make one!' --Hannibal of Carthage
My employer does this, using Bluecoat, and doesn't tell anybody about it. Even my colleagues who are programmers aren't necessarily aware of it.
What's bizarre is the Bluecoat proxy will claim in its boilerplate that it's doing it for network security reasons, but.... they issue everyone in the company a laptop and actively encourage employees to take their laptops home at night. None of the new-hires even have a desktop at all, and veterans only get to keep an old desktop if they can prove the OS licensing is independent of the licensing the IT group administers.
So... network security? Prevention of funneling company secrets out through the firewall? Ha.
Sheesh, really? Man in the Middle "attack"? Give me a break.
If you are using an employer's resources to surf the internet just figure that *everything* you do is monitored. If you don't want to be monitored, GO HOME. If you don't trust your employer, GO HOME to do anything you don't want them to see. GO HOME or use your own internet access.
Don't try to make this into some "privacy" issue. It's not.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Yes, it's actually extremely common. Google "SSL Interception", as that's the name of the feature that is advertised on hardware/software that performs this function.
This is why I never browse private web sites on work hardware. You simply do not know how they've mangled the machine, what all it is revealing or to whom. (That's right, most large companies actually outsource security, so all of your private account numbers and passwords are going to third parties that you don't know and never will, third parties who have been indemnified and are completely immune to any kind of action or recourse from you if they screw up.) If I want to browse the web, I use a VPN connection to my house and my own personal laptop. I don't use my work smartphone for Facebook or personal email, I have my own personal phone using my own provider. When I'm working from home and VPNed into the office, I don't use my personal workstation for any work stuff, except as a VirtualBox host for a work VM, which my company has altered through group policy and direct installation of software to be configured how they want.
It's a shame that in today's work environment we have to worry about such things, but if you think the NSA is bad about spying on you, it's small potatoes compared to what your own company does. Never trust your company to just be innocently looking for malware or other intrusion detection means. Never install any software or services on your personal equipment from your company, no matter how much more convenient it will make your life. (This includes, for example, accepting elevated permissions to connect to your work email on your personal phone.) Always assume that they're watching you, looking for anything that can be used to fire you, cancel your severance, or extort whatever they want from you, whether you're just a peon on the low rung of the corporate ladder or the CEO.
I've worked very closely with both the network and security people in a large multinational corporation, and I've seen firsthand the kinds of things they do. It ain't pretty. I've seen people leave because they have moral qualms with the kind of monitoring that goes on, and people screwed because something innocent that everyone does was turned into a major issue. I cannot emphasize this enough; never, ever, ever mix your personal life with your work life, especially when it comes to communications and technology.
Let me guess. Your corporation has an 'exception' to the professional conduct guidelines when management computers are involved.
When I worked for a "Large Corporation" I used SSH to my home computer and did my "surfing" over that connection, now I wonder how secure that was =)
"If any question why we died, Tell them because our fathers lied."
So we know it's happening - it's not really "hidden" - so it's up to me if I want to use Facebook or GMail or whatever, knowing the connection could be snooped. If I don't like it, I can simply not use those services from work.
It is very common for a company to install a proxy server that decrypts traffic to the outside and inspects with a data loss prevention type tool. Proxy servers act as MITM attacks to be effective at decrypting SSL traffic so it can be inspected.
It is not as common that you would be allowed to connect to this employer's network. Network access control should be in place to prevent vendors or employees from connecting potentially malware-laden computers to the internal network. At the least, if you gained access to their network, the same proxy that performs the MITM attack should also be prompting for authentication to access the Internet.
SillyKing
As the operator of the webserver, I certainly don't consent, even if the employee had no choice..
Is there any way to detect this server-side?
Long time security worker here... here's my two cents. To answer the original question: How common is it? I don't know the exact stats, but I'd say it's common enough that you should just assume the company you work for is doing something like this unless they explicitly say they aren't (which I've read a few posters to this thread have said as much). From my perspective, there's a major reason why a company would choose to implement such a technical control: to prevent loss of intellectual property or sensitive data. Because of encryption-in-transit techniques like SSL, it is very difficult to inspect such traffic for the presence of things the company is concerned about - things like source code, financial data, credit card info, health care info, etc. What's to stop an employee from emailing out the crown jewels through their Gmail account, assuming there are permissive web filtering policies in place? One answer is to inspect SSL traffic - and the way you do that is MITM. And not only are companies trying to stop disgruntled employees, they're also trying to stop malware - the trend now is for malware authors to no longer exfiltrate data using clear text protocols like http, but to encrypt it via https. Keep in mind that a traditional defense in the distant past (10 or so years ago) for security folks has been wire tapping, and connecting the resultant data feed to some kind of inspection engine like an intrusion detection system. Increased use of encryption, driven both by right-thinking consumers and by malware authors, defeats such wiretap efforts, so it's no longer effective to simply watch the data fly across the network; now security admins (or intrusive nation states) have to find creative ways to decipher it to see what the data looks like. MITM is a fairly cheap way to do this. I don't think most companies want to snoop your encrypted traffic outside of the above stated reason.
But some companies can/will abuse it and read your emails to see who you're sleeping with, if you have any side businesses going on, if you're looking for another job and sending out your resume, etc.
It is not "extremely common" for employers to log employees' banking passwords or other credentials. By all means produce some evidence if you think I am wrong.
My employer uses a proxy solution to perform content filtering. It's used to help human resources police personnel (URL filtering) and it's also used for malware inspection and download prevention. User IDs, passwords, etc. are not captured. This is all agreed upon by each employee as a part of the Internet usage policy they agree to when becoming employed. Each employee is reminded annually of the Internet use requirements. There is a clear understanding that all communications on our network are monitored and there should be no expectation of privacy when using corporate systems or networks. There are some sites (banking, insurance, HR related functions) that are not inspected as a part of the proxy solution. This is in order to allow the user to see the "green bar" when accessing some of their personal data.
How is it not an attack? I don't understand the argument.
You should assume that you are being monitored. There is more spying via business than by governments and military. The illusion of privacy is exactly that. I found out when they tracked my post to slashdot during my lunch break.
FINRA rules too.
Not really.
State the law they are breaking by fulfilling their legal obligations to monitor the security and integrity of their OWN computer network.
There isn't one. It just depends on whether they access that data as a source of personal information or not, and then they are at best subject to the Data Protection legislation - which pretty much is fine so long as you inform people of what you're doing (which all these places will do, with an AUP for the network).
Don't do crap on company time that you think you have to hide from the company. And that counts what you do at lunchtime, as I bet they don't (and can't reasonably) make a distinction between those actually on a lunch break using the machines for personal purposes and those working through lunch using the machines for company purposes.
That is a very common occurrence and the reason why many people where I work conduct their personal business on a mobile device via the cellular network. And yes, I am posting this from my iPhone over cellular.
Yes, look into tethering.
(Posting as AC because I lost my ~1997 account long ago and can't bear the shame of a new one with a high uid)
Suck it up, buttercup! I lost my old (5 digit UID) account long ago, and had to make a new one. The shame passes with time.
. . . all private equity firms (private banks/leveraged buyout firms), hedge funds and most financial services companies. I'm surprised this is news to anyone?
In the real world, BYOD isn't always that simple. The moment an employer encourages their employee to do something on their own device rather than provide dedicated company equipment, there are issues of who has what access, who is responsible for what, etc. There are entire businesses making tools and consulting in this field right now, because that is how big a minefield it is becoming.
We had a source code leakage through email, so first they did it for google/yahoo/hotmail. Then they expanded it to any social network site. Now it's on every https site.
The latter "every" site sucks. Every site gets cert errors, and parts of the site work or fail oddly.
Buy your own computer/tablet/phablet, and if you need to do private stuff while at work, use your own 3G/4G or whatever. It is that simple. Don't use the company mail for private mail. Get your own cellphone for your private stuff. It is that simple. You can either have full control of your privacy, or you can save a few bucks by using your company's stuff for free. You cannot have it both ways. If you need more network bandwidth at work than you can transfer over a 3G network, in order to download or watch stuff which you don't want your employer to know about, then well ...
You, sir (or ma'am), are doing it right. This is precisely the thing that gets me so mad at companies today, that they view these issues as an IT problem, not an HR problem. So they spend hundreds of thousands of dollars (sometimes millions) in hardware, software, salaries, support contracts, and lost time when shit breaks, just so that management 1) won't have to do their jobs--you know, managing people, and 2) will have plausible deniability when someone does do something stupid. ("It's not my fault for not making sure my workers were working on what they were supposed to and not violating company policy; IT should have blocked that site!!!")
It's refreshing to see someone who actually gets where company policies should actually be enforced and where responsibility really ought to lie when there are gaps. Thank you!
I'm surprised Chrome users don't get errors as a result of Google's hardcoded certificate pinning?
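The question earlier in the thread about how to check a Windows 7 laptop for this, and the remark above about Chrome's pinning, both come down to looking at who issued the certificate the workstation actually receives. (Chromium deliberately does not enforce its built-in pins when the chain ends at a locally installed root, which is why a GPO-pushed CA produces no pinning error.) The script below is an added example, not code from any poster or product in the thread. It uses only the Python standard library: it connects with the OS trust store (where a Group-Policy CA lives, so the handshake succeeds), flattens the issuer as `getpeercert()` reports it, and compares the leaf certificate against a corporate CA name and against a baseline fingerprint the user is assumed to have recorded earlier from a network the employer does not control. The `ssl.enum_certificates` call is a real Windows-only API; the names `ACME` and `Example Public CA` in the comments are constructed.

```python
"""Detect whether the HTTPS certificate this machine sees for a site was issued
by an enterprise/private CA (for example one pushed out by Group Policy) rather
than the public CA you would expect.  Added example; not code from the thread."""
import hashlib
import socket
import ssl


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def issuer_fields(peercert):
    """Flatten the 'issuer' entry of ssl.SSLSocket.getpeercert() into a dict.
    getpeercert() reports each RDN as a tuple of (attribute, value) pairs."""
    fields = {}
    for rdn in peercert.get("issuer", ()):
        for attribute, value in rdn:
            fields[attribute] = value
    return fields


def classify(peercert, der, baseline_sha256=None, corporate_ca_names=()):
    """Decide whether the presented leaf looks like an interception certificate.

    baseline_sha256: fingerprint of the same site's certificate recorded earlier
        from a network the employer does not control (assumed to exist).
    corporate_ca_names: substrings identifying the organisation's own CA
        (assumption: the user knows or can guess the name pushed to the PC).
    """
    findings = []
    issuer = issuer_fields(peercert)
    issuer_text = " ".join(issuer.values()).lower()
    for name in corporate_ca_names:
        if name.lower() in issuer_text:
            findings.append("issuer matches corporate CA name %r" % name)
    fp = fingerprint(der)
    if baseline_sha256 is not None and fp != baseline_sha256.lower():
        findings.append("fingerprint differs from baseline taken on an uncontrolled network")
    return {"issuer": issuer, "fingerprint": fp,
            "intercepted": bool(findings), "findings": findings}


def fetch_and_classify(host, port=443, **policy):
    """Connect using the OS trust store (so a GPO-pushed CA is trusted and the
    handshake completes) and classify the leaf certificate that is presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert(), tls.getpeercert(binary_form=True), **policy)


def windows_root_fingerprints():
    """On Windows, fingerprints of every certificate in the ROOT store; None elsewhere.
    Diffing this set against a clean install reveals an extra trust anchor."""
    if not hasattr(ssl, "enum_certificates"):  # Windows-only API
        return None
    return {fingerprint(cert) for cert, encoding, _trust in ssl.enum_certificates("ROOT")
            if encoding == "x509_asn"}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "maps.google.com"
    # Constructed CA name fragments; replace with the CA name from the local store.
    print(fetch_and_classify(target, corporate_ca_names=("Internal", "Corp")))
```

A fingerprint mismatch on its own is only a hint, since sites rotate certificates; the issuer check is the stronger signal, and the root-store diff on Windows tells you which anchor was added even before you connect anywhere.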
Even if you could argue you have the Employee's compelled consent for this, you most definitely do not have the website's consent. If the website in question is based in a two-party consent wiretap state, I'm wondering if employers might in fact be committing a felony by tapping the website's communications back to the client?
Taking just interception of banking logon details as an example:
Misuse of Computers Act.
Human Rights Act.
Regulation of Investigative Powers Act.
Data Protection Act.
A whole bunch of other laws about obtaining confidential information that is nothing to do with the business.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
One of which was a case where credit card information ended up being in the proxy logs of the company that was doing this :-(
I think the increased prevalence of HTTPS in the last 2 years has forced more companies to do it.
I work for a Fortune 500 and they quietly implemented this around the end of 2013. It breaks various installers that phone home to check licenses, it breaks automatic updates like Firefox, and secure file transfer sites don't work. But even the software engineers didn't notice it for quite a while since corporate IT pushed down certificates to everyone's machine. There are a few sites that they don't intercept, presumably because it would get them in trouble or interfere on too large of a scale. Ex: Some banks are not intercepted, neither is Microsoft.com since I bet that would break Windows Update.
Check out "PDAnet" for an app that doesn't require the phone to be "rooted". Or google "tethering" for your phone type.
(note: PDAnet requires the ability to install software on the PC)
Keep in mind that on most "unlimited" plans this is against the TOS.
And depending on your corporation it may (probably does) violate their HR policies.
This is very common in the military and in defense contractors, and it happens elsewhere too. There is a reason for it. Many of these organizations are worried about malicious stuff going in and/or exfiltration of non-public data going out. Employer MITM makes it easy to examine every packet for these kinds of things (to counter them). In the US, at least, it's generally accepted that employer equipment is owned by the employer, and thus they expressly have the authority to examine what goes over their own network... and as a condition of employment or computer use you probably signed something agreeing to this. I'm not a fan of this approach, but it certainly happens.
Open source software that implements crypto protocols (e.g., SSL or SSH) will (correctly!) report that there's a MITM attack. So if you want to actually *use* the software in such settings, someone has to configure the software to trust the MITM. Some admins will do this automatically. If not, you may need to do it yourself. E.g., on Firefox, install the organization's certificate.
You can configure Linux systems to work in these environments, but since the certs are often files in Windows aka DOS aka CP/M format, you need to convert the files as well as put them somewhere useful. Here's one way to deal with it.
On Fedora, given a bunch of .crt files, you can do this:
dos2unix *.crt ; cat *.crt >> /etc/pki/tls/certs/ca-bundle.crt
On Ubuntu, you can do this given a bunch of .cer files:
dos2unix *.cer ; rename 's/.cer$/.crt/' *.cer ; ca=/usr/share/ca-certificates ; mkdir -p $ca/MYORG ; cp *.crt $ca/MYORG ; cd $ca ; ls MYORG/* >> /etc/ca-certificates.conf ;
update-ca-certificates
You could avoid appending to the file if you want to, but I'll leave that as an exercise for the reader.
- David A. Wheeler (see my Secure Programming HOWTO)
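The one-liners above assume the exported files are already PEM and only need their CRLF line endings stripped. In practice a .cer exported from Windows is often raw DER, and `cat`-ing DER into a bundle silently adds nothing. The script below is an added example (mine, not David Wheeler's or any distribution's tooling) that handles both cases with the standard library: it normalises CRLF PEM, wraps DER as PEM with `ssl.DER_cert_to_PEM_cert`, drops duplicates by fingerprint, and writes one `.crt` per certificate into a directory that `update-ca-certificates` scans. It assumes one certificate per input file; the directory name `MYORG` is a placeholder taken from the post.

```python
"""Stage Windows-exported CA certificates (.cer/.crt, PEM-with-CRLF or DER) as
LF-terminated PEM files for a Debian/Ubuntu trust store.  Added example."""
import base64
import hashlib
import os
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def to_pem(raw):
    """Return the certificate as LF-terminated PEM text, whatever the input form."""
    if PEM_BEGIN.encode("ascii") in raw:
        # PEM, possibly with DOS line endings: normalise to LF.
        text = raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n").decode("ascii")
        return text.strip() + "\n"
    # Otherwise treat it as DER (the default "Export Certificate" format on Windows).
    return ssl.DER_cert_to_PEM_cert(raw)


def der_bytes(pem):
    """Recover the DER body of a single PEM certificate (used for fingerprinting)."""
    body = pem.split(PEM_BEGIN)[1].split(PEM_END)[0]
    return base64.b64decode("".join(body.split()))


def stage(files):
    """files: dict of filename -> bytes.  Returns [(name.crt, pem_text)] with
    duplicate certificates (same SHA-256 of DER) removed, first name wins."""
    seen = set()
    staged = []
    for name, raw in sorted(files.items()):
        pem = to_pem(raw)
        fp = hashlib.sha256(der_bytes(pem)).hexdigest()
        if fp in seen:
            continue
        seen.add(fp)
        crt_name = os.path.splitext(os.path.basename(name))[0] + ".crt"
        staged.append((crt_name, pem))
    return staged


def write_staged(staged, dest_dir):
    """Write the staged PEM files into dest_dir; returns the paths written."""
    os.makedirs(dest_dir, exist_ok=True)
    paths = []
    for crt_name, pem in staged:
        path = os.path.join(dest_dir, crt_name)
        with open(path, "w") as fh:
            fh.write(pem)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Usage: python stage_certs.py DEST_DIR file1.cer file2.crt ...
    # e.g. DEST_DIR = /usr/local/share/ca-certificates/MYORG (MYORG is a placeholder),
    # then run `sudo update-ca-certificates`.
    dest, inputs = sys.argv[1], sys.argv[2:]
    blobs = {p: open(p, "rb").read() for p in inputs}
    for written in write_staged(stage(blobs), dest):
        print("staged", written)
```

Putting the files under /usr/local/share/ca-certificates/ means `update-ca-certificates` picks them up without editing /etc/ca-certificates.conf by hand; on Fedora/RHEL the equivalent is /etc/pki/ca-trust/source/anchors/ followed by `update-ca-trust`, which also survives package upgrades that would overwrite a bundle you appended to directly.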
If they do decrypt personal traffic, would they be responsible for any medical data they intercept, thus triggering HIPAA?
Note: this is a gross oversimplification, but accurate relative to this story and what you're asking ...
HIPAA has to do with patient data, not medical data. If you're not a patient of the company doing the deep inspection, then there's no issue, and there's still no issue if you signed an appropriate HIPAA waiver, even if you ARE a patient and the company in question IS a hospital. If you go to HealthVault or some other site with *your* health records in it, and they are decrypting it, that's not HIPAA in the sense you're talking about.
Hell, even if they were shuffling the SSL traffic to a cloud service hosted by a 3rd party to do the scanning, AND you were a patient, AND the 3rd party was decrypting the data, that is just fine as long as the right paperwork is in place between the two companies.
What you're describing would still be visible to someone using their own device on the network, or if they checked the computer's list of trusted certificates and found the one that allowed the firewall to do this.
I actually disagree that companies have an absolute right to do this. Whatever your policy may say, employees are going to do personal tasks at work. Some activities would fall in to a grey area:
- Signing up for direct deposit may involve logging on to your bank to get your acct #
- Some new health insurance plans incentivise participation in "healthy living" programs, including filling out surveys about your personal habits on your health insurance website, that should not be intercepted
- Emergency communications (which may still be over e-mail, or SMS via google voice)
Even logging in to one's personal e-mail is to be expected. Except in cases where such security is legally mandated, I don't think it's ethical to implement something like this. Even in cases where it is mandated, a "secure mode" would be better. Perhaps keep the really secure corporate information in a VM that is subject to SSL interception, but provide a non-intercepted browser with no access to the secured data.
The right to protest the State is more sacred than the State.
Probably. And I honestly don't give a shit if they do. The only thing I browse at work are work related sites. The only thing I care about is when the stupid firewall blocks me from getting to a site which I'm only trying to access for work reasons. Still, that does at least let me send sarcastic e-mails to IT.
Yeah, I had a sig once; I got bored of it.
This type of thing mostly requires the client computers to trust a CA that the firewall uses, so the ISP would need administrator style access to the target machines. Unlikely.
So as long as you're clean, there should never be a worry.
Sounds kind of Soviet...
My company does it, and it isn't for malicious reasons of spying on their users. It is done so that IDS and IPS can actually detect malware downloads and C2 communication over SSL. I suspect that's the primary reason most other companies do it as well. If they don't, the company can't adequately detect or remediate most modern malware.
Detection of exploit kits via HTTP monitoring is one of our primary indicators of compromise, so this information is vital.
Note: The only example the OP has about this is Google Maps, which is not a banking site.
Most proxies have a built-in (often on by default) passthrough for SSL to banking, health, and finance sites, which bypasses the MITM scanning of those sites.
Also, most proxies don't have a method of actually seeing what was decrypted. It's generally decrypted, scanned, passed through, and discarded. No logging of personal info, other than the authenticated username (domain credentials, so information the company already knows) and the site you went to.
Is it that different than your boss overhearing you discussing your medical conditions on your work phone?
If you don't want them to know about it, don't use their equipment to communicate about it.
https://techlib.barracuda.com/... About 2-3 dozen customers a week are setting this up.
No. Unless they are a medical institution, and the information is available to unauthorized people, then there'd be no question that it's perfectly fine, and HIPAA compliant. It's not a violation of HIPAA to overhear your mother talking about her condition with someone else, then run around telling everyone else about it. There may be other issues with that, but HIPAA isn't one of them.
That and the last I looked, there were still zero fines for unauthorized sharing of information, just fines for failure to release records when required to do so. HIPAA was *more* about giving you access to your own records than blocking others from it, but they lumped them together because that made sense at the time.
Learn to love Alaska
trust me, it is. a big part of the new law is 50 shades of stupid.
Onda Technology Institute
If they do decrypt personal traffic, would they be responsible for any medical data they intercept, thus triggering HIPAA?
Not if they tell you not to use the corporate network for personal business.
Setting a company policy does not relieve them of following the law if it applies.
By your standards, my writing my medical data on the side of your house puts you at risk. Sorry, but that is not how it works.
The browser is indicating to the user that end-to-end security is in effect, when it's actually been subverted. That, more than anything, puts it in the MITM attack category.
A proxy is an MITM because it terminates your request for a website, makes its own request to that website, then once it receives the content from said website, delivers it to you. An SSL proxy does the same thing for HTTPS-based content. It should not be a surprise that corporate devices trust the certificates signed by the corporate proxy.
There are many reasons for implementing an SSL Proxy, the primary reason is security. Web-based malware has transitioned almost exclusively to delivery over HTTPS. If the corporation is not inspecting HTTPS traffic for malicious code, then they are ignoring a significant portion of their web traffic, upwards of 40% and growing. This means no URL Filtering, Malware Scanning, Intrusion Prevention or other security measures are applied to almost half of all web traffic.
Still sticking with the security angle, there is outbound security: whether it is Data Loss Prevention, Botnet Command and Control or other exiting traffic that the company wishes to prevent, you are still only seeing about half of it without SSL inspection.
Typically, SSL proxies have the ability to control what sessions are decrypted and which ones aren't. This is usually tied to a URL Filtering package that identifies the category of website being requested based on URL or URI. Then policy is designed so that requests for banking and health care sites don't get decrypted.
Many security conscious companies do use SSL proxies and unfortunately, many do not. The ones that don't occasionally make the headlines, like Target and Adobe did recently. Sadly for them it wasn't for record breaking profits, it was because of mandatory breach disclosure laws and a security perimeter that is only about 50% effective. While this was bad for Target, it was also bad for the tens of thousands of Target customers who had their private information leaked. And Adobe lost 40Gigs of proprietary source code as well as customer data.
So, if you work for a company that does use SSL proxies, you can be pretty sure the purpose and intent is not to spy on YOU the employee, but to make sure that the company is doing everything it can to protect itself, its customers and even YOU its employee from the criminals who seek to steal information like credit card data, social security numbers, intellectual property and other private data.
the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site
Is this the reason why, when I use Firefox at work, it issues complaints like these?
You have asked Firefox to connect securely to www.yahoo.com, but we can't confirm that your connection is secure.
You have asked Firefox to connect securely to www.google.com, but we can't confirm that your connection is secure.
Worse than any company rule, my wife intervened: I go locked to work with a "CB". Not sure if she wanted to have as a side effect that all those great looking female students were no-go from there on.
What about web sites with fake/invalid certificates? On a MITM-proxied connection, the user sees a trusted certificate instead. That's not protecting you - it gives a false sense of security in situations when the user should be wary.
Geez, do your private stuff on your own phone. Why waste your time with the cripple company systems?
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Many of the hotels I've stayed in over the years, both major chains and smaller boutique hotels, and in several countries, have attempted to MITM my secure mail server or HTTP sessions. Similarly, I caught the Qantas lounge in Sydney trying this a few years ago. I never use hotel internets any more or airline lounges' wifi - it's just too creepy.
I used to have a better sig than this, but I got tired of it
My use case is our floor workers all have very restricted access to the internet at their non-user specific workstations. Since we use Google apps for our mail here I needed a way to allow access to our corporate gmail, but not their personal ones. Since all accounts are on the google.com domain I can't just block via fqdn, I need something to intercept which account they are accessing and restrict based on that.
Heck, google even documents how to do it right here https://support.google.com/a/a...
Pluralitas non est ponenda sine neccesitate
You will see this behavior pretty frequently if you SSL offload with an F5 or if you filter SSL websites with Blue Coats. I'm sure there are a slew of other legit apps that also do this. E.g. we blocked YouTube, but everyone knew that to bypass this you could go to https://youtube.com/, so we started intercepting SSL certificates to block the traffic. In our case, we only intercepted SOME SSL traffic depending on destination to avoid the issue you're discussing, but presumably if we had just intercepted all and filtered after the fact, you would have seen the same issue.
even to read and post rants on slashdot?!
actually, I check all my various accounts from my work machine. I assume my employer is capturing info but is not mining it.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
The client computer must be compromised for this to work. This is not MITM. The client is participating in the "attack".
Using an untrusted computer is always dangerous: keyloggers, scrapers, custom DNS. Laptops are security devices.
Verbum caro factum est
Websense makes devices to do this. I have a couple of customers that use it. It does tend to fuck up some websites though.
I browse on +1 so AC's need not respond, I won't see it.
Don't do anything on a work machine you wouldn't do if it was being shown on a 50" TV above your head. They actually have a white list of sites that they 'trust' and do not do MITM - banks mainly, but a search on Google defaulting to HTTPS is not secure.
Building a transparent linux-based proxy/firewall/gateway with sslstrip/ssldump is sexy.
the only permanence in existence, is the impermanence of existence.
2000+ employee firm in Boston and London
mandatory install of iphone profile to enable the MITM to work "transparently"
That means relying on the whitelist to be a) accurate and b) kept up to date. Not particularly reassuring.
Even intercepting the OP example breaches the laws I listed although most people don't give two hoots if their GMaps traffic is snooped. They do have a problem with financial sessions being intercepted however...
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
Well in all the countries I have lived and worked so far (not the US) this would clearly be illegal. How is it not illegal in your country? Did you inform the police?
From looking at certification chains, I can see that my employer (a state government) MITMs Google (even though GMail is blocked), and probably other sites that I haven't noticed, but they do not MITM banks, at least not the two I visit occasionally from work. I haven't done much investigation beyond that.
Riverbed Steelheads can do this to optimize SSL traffic for WAN optimization. This could be considered a good use of MITM for a company, and I wouldn't exactly fault a company for wanting to optimize their SSL traffic on their own WAN. It's still a kind of scary prospect if a company's Riverbed setup were ever to be "pwnd" by a "hax0r," particularly if it was set up wrong.
So, if this is a work machine and you're using Windows, I'm going to guess you're on IE. If not, you can find similar steps for other browsers, though.
1) Connect to an HTTPS site.
2) Find the "Lock" icon in the address bar (it should be on the right side).
3) Click on it; the exact result of doing this will vary by version but you should get some info about the security of the connection.
4) Click on "View Certificates" (on IE10+ this is right in the little box that appears when you click the icon; I don't have an older version available to check).
5) Check each certificate in the chain of trust. Under the General tab, look at Issued By. Also look up the "chain of trust" to check the signing certificates in the Certification Path tab.
They should be signed by known certificate authorities (if you aren't sure whether a given company is a known CA, look it up online). If the cert is instead signed by your employer or something like that, you're pwned.
There's no place I could be, since I've found Serenity...
I would like to ask a stupid question. If my employer is doing this, and I'm using Chrome to look at, say, https://mail.google.com/, when I click on the little green lock next to the URL to view the Certificate Information, and my company's name is NOT present (the cert path is GeoTrust Global / Google Internet Authority / mail.google.com), can I trust that to mean my company is not intercepting that traffic? Or can my company make it appear this way and still be intercepting my traffic? I suspect there are a number of people who would like to know the answer to this. I'm hoping it's not as stupid a question as it sounds.
--PK (Tech Junkie / Junk Techie)
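The IE walkthrough a few comments up (check Issued By on every certificate in the Certification Path) and the question just above both come down to the same comparison: does the chain end in a public root you recognise, and does it match the path you saw from a connection you trust? The function below, an added example that is not from any poster in this thread, does that comparison over a constructed, leaf-first list of certificate dicts (same `subject`/`issuer` shape Python's `ssl.getpeercert()` uses); the clean chain reuses the names quoted in the question, and "Example Corp Proxy CA" is a constructed stand-in for an internal interception CA.

```python
# Added example: flag a certificate chain that ends in a non-public root or
# that differs from a baseline path recorded out of band (e.g. from home).

def _cn(name):
    """commonName from an ssl-style name: a tuple of RDN tuples of (key, value)."""
    return dict(rdn for rdn_set in name for rdn in rdn_set).get("commonName")

def chain_report(chain, trusted_roots, expected_path=None):
    """chain: leaf-first list of {'subject': ..., 'issuer': ...} dicts.
    trusted_roots: set of root commonNames you accept as public CAs.
    expected_path: optional leaf-first list of commonNames seen on a trusted
    connection. Returns a list of findings; an empty list means nothing odd."""
    findings = []
    path = [_cn(c["subject"]) for c in chain]
    # 1. Each certificate must be issued by the next one up the chain.
    for i in range(len(chain) - 1):
        issuer = _cn(chain[i]["issuer"])
        if issuer != path[i + 1]:
            findings.append(f"broken link: {path[i]} issued by {issuer}")
    # 2. The chain must end in a self-signed root that is a known public CA,
    #    not one pushed out by group policy.
    root = chain[-1]
    if _cn(root["issuer"]) != _cn(root["subject"]):
        findings.append("chain does not end in a self-signed root")
    if _cn(root["subject"]) not in trusted_roots:
        findings.append(f"root '{_cn(root['subject'])}' is not a known public CA")
    # 3. The path should match what the same site showed from a trusted network.
    if expected_path is not None and path != expected_path:
        findings.append(f"path {path} differs from baseline {expected_path}")
    return findings

def _name(cn):
    """Build a one-attribute ssl-style name for the constructed samples."""
    return ((("commonName", cn),),)

# Constructed sample chains; the CA name below is a placeholder, not a real CA.
CLEAN_CHAIN = [
    {"subject": _name("mail.google.com"), "issuer": _name("Google Internet Authority")},
    {"subject": _name("Google Internet Authority"), "issuer": _name("GeoTrust Global CA")},
    {"subject": _name("GeoTrust Global CA"), "issuer": _name("GeoTrust Global CA")},
]
INTERCEPTED_CHAIN = [
    {"subject": _name("mail.google.com"), "issuer": _name("Example Corp Proxy CA")},
    {"subject": _name("Example Corp Proxy CA"), "issuer": _name("Example Corp Proxy CA")},
]
PUBLIC_ROOTS = {"GeoTrust Global CA"}  # would normally be your full trusted root list
BASELINE = ["mail.google.com", "Google Internet Authority", "GeoTrust Global CA"]

if __name__ == "__main__":
    print(chain_report(CLEAN_CHAIN, PUBLIC_ROOTS, BASELINE))        # []
    print(chain_report(INTERCEPTED_CHAIN, PUBLIC_ROOTS, BASELINE))  # two findings
```

Step 2 is the one the IE instructions describe; step 3 is the extra check that a chain with no visibly corporate name still has to pass.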
Looks like to be very common. My current employer does it, and the one before it did it also. It's very annoying.
This all raises an interesting question: Imagine that I need to purchase something for work. If I don't have a company credit card, and if it is allowed by company policy, I might purchase such an item using a personal credit card on my work computer and ask for reimbursement later. Now imagine that there is a data breach in the IT department with the result that the proxy server log falls into the wrong hands and the black hats have my credit card information. Imagine they use that information to make a much larger purchase. Would my company be liable to the credit card company because their interception of the communication resulted in a tangible loss to the credit card company? Or should they be made to eat the loss? I think Visa would have a very good case against such a company, since their negligence in protecting the intercepted data exposed Visa to a loss it had seemingly defended against by using HTTPS.
Shall we focus on how one can detect this situation?
Case 1: One has access to the network... Start your own browser, see the certificate warning.
- Bring your own trusted device: laptop / tablet /
Could the device also be abused?
Case 2: One has limited access to the system
- Start your own Portable Firefox on a USB key, with standard certificates. See the certificate warning.
Is there any other tool?
Case 3: One has access to a kiosk or similar locked system
- Assume everything is logged, don't trust. Poor configurations may be worked around to visit any web site, but don't type any password on it.
My employer just blocks all non-work related HTTPS traffic. Some supplier sites use HTTPS and they work, but most other sites don't.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
This is extremely common. A lot of newer firewalls have it built in and it is basically just a checkbox and configuring a CA. Palo Alto prevents issues with banking by allowing a company to perform SSL decryption on all traffic, but exclude decryption on certain categories of sites. Therefore, you can perform decryption, but not decrypt banking sites. And, btw, even those "HTTPS" VPNs will often use IPSEC after the initial authentication. SSL is usually a fallback.
Seems this could expose the employer to other liabilities. How about if the employee was looking up something online that exposed he/she had a medical issue the employer wasn't aware of, or was in-the-closet.
Employee gets fired for other reasons, finds out employer was sniffing his/her email and/or searches, sues for wrongful dismissal and discrimination.
I'm guessing "Chastity Belt".
Yep, but I chuckle far too often.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Why?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
And it's one of the reasons I left. It was all part of the erosion of the "cool place to work" ethos that was there when I joined them.
If you can, vote with your feet. I totally appreciate that not everyone can. But if you can, do. And make sure that your employer knows about it. Also, it helps to inform the unaware masses if you know about it -- most of the people at my old work didn't know, and that, in and of itself, is possibly worse than the actual act.
NIST 800-53 rev. 4 discusses this topic, so it seems like it's going to become more common. http://nvlpubs.nist.gov/nistpu...
In Portugal and most of Europe, a contract cannot go against the law. In case it does, that clause or the whole thing would be rendered void.
My old employer did it! Technically, it is a violation of HIPAA if employees do anything related to their benefits on the corporate network.