Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?
New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.
In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.
My question: How common is it for employers to perform MITM attacks on their own employees?"
Yes, that is exactly what my company did. They got ratted out when they let the CA expire, but the argument was "Our hardware, our rules."
The usage rules stated something along the lines of they had the right to inspect and alter packets on the company owned network, so there you go...
Never answer an anonymous letter. - Yogi Berra
I own my company, and no... I don't do this to my employees.
I have warned people who've abused the system (I had some casual employees who spent inordinate amounts of time on Facebook, and I've had to clamp down on music downloads that could have gotten me into trouble) but I generally use HR methods rather than technological methods to take action.
This is not a MITM attack -- it is a trusted proxy. The employees all trust the proxy, so everything works as it should. You don't trust the proxy, so you get a certificate validation error, so everything works as it should.
that your assumption is incorrect. Some firewalls do deep inspection, looking for malware coming from websites, via email, etc. They'll do SSL MITM to allow that to work. It doesn't necessarily mean they're doing anything nefarious.
"National Security is the chief cause of national insecurity." - Celine's First Law
It's perfectly legitimate practice on a company network to intercept encrypted traffic. Security devices used for things like intrusion protection and data leakage prevention can't work properly if all you need to circumvent them is an encrypted connection, and you really want that kind of security these days if you're using a large company network, whether you're the company management, the company employees, or the company's customers/clients.
Doing it without making anyone using the network fully aware of the possibility, however, is quite a different matter, unless employees clearly aren't allowed to use company systems for personal use at all. If you've been told occasional personal use is OK and they're covertly MITMing your online banking session on your lunch break or similar, that is highly inappropriate.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
It's more likely they are running the traffic through an IDS/IPS rather than logging everything. It's also likely that well known banking sites are excluded and just passed through. It does use quite a lot of resources to scan the traffic after all.
IDS/IPS https://en.wikipedia.org/wiki/...
Don't put the actual text of your comment in the title. All the information should be in the body of the comment, and the comment should be fully understandable without the title.
Pretty evil when you figure that people routinely think little of jumping onto their bank's website and checking their account balance. I mean it is one thing to disallow that... it makes you a huge prick of course, but to MITM silently so anyone who does it is risking their personal financial data? That is absolutely unconscionable.
Not so evil since the company is responsible for what you do with their equipment and internet connection, so they often monitor your usage for things like preventing data leakage (which could result in large penalties against the employer) and browsing inappropriate web sites (if a coworkers sees you surfing porn, the *company* may be liable for allowing a hostile workplace).
With modern smartphones and cellular enabled tablets, there's no reason to do your personal browsing on your employer's network. If you don't want your employer to see it, don't do it on their equipment/network.
My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees
A completely baseless assumption. I have worked with several organizations who do this "attack" to protect themselves from malicious traffic. I have not yet seen any that logged content. The legal and regulatory risks in doing this are too high to do this sort of data collection.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Also, it's worth noting that the kinds of devices that do this are often used for compliance with rules like HIPAA or PCI DSS. You can't demonstrate that you aren't allowing sensitive data out of a supposedly secured part of your network if you can't actually see what you're allowing out of it...
and in a sentence beginning with "Beware of the leopard".
I don't see why the contract has to declare the version of Apple BSD on which the trusted proxy runs. Otherwise, they'd need to get everyone to sign off on "Beware of the mavericks".
At my last job I did this to a limited extent. I decrypted filesharing sites and services so that I could scan files for viruses at the gateway before they made it to a computer. However, financial and medical industry sites were specifically excluded from decryption, due to the liability issues, and we publicized the fact that we were scanning encrypted traffic.
There are genuine uses for the technology. More and more sites are going to SSL all the time. That makes it impossible to sniff the traffic for viruses and intrusions. For schools and libraries, many of which are required to filter for content, unencrypted SSL prevents the content filters from working correctly. I expect that more employers will turn to this in the near future. Doesn't everyone expect
Extremely.
For now, set aside the question of whether it's acceptable to monitor your employees' encrypted traffic on your network.
Technologically, it's a terrible idea. The client software and the end user no longer have any ability to inspect the actual certificates used for an HTTPS connection. From the client's perspective, all HTTPS connections are really with the MITM device and use the same cert chain. (Well, a dynamically-generated cert for the appropriate site signed by the same trusted CA using, presumably, the same process.) The MITM device is the one doing the actual SSL cert verification, and the client has to simply trust that it's doing it correctly. Moreover, none of the information about the SSL cert used gets transmitted to the client. So, no revoking CAs that are compromised. No noticing that this connection to PayPal is using a cert mysteriously signed by Deutsche Telekom (when it should be Verisign). No using non-default root CAs (say, to connect to DoD sites). No rejecting certs that are only signed with MD5. Let's just hope the MITM device knows not to use functions like strlen() and strcmp() when dealing with certificate fields.
Honestly I WOULD entirely agree if not for the MITM aspect.
If they really want to do that, set up a proxy and whitelist allowed sites. Deny SSL connections. Fine. Silent MITM attacks expose people in an unsuspecting manner; in ways that it's unrealistic to expect most employees outside of IT to understand.
"I opened my eyes, and everything went dark again"
A previous employer, a game company whose name rhymes with lizard, uses MITM proxy ... All their machines use their custom cert so that their made-up cert shows 'green' on the location box when any user uses a secure web site.
No sig. Move along - nothing to see here.
Sheesh, really? Man in the Middle "attack"? Give me a break.
If you are using an employer's resources to surf the internet just figure that *everything* you do is monitored. If you don't want to be monitored, GO HOME. If you don't trust your employer, GO HOME to do anything you don't want them to see. GO HOME or use your own internet access.
Don't try to make this into some "privacy" issue. It's not.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Yes, it's actually extremely common. Google "SSL Interception", as that's the name of the feature that is advertised on hardware/software that performs this function.
This is why I never browse private web sites on work hardware. You simply do not know how they've mangled the machine, what all it is revealing or to whom. (That's right, most large companies actually outsource security, so all of your private account numbers and passwords are going to third parties that you don't know and never will, third parties who have been indemnified and are completely immune to any kind of action or recourse from you if they screw up.) If I want to browse the web, I use a VPN connection to my house and my own personal laptop. I don't use my work smartphone for Facebook or personal email, I have my own personal phone using my own provider. When I'm working from home and VPNed into the office, I don't use my personal workstation for any work stuff, except as a VirtualBox host for a work VM, which my company has altered through group policy and direct installation of software to be configured how they want.
It's a shame that in today's work environment we have to worry about such things, but if you think the NSA is bad about spying on you, it's small potatoes compared to what your own company does. Never trust your company to just be innocently looking for malware or other intrusion detection means. Never install any software or services on your personal equipment from your company, no matter how much more convenient it will make your life. (This includes, for example, accepting elevated permissions to connect to your work email on your personal phone.) Always assume that they're watching you, looking for anything that can be used to fire you, cancel your severance, or extort whatever they want from you, whether you're just a peon on the low rung of the corporate ladder or the CEO.
I've worked very closely with both the network and security people in a large multinational corporation, and I've seen firsthand the kinds of things they do. It ain't pretty. I've seen people leave because they have moral qualms with the kind of monitoring that goes on, and people screwed because something innocent that everyone does was turned into a major issue. I cannot emphasize this enough; never, ever, ever mix your personal life with your work life, especially when it comes to communications and technology.
Let me guess. Your corporation has an 'exception' to the professional conduct guidelines when management computers are involved.
So we know it's happening - it's not really "hidden" - so it's up to me if I want to use Facebook or GMail or whatever - knowing the connection could be snooped. If I don't like it - I can simply not use those services from work.
As the operator of the webserver, I certainly don't consent, even if the employee had no choice.
Is there any way to detect this server-side?
The company does not own the employee, and does not own the server that the employee is talking to, and so it really is a MITM attack. The company is the middle.
Your advice is on the nose, though. It is impossible to trust any employer run system, and therefore you should never, ever do anything of a personal nature on company systems. Even if, as where I work, using the company systems for reasonable personal use is allowed.
In the real world, BYOD isn't always that simple. The moment an employer encourages their employee to do something on their own device rather than provide dedicated company equipment, there are issues of who has what access, who is responsible for what, etc. There are entire businesses making tools and consulting in this field right now, because that is how big a minefield it is becoming.
You, sir (or ma'am), are doing it right. This is precisely the thing that gets me so mad at companies today, that they view these issues as an IT problem, not an HR problem. So they spend hundreds of thousands of dollars (sometimes millions) in hardware, software, salaries, support contracts, and lost time when shit breaks, just so that management 1) won't have to do their jobs--you know, managing people, and 2) will have plausible deniability when someone does do something stupid. ("It's not my fault for not making sure my workers were working on what they were supposed to and not violating company policy; IT should have blocked that site!!!")
It's refreshing to see someone who actually gets where company policies should actually be enforced and where responsibility really ought to lie when there are gaps. Thank you!
This is very common in the military and in defense contractors, and it happens elsewhere too. There is a reason for it. Many of these organizations are worried about malicious stuff going in and/or exfiltration of non-public data going out. Employer MITM makes it easy to examine every packet for these kinds of things (to counter them). In the US, at least, it's generally accepted that employer equipment is owned by the employer, and thus they expressly have the authority to examine what goes over their own network... and as a condition of employment or computer use you probably signed something agreeing to this. I'm not a fan of this approach, but it certainly happens.
Open source software that implements crypto protocols (e.g., SSL or SSH) will (correctly!) report that there's a MITM attack. So if you want to actually *use* the software in such settings, someone has to configure the software to trust the MITM. Some admins will do this automatically. If not, you may need to do it yourself. E.g., on Firefox, install the organization's certificate.
You configure Linux systems to work in these environments, but since the certs are often files in Windows aka DOS aka CP/M format, you need to convert the files as well as put them into somewhere useful. Here's one way to deal with it.
On Fedora, given a bunch of .crt files, you can do this:
dos2unix *.crt ; cat *.crt >> /etc/pki/tls/certs/ca-bundle.crt
On Ubuntu, you can do this given a bunch of .cer files:
dos2unix *.cer ; rename 's/.cer$/.crt/' *.cer ; ca=/usr/share/ca-certificates ; mkdir -p $ca/MYORG ; cp *.crt $ca/MYORG ; cd $ca ; ls MYORG/* >> /etc/ca-certificates.conf ;
update-ca-certificates
You could avoid appending to the file if you want to, but I'll leave that as an exercise for the reader.
- David A. Wheeler (see my Secure Programming HOWTO)
Of course you have rights. So does your employer. And using your employer's network gives your employer the right to see what is traveling over his network.
That's a bit of an outdated attitude. Any "secure corporate network" has dozens or even hundreds of compromised client devices on it at any moment (and possibly a compromised employee or two). Not allowing personal devices doesn't increase security all that much. On the other hand, the benefits of BYOD are accepted by most companies that employ knowledge workers. Most places I've worked (some were really big corporations) simply require an employee to sign an acceptable use policy before connecting.
Let me turn that attitude around: are you willing to be held personally responsible when a client is compromised by a zero-day? Control is an illusion in the twenty-first century, it's way past time to start building networks that are able to function properly even with untrusted devices on them.
Many of the hotels I've stayed in over the years, both major chains and smaller boutique hotels, and in several countries, have attested to MiM my secure mail server or http sessions. Similarly I caught the Qantas lounge in Sydney trying this a few years ago. I never use hotel internets any more or airline lounges' wifi - it's just too creepy.
I used to have a better sig than this, but I got tired of it