
Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

Unknown Lamer posted about 9 months ago | from the padlock-icon-says-I'm-good-right dept.

Security 572

New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.

In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.

My question: How common is it for employers to perform MITM attacks on their own employees?"

Yes they did. (4, Interesting)

funwithBSD (245349) | about 9 months ago | (#46410065)

Yes, that is exactly what my company did. They got ratted out when they let the CA expire, but the argument was "Our hardware, our rules."

The usage rules stated something along the lines of they had the right to inspect and alter packets on the company owned network, so there you go...

Re:Yes they did. (5, Informative)

Jeremiah Cornelius (137) | about 9 months ago | (#46410395)

This is very common

Very.

Your employer probably does little with this - it is usually a part of the configuration for Microsoft Forefront TMG (Formerly ISA Server). If you have Outlook Web Access, and do any spend on MS recommended practices, then you have a TMG, and 9 out of 10 times, the "Inspection Proxy for SSL" feature.

The intent is to scrub the stream for malware attachments and malicious XML, etc. Most are set-and-forget, with little competence to exploit or understand what they have done.

Bigger corporations, or those aware of data sensitivity issues are another matter. Outbound traffic may be subject to this inspection, for DLP with something like Vontu Network Prevent. These controls are managed by folks who spend 25K on netsec, not 25 C's. :-) Then? Clever operators may be logging and trapping all kinds of info. Reports are very "compliance centric" though. The DLP operator team usually has a fair amount of audit scrutiny. Usually...

Anyway, TLS is irrevocably broken. It is reasonable security, trivially implemented and nearly as easily defeated. You own DNS and the path? You own the world.

I am involved in defining a new transport security mechanism for my company's products, because of TLS/SSL handwaving and IPsec brittleness.

Re:Yes they did. (1)

AK Marc (707885) | about 9 months ago | (#46410413)

Yup, most large corporations do this, I've worked for more that did this than didn't.

Maybe the company's not actually doing it? (1)

ip_freely_2000 (577249) | about 9 months ago | (#46410081)

I'm not sure why they would need to do that as a routine task. It's fairly broad and consumes resources. It'd be pretty funny if you mentioned it to their IT Director and he replied with "huh?"

Re:Maybe the company's not actually doing it? (1, Interesting)

houstonbofh (602064) | about 9 months ago | (#46410265)

I'm not sure why they would need to do that as a routine task. It's fairly broad and consumes resources. It'd be pretty funny if you mentioned it to their IT Director and he replied with "huh?"

Actually, a well configured proxy saves resources. Caching of images can save a lot, and filtering of advertising saves a huge amount of bandwidth. Then there is the filtering of content that could expose the company to lawsuits (Like porn in a harassment suit) and legal issues, and of course, job searches on company time.

And calling it an attack is a joke. There is no middle, as the company owns everything on the network. If you have private stuff to do, use your tablet.

Re:Maybe the company's not actually doing it? (0)

Anonymous Coward | about 9 months ago | (#46410319)

This is trivial to do. In a past life, I worked for a midsize firm which had fairly beefy appliances in place whose job was to store every bit flying through the networks, and if it was SSL/TLS, decrypt it and store it indefinitely so auditors can dig through it later come HR review time and pass a list to managers.

Re:Maybe the company's not actually doing it? (1)

maas15 (1357089) | about 9 months ago | (#46410363)

I know certain commercial products, for example Fortinet firewalls, have this functionality built into them.

Re:Maybe the company's not actually doing it? (1)

AK Marc (707885) | about 9 months ago | (#46410439)

Yes, and cheap BlueCoats do it too, and they are common.

Evil? (1)

handy_vandal (606174) | about 9 months ago | (#46410085)

Second question: how evil is this practice?

Re:Evil? (1)

Anonymous Coward | about 9 months ago | (#46410143)

Pretty evil when you figure that people routinely think little of jumping onto their bank's website and checking their account balance. I mean it is one thing to disallow that... it makes you a huge prick of course, but to MITM silently so anyone who does it is risking their personal financial data? That is absolutely unconscionable.

Re:Evil? (3, Insightful)

hawguy (1600213) | about 9 months ago | (#46410255)

Pretty evil when you figure that people routinely think little of jumping onto their bank's website and checking their account balance. I mean it is one thing to disallow that... it makes you a huge prick of course, but to MITM silently so anyone who does it is risking their personal financial data? That is absolutely unconscionable.

Not so evil since the company is responsible for what you do with their equipment and internet connection, so they often monitor your usage for things like preventing data leakage (which could result in large penalties against the employer) and browsing inappropriate web sites (if a coworkers sees you surfing porn, the *company* may be liable for allowing a hostile workplace).

With modern smartphones and cellular enabled tablets, there's no reason to do your personal browsing on your employer's network. If you don't want your employer to see it, don't do it on their equipment/network.

Re:Evil? (1)

Anonymous Brave Guy (457657) | about 9 months ago | (#46410295)

With modern smartphones and cellular enabled tablets, there's no reason to do your personal browsing on your employer's network. If you don't want your employer to see it, don't do it on their equipment/network.

True up to a point, but the moment anyone mentions the phrase "bring your own device" and anyone from your company touches your employee's private property, a whole bunch of similar issues are going to come up.

Re:Evil? (5, Insightful)

TheCarp (96830) | about 9 months ago | (#46410455)

Honestly I WOULD entirely agree if not for the MITM aspect.

If they really want to do that, set up a proxy and whitelist allowed sites. Deny SSL connections. Fine. Silent MITM attacks expose people in an unsuspecting manner; in ways that it's unrealistic to expect most employees outside of IT to understand.

Re:Evil? (1)

houstonbofh (602064) | about 9 months ago | (#46410287)

If you jump on your bank website from a system you don't own, you are already way into the risky category here... Use your smart phone for that stuff.

Re:Evil? (4, Insightful)

RatherBeAnonymous (1812866) | about 9 months ago | (#46410411)

At my last job I did this to a limited extent. I decrypted filesharing sites and services so that I could scan files for viruses at the gateway before they made it to a computer. However, financial and medical industry sites were specifically excluded from decryption, due to the liability issues, and we publicized the fact that we were scanning encrypted traffic.

There are genuine uses for the technology. More and more sites are going to SSL all the time. That makes it impossible to sniff the traffic for virus and intrusions. For schools and libraries, many of which are required to filter for content, unencrypted SSL prevents the content filters from working correctly. I expect that more employers will turn to this in the near future. Doesn't everyone expect

Re:Evil? (1)

Timothy Hartman (2905293) | about 9 months ago | (#46410433)

Many businesses find the idea of people doing their personal banking on the clock unconscionable. The firewall package we have when it has a hiccup reverts back to doing HTTPS interception, so for us turning it off is an option rather than it being defaulted to off.

Re:Evil? (1)

AK Marc (707885) | about 9 months ago | (#46410495)

Secure connections are insecure (for the network). If you SSL into your (infected) home server, and download a virus, how is their AV firewall supposed to catch it? If 1000 people all go to BoA or some other site checking their checking balance every day, how are they supposed to save bandwidth with caching?

So they have valid reasons to do it. It's company computer, company network, why would you allow unsecured computers full access to your network and configure them to waste resources?

Yes and no (2)

Anonymous Brave Guy (457657) | about 9 months ago | (#46410165)

It's perfectly legitimate practice on a company network to intercept encrypted traffic. Security devices used for things like intrusion protection and data leakage prevention can't work properly if all you need to circumvent them is an encrypted connection, and you really want that kind of security these days if you're using a large company network, whether you're the company management, the company employees, or the company's customers/clients.

Doing it without making anyone using the network fully aware of the possibility, however, is quite a different matter, unless employees clearly aren't allowed to use company systems for personal use at all. If you've been told occasional personal use is OK and they're covertly MITMing your online banking session on your lunch break or similar, that is highly inappropriate.

Re:Yes and no (3, Insightful)

mlts (1038732) | about 9 months ago | (#46410345)

Sometimes watching encrypted traffic may be needed for some regulatory compliance. Of course, the best thing would be to have a terminal server set up to allow people to use their Web browser free and clear, while direct connections to the Internet would be monitored/logged. This way, personal E-mail and banking info isn't touched, while sensitive internal data is well protected.

Re:Evil? (2)

blueg3 (192743) | about 9 months ago | (#46410419)

Extremely.

For now, set aside the question of whether it's acceptable to monitor your employees' encrypted traffic on your network.

Technologically, it's a terrible idea. The client software and the end user no longer have any ability to inspect the actual certificates used for an HTTPS connection. From the client's perspective, all HTTPS connections are really with the MITM device and use the same cert chain. (Well, a dynamically-generated cert for the appropriate site signed by the same trusted CA using, presumably, the same process.) The MITM device is the one doing the actual SSL cert verification, and the client has to simply trust that it's doing it correctly. Moreover, none of the information about the SSL cert used gets transmitted to the client. So, no revoking CAs that are compromised. No noticing that this connection to PayPal is using a cert mysteriously signed by Deutsche Telekom (when it should be Verisign). No using non-default root CAs (say, to connect to DoD sites). No rejecting certs that are only signed with MD5. Let's just hope the MITM device knows not to use functions like strlen() and strcmp() when dealing with certificate fields.
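The blind spot blueg3 describes, combined with the mechanism from the submission (an internal CA pushed to clients, re-issuing a certificate per site), as an added example that is not from this thread: a Go program that builds a constructed "public" CA and a constructed corporate inspection CA, issues a Google Maps leaf from each, and shows that ordinary chain validation accepts both once the corporate root is trusted, while a public-key pin on the site's real CA still flags the intercepted one and every intercepted site shares the same issuer. All CA names, hosts and certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// mint returns a key pair and certificate for cn. With parent == nil it is a
// self-signed CA; otherwise a server certificate for host cn signed by parent,
// which is what an inspection proxy does on demand for every visited site.
// Every certificate here is constructed for the example; none is real.
func mint(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // fixture generation; nothing sensible to do without a key
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// spkiFingerprint is the SHA-256 of the SubjectPublicKeyInfo, the value that
// public-key pinning compares against, as lowercase hex.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyAndPin runs ordinary chain validation against the client's trust store,
// then checks whether any cert in a valid chain carries a pinned SPKI.
func verifyAndPin(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[string]bool) (chainValid, pinMatched bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return false, false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiFingerprint(c)] {
				return true, true
			}
		}
	}
	return true, false
}

// Outcome records what a client observes with and without interception.
type Outcome struct {
	GenuineValid, GenuinePinned bool // site's real CA signs: both true
	ProxyValid, ProxyPinned     bool // corp CA signs: valid (it is trusted) but unpinned
	ProxySharesIssuer           bool // every intercepted site presents the same issuer
}

// RunScenario models the thread's setup: the client trusts the public root plus
// a corporate root pushed out via Group Policy, and the proxy re-issues certs.
func RunScenario() Outcome {
	pubCA, pubKey := mint("Example Public Root CA", nil, nil)
	corpCA, corpKey := mint("Example Corp Inspection CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(pubCA)
	roots.AddCert(corpCA) // the GPO-pushed internal CA from the submission
	pins := map[string]bool{spkiFingerprint(pubCA): true} // what the site really uses
	const host = "maps.google.com" // constructed certificates, not Google's
	genuine, _ := mint(host, pubCA, pubKey)
	proxied, _ := mint(host, corpCA, corpKey)
	other, _ := mint("www.paypal.com", corpCA, corpKey)
	gv, gp := verifyAndPin(genuine, host, roots, pins)
	pv, pp := verifyAndPin(proxied, host, roots, pins)
	return Outcome{gv, gp, pv, pp, string(proxied.RawIssuer) == string(other.RawIssuer)}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The pin check is the only one of the three that distinguishes the proxied connection; plain validation cannot, because the intercepting CA is in the same store the client consults.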

Re:Evil? (1)

AK Marc (707885) | about 9 months ago | (#46410451)

Most places that do it are doing it solely for the cache savings. They don't "inspect" the traffic, though they could.

No (5, Interesting)

dskoll (99328) | about 9 months ago | (#46410087)

I own my company, and no... I don't do this to my employees.

I have warned people who've abused the system (I had some casual employees who spent inordinate amounts of time on Facebook, and I've had to clamp down on music downloads that could have gotten me into trouble) but I generally use HR methods rather than technological methods to take action.

Re:No (0)

50000BTU_barbecue (588132) | about 9 months ago | (#46410317)

So you fire them, is that what that euphemism means?

Re:No (2)

dskoll (99328) | about 9 months ago | (#46410399)

I have never fired someone for abusing our Internet policy. I've issued warnings, though.

Re:No (1)

RatherBeAnonymous (1812866) | about 9 months ago | (#46410457)

It doesn't have to be a question of abuse, it's more a question of security. If your firewall/intrusion detection systems don't decrypt SSL, they can't scan it for viruses/malware/intrusions/etc.

Not MITM (3, Insightful)

SparkleMotion88 (1013083) | about 9 months ago | (#46410093)

This is not a MITM attack -- it is a trusted proxy. The employees all trust the proxy, so everything works as it should. You don't trust the proxy, so you get a certificate validation error, so everything works as it should.

Re:Not MITM (0)

Doug Otto (2821601) | about 9 months ago | (#46410123)

This +1

Re:Not MITM (5, Insightful)

trigeek (662294) | about 9 months ago | (#46410139)

This is a Man-in-the-Middle if the end-user is not notified of it.

Re:Not MITM (3, Funny)

Anonymous Coward | about 9 months ago | (#46410289)

Oh the end-user was undoubtedly notified of it, probably somewhere at the bottom of their contract, in tiny writing, after the section about the lavatory and in a sentence beginning with "Beware of the leopard".

Beware of the leopard^W lion^w mavericks (3, Funny)

tepples (727027) | about 9 months ago | (#46410361)

and in a sentence beginning with "Beware of the leopard".

I don't see why the contract has to declare the version of Apple BSD on which the trusted proxy runs. Otherwise, they'd need to get everyone to sign off on "Beware of the mavericks".

Re:Not MITM (1)

houstonbofh (602064) | about 9 months ago | (#46410315)

This is a Man-in-the-Middle if the end-user is not notified of it.

But he was notified. He got the broken cert. And employees probably got notice in that packet they did not read.

Re: Not MITM (1)

QuietLagoon (813062) | about 9 months ago | (#46410145)

trusted proxy

Trusted by whom? I certainly don't trust a MiTM proxy, even when it has the word "trusted" in its name.

Re: Not MITM (1)

houstonbofh (602064) | about 9 months ago | (#46410323)

trusted proxy

Trusted by whom? I certainly don't trust a MiTM proxy, even when it has the word "trusted" in its name.

Trusted by the people who own the computer.

Re: Not MITM (0)

QuietLagoon (813062) | about 9 months ago | (#46410415)

AT&T's computers are owned by AT&T. Tell me why I should trust them with my phone call metadata.

Re: Not MITM (0)

Anonymous Coward | about 9 months ago | (#46410333)

Then you shouldn't install its signing certificate on your computer.

Re: Not MITM (1)

QuietLagoon (813062) | about 9 months ago | (#46410385)

Then you shouldn't install its signing certificate on your computer.

In a work environment, I may not have that option.

Re:Not MITM (3, Insightful)

cream wobbly (1102689) | about 9 months ago | (#46410159)

Correct. It may resemble a MITM attack, but it's a proxy for pete's sake! To those like the OP who don't quite get this, refer to the agreement you signed for acceptable use of company resources before they allowed you on site.

Trusted Proxy. (0)

Anonymous Coward | about 9 months ago | (#46410193)

Agreed.

Re:Not MITM (1)

parlancex (1322105) | about 9 months ago | (#46410211)

Well that's all semantics isn't it? The reality is that in many countries regulations prevent snooping of traffic to websites related to health or banking, so your company can write whatever policy it likes, it is still explicitly illegal activity.

Re:Not MITM (0)

Anonymous Coward | about 9 months ago | (#46410321)

Odds are, the employer, like mine, has a policy forbidding the use of company resources for personal usage. So, employees shouldn't be accessing those sites via their employer's computers and network.

Re:Not MITM (0)

Anonymous Coward | about 9 months ago | (#46410367)

and most proxies have ssl passthrough for banking and health...

google maps is neither banking nor health thus not subject to the SSL passthrough

Re:Not MITM (1)

Adrian Lopez (2615) | about 9 months ago | (#46410445)

"and most proxys have ssl passthrough for banking and health..."

Except, of course, for websites not recognized by the proxy as containing "banking" or "health" information.

Pass the blame to employees visiting such sites (1)

tepples (727027) | about 9 months ago | (#46410421)

in many countries regulations prevent snooping of traffic to websites related to health or banking

Watch for language in your employment agreement to the effect: "Employees outside the group health insurance and financial departments MUST NOT access health or banking sites through the company network."

Re:Not MITM (0)

Anonymous Coward | about 9 months ago | (#46410239)

is this 'trusted' machine running the trustworthy windoze os?

Re:Not MITM (4, Informative)

Adrian Lopez (2615) | about 9 months ago | (#46410387)

A trusted proxy is a "Man in the Middle", so I presume your objection is to the word "attack"? Whatever you choose to call it, the fact is that SSL certificates are transparently being rewritten in order to capture data each website's SSL certificate was meant to stop from being captured. "Trusted proxy" is just a friendly euphemism which attempts to justify what may or may not be a legitimate practice, depending on what's being collected and whether or not the users are, in fact, specifically aware of it.

A Wolf in Sheeps Clothing (0)

Anonymous Coward | about 9 months ago | (#46410405)

Just because they set it up to look like a trusted proxy, it defeats the trust of HTTPS. Are they wrong for doing this? That's debatable.

Very common (0)

Anonymous Coward | about 9 months ago | (#46410097)

If you don't own/administer the laptop you run, assume that you are being monitored via a client side tool. Even so, my university made their own CA (had a laptop program up to last year; now they use it as part of the installer for the Network Access Control tool they put on, which uses passive TCP fingerprinting & user agent in tandem to tell if you run a PC or Mac & require software installation), and used a Fortinet Analyzer to log HTTPS/IM/email/etc. traffic.

My current customer issues their own CA and Cisco IronPort and MITMs SSL by default. Broke several sites, including my employer's website (X.509 certificate authentication was interrupted because the CA Changed and it didn't think to present the client side cert - they had to add our domain to the exceptions list for MITM). They do so for logging.

My own employer does not seem to issue CAs over existing ones, but there's so much management software on the thing I don't expect privacy when using it anyways.

Don't expect privacy on a work PC.

Re:Very common (1)

houstonbofh (602064) | about 9 months ago | (#46410351)

Don't expect privacy on a work PC.

The fact that people still do not get this amazes me!

I know my employer does. (0)

Anonymous Coward | about 9 months ago | (#46410103)

Furthermore, they do all within their power to block any browser other than IE 8. Even apps like Eclipse are crippled, unless you can figure out the arcane and undocumented settings to use said man-in-the-middle proxies.

The guest network is not encumbered in that way, though, and that's where I transact all non-work-related business - like this post.

Essentially, I vote with my e-feet; I don't like the security policy on the corporate net, so I don't use it for non-corporate communication. If their idiotic so-called "security" policies lead to a major data breach, it's their data, not mine, and I'll point and laugh as I leave for the next contract.

Rule #1: Never access non-work related stuff in th (0)

Anonymous Coward | about 9 months ago | (#46410111)

And if you really really need to, get yourself a smart phone with a fat data-plan.

Re:Rule #1: Never access non-work related stuff in (3, Informative)

Anonymous Coward | about 9 months ago | (#46410183)

Don't put the actual text of your comment in the title. All the information should be in the body of the comment, and the comment should be fully understandable without the title.

I suspect... (3, Informative)

msauve (701917) | about 9 months ago | (#46410113)

that your assumption is incorrect. Some firewalls do deep inspection, looking for malware coming from websites, via email, etc. They'll do SSL MITM to allow that to work. It doesn't necessarily mean they're doing anything nefarious.

Re:I suspect... (2)

ruir (2709173) | about 9 months ago | (#46410169)

Finally a sane comment... If the poster doesn't like what they do, he can browse the email/banking at home or via his mobile. Their network, their rules.

Re:I suspect... (1)

jones_supa (887896) | about 9 months ago | (#46410243)

It doesn't necessarily mean they're doing anything nefarious.

I either do not expect the company to be doing anything nefarious, but in this day and age of data surveillance, I'm glad that an alarm bell rings in people's minds.

Re:I suspect... (1)

ImprovOmega (744717) | about 9 months ago | (#46410491)

Exactly. This is how you do a transparent proxy with SSL. It doesn't mean that data is being stored somewhere, it just means you're taking reasonable precautions to protect against malware/spam/internet threats. Yes, you theoretically *could* use this to sniff passwords and stuff, I guess, but that would just open up all kinds of liabilities. The easiest and cheapest thing is to discard the data once it's passed inspection. That's what most of these devices do.

HIPAA violations? (0)

Anonymous Coward | about 9 months ago | (#46410117)

If they do decrypt personal traffic, would they be responsible for any medical data they intercept, thus triggering HIPAA?

Re:HIPAA violations? (1)

Anonymous Brave Guy (457657) | about 9 months ago | (#46410261)

It's true that this sort of system needs to be set up carefully, and probably with the aid of both technical and legal advice if the administrator isn't an expert in this area.

Saying that, with a properly configured set of devices, it is possible to pass encrypted traffic through a security device that temporarily decrypts the data to scan it but never logs or discloses the full data set itself, so nothing sensitive is ever recorded or put in front of human eyes. There is also technology available that will cut payloads off packets or mask them out so logging tools only see the packet headers, and this kind of technology is often used for compliance with HIPAA, PCI DSS, and similar sensitive areas.

Of course, if the administrator didn't choose to use those facilities, or if they set them up incorrectly, their systems could be doing all sorts of things that potentially violate various data protection laws depending on jurisdiction.

Re:HIPAA violations? (4, Informative)

Anonymous Brave Guy (457657) | about 9 months ago | (#46410339)

Also, it's worth noting that the kinds of devices that do this are often used for compliance with rules like HIPAA or PCI DSS. You can't demonstrate that you aren't allowing sensitive data out of a supposedly secured part of your network if you can't actually see what you're allowing out of it...

Re:HIPAA violations? (1)

houstonbofh (602064) | about 9 months ago | (#46410371)

If they do decrypt personal traffic, would they be responsible for any medical data they intercept, thus triggering HIPAA?

Not if they tell you not to use the corporate network for personal business.

It's not a violation... (1)

Overzeetop (214511) | about 9 months ago | (#46410485)

It's not a violation if the company isn't bound by HIPAA regulations. In this case, for a generic corp, it's just a terminal and internet access.

More than you think... (1)

Anonymous Coward | about 9 months ago | (#46410121)

I lost a client because I refused to setup something similar.

Very Common (0)

Anonymous Coward | about 9 months ago | (#46410125)

I encountered the FBI doing this in 2003, and my current company, a Fortune 100 company, also employs this technology.

We use it to decrypt and scan all HTTPS communication to prevent confidential information from leaking out of the company as well as to enforce professional conduct guidelines (no naughty words or boobies!).

I would wager this type of proxy with fake certs is fairly common at large companies in the U.S. today.

Maybe it is not the employer. (0)

Anonymous Coward | about 9 months ago | (#46410135)

I wonder if the employer even knows? In most firms the employer rarely sets up the network themselves and holds the keys. They usually put the trust of the network in their systems administrators. I have worked at a few firms where the system admins would all treat the network like their little play toy. I would point fingers at whoever set up the proxy before pointing them at management. In my experience management is really not that savvy.

Birds of a feather flock together.

Of course (0)

Anonymous Coward | about 9 months ago | (#46410141)

When I connect to my employer's network I get a pop-up that says: "YOU SHOULD HAVE NO EXPECTATION OF PRIVACY"

It's know as content inspection (0)

Anonymous Coward | about 9 months ago | (#46410151)

The greatest avenue for malware infection is from web traffic. Organizations that take security seriously will open the https at a proxy that analyzes the content for malware and then either blocks it or allows it. Who said anything about recording all web traffic? My proxy logs are large enough... nevermind the idea of logging content!

Not that uncommon (1)

ZerXes (1986108) | about 9 months ago | (#46410163)

It depends on the company and its policies of course but this is not that uncommon. I would say that in most cases this is not for spying on the employees rather protecting them by letting IDS/IPS-systems be able to read the network traffic even when using SSL to find botnets, infected hosts and malware. But the solution sure makes it *possible* for the company to spy on the employees and my personal opinion is that a company using this technique should make sure the employees know that SSL is being intercepted.

More likely an IPS (4, Informative)

gweeks (91403) | about 9 months ago | (#46410167)

It's more likely they are running the traffic through an IDS/IPS rather than logging everything. It's also likely that well-known banking sites are excluded and just passed through. It does use quite a lot of resources to scan the traffic after all.

IDS/IPS https://en.wikipedia.org/wiki/... [wikipedia.org]

Very common in my experience (0)

Anonymous Coward | about 9 months ago | (#46410177)

This is very common to protect against exploitation of the SSL hole. Blocking your VPN protocol also protects network resources, as malware can use this technology to bypass firewall systems too.

Remember, the equipment and bandwidth of your client is theirs to do with as they see fit. Obviously capturing people's banking data, and USING it, is illegal and would be prosecutable to the fullest extent of law.

My hardware, my rules (0)

Anonymous Coward | about 9 months ago | (#46410185)

We intercept HTTPS proxy here, we just inform our employees about it upfront. Our computers are exclusively meant for work, not personal use. We provide an entirely separate public WiFi network for employees, and guests.

Necessary sometimes (1)

the eric conspiracy (20178) | about 9 months ago | (#46410191)

In some cases you need to know everything that is going out the door. For example if your company is the target of industrial espionage the last thing you want is your trade secrets going out through your firewall.

I would expect a lot of companies are doing this along with other similar measures.

its not uncommon.... (0)

Anonymous Coward | about 9 months ago | (#46410199)

My employer (a large community college district in California) does something similar. Using Palo Alto Firewalls they are able to intercept the SSL certificate, decrypt the traffic, inspect it, and put it back together again. Unlike in the OP scenario with no indication to the end user. The rationale is that many viruses and botnets use encryption to prevent detection. While I think their heart is in the right place I think it can potentially open an organization up to litigation if (when) something goes wrong. Imagine your organization does this MITM (attack) and someone in IT performs a deep packet inspection and your bank details, PII or whatever is viewable. Scary thought that a curious schlub in IT (I say that being a schlub in IT) may be reading your gmail conversations, seeing your banking info, and all the other stuff you'd want to keep private. Obviously though at the end of the day, any organization has the right to monitor employees using company hardware.

It happens here (1)

dave562 (969951) | about 9 months ago | (#46410201)

We deal with highly sensitive client data. All network traffic is inspected. The employees are well aware of it because it is explicitly mentioned during new hire orientation / on boarding.

Man in the middle? (0)

Anonymous Coward | about 9 months ago | (#46410203)

This is a security department looking for people who are browsing porn, or using ssl to hide illegal activity. They aren't looking for banking info. (Although it's there) If you are doing banking on a network not your own, then it’s your bad...

The work computers are not your property; they belong to the company you work for and are for work, plain and simple. If you don't like the situation you can certainly (and should) move on to another job.

Actually looking for a way to do this... (0)

exabrial (818005) | about 9 months ago | (#46410221)

Malware is pretty easy to download over HTTPS, since an IDS can't fingerprint it. I've been looking for a firewall that can do this reliably, so I'd love to hear solutions that people have found work reasonably well.

Management has no interest in employee's personal lives. Hence we don't block facebook, youtube, etc. The goal is to keep the company assets safe. Employees are made aware during their orientation that we have the ability to monitor their computers in every way. The message has been, if you want privacy, use your mobile device (and don't vote for Democrats and their spy programs).

pointless political attack (1)

Chirs (87576) | about 9 months ago | (#46410447)

The message has been, if you want privacy, use your mobile device (and don't vote for Democrats and their spy programs).

Do you honestly think that a Republican government wouldn't do just as much spying?

We do this... however... (0)

Anonymous Coward | about 9 months ago | (#46410227)

All banking, finance, government, health, and some other more private info sites are NOT included and go direct (no MITM proxy)... a company who does do MITM on these sites, especially in the health area could be in line for some serious legal issues...

Will be the norm shortly.... (1)

Wandering_Burr (730075) | about 9 months ago | (#46410229)

As someone that recently spec'd out new firewall hardware for a medium-sized company, I found this 'feature' available on the latest, greatest boxes. This is the newest way for companies to run Intrusion Detection (for instance looking for CCs or key words in documents leaving the network) as well as throttling BitTorrent and other undesirable traffic hidden in encryption. I would expect this to become the norm in the next couple of years, as Gartner repeatedly writes that thorough IDS is best practice on networks in this day and age. Personally I felt like a mini-NSA and declined to roll this feature out - but I have the luxury of being the decision maker at a small company. If I was spec'ing gear for an enterprise--I'm pretty sure the hunger for latest and greatest to protect IP from the unwashed masses would prevail.

I use it to protect us. (0)

Anonymous Coward | about 9 months ago | (#46410235)

I have a proxy server at the office which does content filtering and AV scanning on everything that comes in and out of the network. This is purely for security reasons, to add another layer of prevention for malware; nothing is stored and I don't care about the actual content of the data. I started having to do SSL MITM on our proxy server when some users figured out that if they just put HTTPS in front of whatever they wanted, the proxy server wouldn't be able to catch it.

For us it's also clearly stated in our handbook that work equipment and network traffic are subject to periodic monitoring. We do have a separate network for employees that want to connect their personal phones, tablets and laptops, which is not filtered but also does not have access back to the production network.

Yes with some exceptions (0)

Anonymous Coward | about 9 months ago | (#46410251)

I have seen organizations implement an SSL proxy like this. I am sure most people don't check to see who the certificate was issued by. The clever thing here is that the certificates are generated on demand by the SSL proxy. The organization would whitelist (to bypass the SSL proxy) some domains (mostly financial institutions). Gmail wasn't one that was whitelisted. This organization didn't do it without consent; buried in their acceptable use agreement was the SSL proxy and a method to request a domain get whitelisted.
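The whitelisting the comments in this thread describe (financial, health and government sites sent straight through without re-signing) comes down to a bypass list matched against the hostname the client asked for. The following is an added example, not code from the thread or from any vendor's proxy, showing the matching logic and the one mistake that matters most in it: a plain `endswith` test lets a look-alike domain such as `notmybank.example` slip out of inspection along with the real bank. All domain names and the list itself are constructed for illustration.

```python
# Added example (not from the thread): the domain bypass list a
# TLS-inspecting proxy uses to pass banking/health sites straight through
# without re-signing them.  Domain names and the list are constructed.

# Constructed bypass list: a host equal to, or a subdomain of, one of these
# is not intercepted.
BYPASS_SUFFIXES = [
    "mybank.example",
    "health-portal.example",
    "tax.gov.example",
]


def normalise_host(host):
    """Lower-case the host, drop a trailing dot and a :port suffix, and
    unwrap a bracketed IPv6 literal, so the comparison below is stable
    whatever form the SNI name or Host header arrived in."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):            # "[2001:db8::1]:443" -> IPv6 literal
        return host[1:host.index("]")]
    if host.count(":") == 1:            # "www.mybank.example:443"
        host = host.split(":", 1)[0]
    return host


def naive_should_bypass(host, suffixes):
    """The tempting one-liner.  It is wrong: 'notmybank.example' ends with
    'mybank.example', so a look-alike domain would also escape inspection."""
    h = normalise_host(host)
    return any(h.endswith(s.lower()) for s in suffixes)


def should_bypass(host, suffixes):
    """Label-aware match: the host must equal the suffix or end with
    '.' + suffix.  'mybank.example.evil.test' does not match because the
    bypass domain is not the final labels of the name."""
    h = normalise_host(host)
    for suffix in suffixes:
        s = suffix.lower().strip(".")
        if h == s or h.endswith("." + s):
            return True
    return False


if __name__ == "__main__":
    for name in ["www.mybank.example", "notmybank.example",
                 "mybank.example.evil.test", "login.health-portal.example:443"]:
        print(f"{name:40} naive={naive_should_bypass(name, BYPASS_SUFFIXES)!s:5} "
              f"correct={should_bypass(name, BYPASS_SUFFIXES)}")
```

The proxy has to make this decision from the SNI name in the ClientHello, before any decryption, which is why the list is a set of domain suffixes rather than URLs.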

Paranoia (4, Insightful)

jbmartin6 (1232050) | about 9 months ago | (#46410279)

My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees

A completely baseless assumption. I have worked with several organizations who do this "attack" to protect themselves from malicious traffic. I have not yet seen any that logged content. The legal and regulatory risks in doing this are too high to do this sort of data collection.

Re:Paranoia (1)

tommyatomic (924744) | about 9 months ago | (#46410467)

The legal and regulatory risks in doing this are too high to do this sort of data collection.

Almost every company I have worked for has operated off of the malicious assumption that it's easier to violate their employees and issue apologies later. They almost always assume it's only wrong if they get caught.

Paranoia is only wrong if it is illogical, irrational or lacks a historical precedent.

So? (0)

Anonymous Coward | about 9 months ago | (#46410293)

If this handle you cannot the job quit.

Assume it (1)

invictusvoyd (3546069) | about 9 months ago | (#46410301)

It's retarded to carry out personal transactions over office hardware. As many have pointed out, once "in" the workplace, you ain't got any rights.

ATT (0)

Anonymous Coward | about 9 months ago | (#46410305)

I was setting up an ATT cellular extender and, though I didn't look at it real thoroughly, it seemed to do the same thing. I didn't inspect a cert to see if it was the original or not, but it was definitely routing all the traffic through a proxy of some sort.

Same here (1)

DeathByLlama (2813725) | about 9 months ago | (#46410311)

Yep, mine does the same thing. Always unnerving to know that others have access to -- what should be -- encrypted data / passwords.

Is there a way to route through cell phone? (0)

Anonymous Coward | about 9 months ago | (#46410325)

I have a Verizon smartphone grandfathered in with unlimited data. Is there a way I could connect it to my work computer via USB and use it for my internet connection rather than the corporate network?

given up (0)

Anonymous Coward | about 9 months ago | (#46410327)

My employer makes it very clear that they monitor everything. There appears to be need for a CA and proxy etc when they have every form of logging under the sun running on all employee machines. For the sake of convenience I have given up on using my phone for banking, personal email etc when it is so much easier to just use my work laptop. I guess I will change all my passwords when I leave.

Yes my former employer General Dynamics does MITM (0)

Anonymous Coward | about 9 months ago | (#46410341)

It was funny because overnight they pushed out CA certificates into Internet Explorer, so the users were none the wiser. Anyone who had Firefox or Chrome installed immediately saw what was happening and stopped using the corporate desktop to do anything on the internet. This caused tons of problems; especially working in cyber security, a lot of sites like Tor and Squid and Red Hat's CDN were blocked and/or hindered from working properly, causing lots of problems in my lab. Glad I'm outta there!

Yes (0)

Anonymous Coward | about 9 months ago | (#46410349)

Big company. They tell us outright that they do it.

Same here (0)

Anonymous Coward | about 9 months ago | (#46410355)

My employer, a big bank, does the exact same thing. Interestingly, as you say, IE doesn't complain about it but Firefox does. Also it's only some sites: Google is this way, but Twitter for example is just rejected if you try to access it over HTTPS.

They do it here, and yes, it's a MITM (0)

Anonymous Coward | about 9 months ago | (#46410365)

It's becoming more and more common.

Mobile phone hotspot (0)

Anonymous Coward | about 9 months ago | (#46410369)

What are you doing using THEIR network thinking you have any privacy? Regardless of VPN or not?

When on-site with a customer, I always use my own equipment (laptop, tablet, etc) connected to my own phone's wifi hotspot (or tethered) to connect back to my own business systems.

(Posting as AC because I lost my ~1997 account long ago and can't bear the shame of a new one with a high uid)

How can I check? (1)

suutar (1860506) | about 9 months ago | (#46410373)

I don't know if my company does this. I wouldn't be surprised if they do; many folks have already mentioned reasons why it might be desirable (for them) that aren't malicious.

But I want to know whether it's happening so I can decide if I want to change my behavior. How would I go about checking for such things on a Windows 7 Professional laptop?
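The question above (how to tell whether your traffic is being intercepted) is answered by looking at the certificate the browser actually received and asking two things: who issued it, and is it the same certificate the site presents from a network you trust. The following is an added example, not code from the thread or from any of the products mentioned in it, that does both checks in Python. `fetch_leaf` is the only part that touches the network and uses the system trust store, so on a managed machine with the corporate root installed the handshake succeeds and you get to inspect the re-issued leaf. The issuer names, the corporate marker strings and the certificate bytes are all constructed; the reference fingerprint stands in for one you would record at home and carry to the office.

```python
"""Added example (not from the thread): detect a TLS-intercepting proxy by
comparing the certificate a host presents with what you expect to see.

Two independent checks:
  1. Issuer check: does the issuer O/CN look like an internal corporate CA
     rather than a public one?  Heuristic; needs a list of marker strings.
  2. Pin check: does the SHA-256 fingerprint of the leaf certificate match
     one recorded earlier from a trusted network?  Definitive for that site,
     but it will also fire when the site legitimately rotates its cert.
"""
import hashlib
import socket
import ssl


def rdn_to_dict(rdn_sequence):
    """Flatten the nested tuples ssl.SSLSocket.getpeercert() returns for
    'subject'/'issuer', e.g. ((('organizationName', 'X'),), ...), to a dict."""
    out = {}
    for rdn in rdn_sequence:
        for attr_type, value in rdn:
            out[attr_type] = value
    return out


def issuer_looks_internal(cert, corporate_markers):
    """True if the issuer's organizationName or commonName contains any
    marker the organisation's pushed-out root is known to use (e.g. the
    company name).  Case-insensitive substring match."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    haystack = " ".join(
        issuer.get(k, "") for k in ("organizationName", "commonName")
    ).lower()
    return any(marker.lower() in haystack for marker in corporate_markers)


def sha256_fingerprint(der_bytes):
    """Colon-separated uppercase SHA-256 fingerprint, the form certificate
    viewers display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_bytes, reference_fingerprint):
    """Compare the observed leaf against a fingerprint recorded from a
    trusted network.  Separators and case are normalised so a value copied
    out of a browser dialog compares correctly."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").upper()
    return norm(sha256_fingerprint(der_bytes)) == norm(reference_fingerprint)


def assess(cert, der_bytes, corporate_markers, reference_fingerprint=None):
    """Combine both checks into a single verdict string."""
    if reference_fingerprint is not None and not pin_matches(der_bytes, reference_fingerprint):
        return "INTERCEPTED: leaf certificate differs from the pinned one"
    if issuer_looks_internal(cert, corporate_markers):
        return "INTERCEPTED: leaf certificate was issued by an internal CA"
    return "OK: certificate matches expectations"


def fetch_leaf(host, port=443, timeout=5.0):
    """Live helper (not exercised offline): return (cert_dict, der_bytes)
    for the leaf certificate presented on the current network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# ---- Constructed sample data (not real certificates) -----------------------
# The dicts mirror getpeercert(); the byte strings are placeholders for the
# DER-encoded certificates, which is enough to exercise the logic.
PUBLIC_LEAF = {
    "subject": ((("commonName", "maps.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Root G1"),)),
}
PUBLIC_LEAF_DER = b"constructed-der-for-the-real-leaf"

# The leaf an intercepting proxy mints for the same site, signed by a root
# pushed out via Group Policy (hypothetical organisation name).
FORGED_LEAF = {
    "subject": ((("commonName", "maps.google.com"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Web Proxy CA"),)),
}
FORGED_LEAF_DER = b"constructed-der-for-the-forged-leaf"

CORPORATE_MARKERS = ["Example Corp", "Web Proxy CA"]
REFERENCE_PIN = sha256_fingerprint(PUBLIC_LEAF_DER)   # "recorded at home"

if __name__ == "__main__":
    print(assess(PUBLIC_LEAF, PUBLIC_LEAF_DER, CORPORATE_MARKERS, REFERENCE_PIN))
    print(assess(FORGED_LEAF, FORGED_LEAF_DER, CORPORATE_MARKERS, REFERENCE_PIN))
    print(assess(FORGED_LEAF, FORGED_LEAF_DER, CORPORATE_MARKERS))   # issuer only
```

In practice you would call `fetch_leaf("maps.google.com")` once from home, save the fingerprint, and run the same call on the office network; the issuer check alone is enough when the corporate root is named after the company, while the pin check catches a proxy whose CA was given an innocuous public-sounding name. The same two fields (issuer and fingerprint) are what the browser's certificate dialog shows, which is how the Firefox and Chrome users in this thread spotted it.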

In the same boat (0)

Anonymous Coward | about 9 months ago | (#46410389)

Yep--my company does the same thing, and because they are attempting to do it "under the radar" it has caused a whole lot of issues and wasted time for many folks trying to "fix" problems it has caused. In several cases it was blocking automated updates for Microsoft Windows, WordPress, and several Linux distributions because the update software wanted to see the vendor-issued cert.

The NetGear, NetSecure RTM does this (0)

Anonymous Coward | about 9 months ago | (#46410391)

I recently implemented the same thing at my previous company. This is common, and useful for the firewall to track things more easily; you've got both sides of the client/server covered. --- genius! Waiting for our ISPs to do the same thing at the ISP level... then we're doomed!

It's pretty common. (0)

Anonymous Coward | about 9 months ago | (#46410393)

What the proxies "usually" don't re-encrypt are banks and other financial institutions that contain your PII. It's mostly to see what you're doing, whether you're breaking any laws while on company property, and whether you're posting bad comments about the company via HTTPS. Basically the data is there if you get audited or investigated. So as long as you're clean, there should never be a worry.

Deep Packet Inspection (1)

The_Systech (568093) | about 9 months ago | (#46410397)

It's actually fairly common for any fairly new generation firewall that does Deep Packet Inspection for Intrusion Prevention, Content Filtering, etc. The firewall has to be able to view the data unencrypted to scan it for the "normal" stuff. Nothing overtly hostile in the intent there; it's just the way it works.

Yes (1)

RobinH (124750) | about 9 months ago | (#46410417)

This is a very common way to solve the problem of "how do we do a virus scan on files coming in through https?" Many organizations run a proxy server for all web requests to be able to filter content, and to do anti-virus checks, but obviously it needs to view the unencrypted content to be able to do a scan. Otherwise any employee could be downloading malicious content straight through your firewall and bypass all the checks you have in place.

Happens in more paranoid outfits (2)

Antony T Curtis (89990) | about 9 months ago | (#46410465)

A previous employer, a game company whose name rhymes with lizard, uses MITM proxy ... All their machines use their custom cert so that their made-up cert shows 'green' on the location box when any user uses a secure web site.

I had the same issue but worse (1)

erroneus (253617) | about 9 months ago | (#46410477)

I worked for a nuclear technology company and they set up a box which did this on the guest network. I threw up all sorts of warnings why this was a bad idea but our network security guy who cared nothing about the businesses and government entities we came into contact with, insisted that this is the way it should be done. Eventually some form of it disappeared while some other aspects remained. But seriously, how do you think the various large utilities and the NRC would feel about their secure traffic being sniffed while their representatives and executives are in the office?

Kinda breaks some trust issues doesn't it?
