Ask Slashdot: What's Your Take On HTTPS Snooping?
First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"
Perspectives (Score:5, Informative)
Considering that I actually do this (Internet filtering) for a living for a medium-sized company, let me tell you why we do it.
Data leakage.
We're concerned about an employee either accidentally or maliciously transferring customer data or other sensitive data to an unauthorized party.
We're also acutely aware of the liabilities and sensitivities imposed by us breaking the SSL channel, inspecting the payload, and then re-encrypting it on our employees' behalf, which is why we go out of the way NOT to break the chain for sites that are healthcare or financial related.
But your Gmail is fair game.
As the innkeeper is, so he trusts his guests (Zoals de waard is, vertrouwt hij zijn gasten) (Score:5, Informative)
In Dutch we have a saying roughly translated to: He who distrusts others is probably untrustworthy.
Bring your own network to work (Score:3, Informative)
Just do your banking over your phone's carrier network. Your employer can't go there (can they?)
Control of egress (Score:4, Informative)
You can't be secure unless you control your egress. If you just let https streams go anywhere with no visibility into their content you might as well just set the firewall to allow all outbound connections. If there is ANY concern about information as an asset, you must intercept and decrypt https.
Your company more than likely has a policy that any use of their equipment is supposed to be for job related purposes; I don't think regular employees should have any expectation you are not watching everything they do on the PC provided by the company.
Usually the certificates are pushed through group policy; anyone else who shows up with their own device or other companies' property will get a certificate warning, and if they look at the certificate it's going to show it was signed by your company. They can make an informed decision about what they want to do knowing they are being watched. So I don't see a problem there.
One thing that gets overlooked with SSL intercept is YOU become responsible for the forward authentication and encryption beyond your proxy, since the client now has no opportunity to verify the certificate itself. So you HAD BETTER BE DOING revocation checks and making sure the proxy has a sane list of trusted roots, and serve clients some kinda error page if you can't trust the certificate.
Don't quit your job. Deal with the fact that with all the spyware and things like Flame going on this is what business must do to protect themselves. Do your banking/medical correspondence/etc at home.
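The responsibility shift in the comment above (only the proxy can still validate the real site) is what the following added example illustrates; it is not code from any commenter or vendor, and the `ca_bundle`/`crl_file` paths are assumed to be PEM files the proxy admin maintains.

```python
import ssl


def strict_upstream_context(ca_bundle=None, crl_file=None):
    """Verification context for the proxy's own leg to the origin server.

    Hypothetical helper: ca_bundle and crl_file are assumed PEM paths that the
    proxy admin maintains; the client behind the proxy can no longer check any of this.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED              # stated explicitly: never CERT_NONE upstream
    ctx.check_hostname = True                        # the host the client asked for must match
    if ca_bundle is None:
        ctx.load_default_certs()                     # OS trust store
    else:
        ctx.load_verify_locations(cafile=ca_bundle)  # a curated root list instead of the OS store
    if crl_file is not None:
        # PEM CRLs load through the same call. With the flag set, a handshake whose
        # issuer has no loaded CRL fails closed ("unable to get certificate CRL"),
        # so the CRL feed must be kept current or every client sees an error page.
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def context_summary(ctx):
    """Report the three properties the comment above insists on."""
    return {
        "hostname_checked": ctx.check_hostname,
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "crl_checked": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
    }


def failure_response(exc):
    """What the client gets instead of content when the upstream leg cannot be trusted."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return 502, f"Upstream certificate rejected by proxy: {exc}"
    if isinstance(exc, ssl.SSLError):
        return 502, f"Upstream TLS failure: {exc}"
    return 504, f"Upstream unreachable: {exc}"
```

Wrap the proxy's upstream `connect` in a `try` that hands any exception to `failure_response` so a bad origin certificate never turns into a proxy-signed "valid" one on the client side.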
Re:They don't enforce snooping on everything (Score:1, Informative)
You are correct about the whitelisting of banking, healthcare and other sites that require SSL but should not be snooped on. Most vendors' SSL inspection products contain pre-configured rules that stop SSL inspection being applied to sites that should not be snooped on, such as banking sites.
However, for DLP to work correctly you must have SSL inspection set up, or you can't intercept data being snuck off via P2P messaging (MSN, Skype etc.) or via Gmail and the like.
At the end of the day, if you have nothing to hide because you are doing your job, what's the big deal?
Re:Expensive (Score:4, Informative)
use your phone as a local wifi hotspot
This would require me to subscribe to a plan with tethering, which is still luxury-priced in the United States market.
No, it just requires that you root your android device.
Man-In-The-Middle Attack, let's call it what it is (Score:3, Informative)
I ran into this with a customer of one of my clients recently. The insurance company was using a setup from Websense to snoop on all HTTPS traffic. As best as I could tell, they were snooping ALL traffic (banking, healthcare included), not just "safe" sites.
Surely this breaks privacy laws in numerous instances. HIPAA? Banking laws? Shoot, there's a federal law that could make snooping in on your Netflix traffic (video rentals) illegal. Ironically, if SOPA/PIPA had passed, HTTPS snooping would have been legal.
As for the moral aspect of this, and all the people that say "you shouldn't do personal stuff at work," a few points to keep in mind. 1) Only the IT staff at this company knew what was going on. No one outside the IT department could find any reference, or notification. 2) This was REQUIRED on all home PCs that utilized their VPN network (kinda shoots down doing your home stuff at home). 3) From what I was told by their IT staff (remember I was a 3rd party, trying to get our network connections to work), the IT staff regularly "audited" HTTPS traffic. That means someone in-house was regularly looking at bank account information, and health care information of their fellow employees, and they weren't making this known to the general population within the company.
I tried to get some mainstream press attention on this topic a while back. No one would bite.
Re:They don't enforce snooping on everything (Score:5, Informative)
When a company uses HTTPS proxies, it's just making it so all of the client browsers trust every HTTPS website.
Yes, HTTPS proxies save money, but so does not using any security.
Re:Perspectives (Score:4, Informative)
I can't speak for Gellenburg, but you should not be sending emails in the first place.
Email is:
1) Freaking horrible for data transfer. It was quite simply not designed for it. Everything has to be base64 encoded (blows up file size) and jammed into the message itself. It should be a file manifest and separate connections made once the message is approved for delivery/routing, but alas, email is very old.
2) Not designed for security in the first place. Far too open by default in that you can send to anyone.
3) No authentication is really possible of the recipient.
4) No reliable standards for delivery and presentation.
It is much better to bring the customer to you via a secured web portal. USAA is a good example. They refused, and were not even able, to email me or fax me anything sensitive. If I needed something it was provided as a downloadable document that I could retrieve on demand.
It is the job of IT to block your ability to send sensitive information via email, but it is also their job to provide you with tools to do yours. Your concern about a time crunch should have been a non-issue.
Re:Trusting them as root CA doesnt mean that... (Score:5, Informative)
I'd suggest you look up Man in the Middle attacks (because that's what this is)...
Your browser will /think/ it is connecting to www.securesite.com but it's actually connecting to www.companyproxy.com, which has issued a (fake / self generated on the fly) certificate for securesite.com, and the proxy server then connects itself to the site you were originally attempting to access.
So you think it's
You ==> Secure Site
but it's actually
You (encrypted to) ==> Proxy ==> Secure Site.
No need for the other endpoint's private key at all.
MITM attacks... Google it!
Re:They don't enforce snooping on everything (Score:5, Informative)
We're looking for the minority because those are the ones that are going to cost the company money. The legal costs in defending a single hostile workplace complaint suit can easily exceed the cost of the monitoring system, and the company faces even greater losses if they lose the suit. Workplace internet monitoring has become so commonplace that if we are not doing it, then that shows that we're not taking prudent measures to prevent abuse, making it harder to defend against a lawsuit. If you don't like it, then talk to your legislators and get a law passed prohibiting workplace internet monitoring *and* shielding employers from litigation based on improper internet use by employees.
Believe me, your IT department doesn't want to monitor your internet use anymore than you do, but we don't often get to say "no" to projects when it comes down to shielding the company from risk.
But nowadays, smartphones are so common and powerful that there's really no excuse for using your employer's network for anything private - I don't even check my personal email through work's network any more, I just read it on my phone. I don't want them to read it, so I keep my personal traffic off their network.
So rather than complain that the company is looking over your shoulder when you're using their computer and their network, just use your own.
Re:They don't enforce snooping on everything (Score:5, Informative)
Wrong.
The https proxy server is trusted as a signing CA. It generates server certs real-time for any requested https content, then retrieves the content for you on the other side, via its own https session, before sending it back to you. Since the proxy is trusted by your browser, it doesn't complain.
Without getting into a protracted discussion about x.509 certs and their completely fucked implementation, suffice to say that while the proxy can effectively decrypt your https traffic, no one else can. There's still a reasonable amount of security there.
Although it depends a great deal on the proxy admin to keep it secure...
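The two comments above describe the mechanism: the proxy's CA mints a certificate for the requested site on the fly, and the browser accepts it because that CA was pushed into the trust store. The following added example (not any commenter's code) shows what a user or desktop-support team can check from a workstation to tell whether that is happening: it inspects a `getpeercert()`-shaped dict for a corporate issuer, an issuer that differs from the one recorded on a clean network, and a freshly minted `notBefore`. The CA name, the pinned issuer, and both sample certificates are constructed for the example.

```python
import socket
import ssl
import time

# Constructed for this example: what group policy pushed to the workstation, and the
# issuer organization recorded for the site from a network without the proxy.
CORPORATE_CA_NAMES = {"ExampleCorp Internal Root CA"}
EXPECTED_ISSUER_ORG = {"www.securesite.com": "Example Public CA"}
# Two getpeercert()-shaped dicts, constructed: one minted by the proxy, one from the site itself.
PROXIED_CERT = {
    "subject": ((("commonName", "www.securesite.com"),),),
    "issuer": ((("organizationName", "ExampleCorp IT"),),
               (("commonName", "ExampleCorp Internal Root CA"),)),
    "notBefore": "Jun 12 09:41:00 2012 GMT",
    "notAfter": "Jun 12 09:41:00 2013 GMT",
}
DIRECT_CERT = {
    "subject": ((("commonName", "www.securesite.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
    "notBefore": "Jan 15 00:00:00 2012 GMT",
    "notAfter": "Jan 15 00:00:00 2014 GMT",
}
FIXED_NOW = ssl.cert_time_to_seconds("Jun 12 10:00:00 2012 GMT")  # "now" for the samples


def _name_dict(name):
    """Flatten ssl's nested ((('key', 'value'),), ...) distinguished-name tuples."""
    return {key: value for rdn in name for key, value in rdn}


def interception_indicators(cert, now=None, fresh_window=24 * 3600):
    """Reasons a peer certificate looks like it was generated by an intercepting proxy."""
    now = time.time() if now is None else now
    subject, issuer = _name_dict(cert["subject"]), _name_dict(cert["issuer"])
    reasons = []
    if issuer.get("commonName") in CORPORATE_CA_NAMES:
        reasons.append("leaf is signed by the corporate root, not a public CA")
    expected = EXPECTED_ISSUER_ORG.get(subject.get("commonName"))
    if expected and issuer.get("organizationName") != expected:
        reasons.append(f"issuer changed from {expected!r} to {issuer.get('organizationName')!r}")
    if now - ssl.cert_time_to_seconds(cert["notBefore"]) < fresh_window:
        reasons.append("certificate was minted within the last day (generated on the fly)")
    return reasons


def live_peer_cert(host, port=443):
    """Fetch the certificate the browser would see; trusts the OS store, as the browser does."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

On a real workstation, `interception_indicators(live_peer_cert("www.securesite.com"))` returns an empty list when the session reaches the site directly and one or more reasons when it terminates at the proxy.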
Re:They don't enforce snooping on everything (Score:5, Informative)
If you want to get fired for circumventing company network policy there are less laborious ways of doing it.
Re:They don't enforce snooping on everything (Score:5, Informative)
When your job is no more than book-keeping at Joe's Garage you can pull this off. If you work in an organization of any size with measurable risk, then if you pull this stunt you will be escorted to the door. If you do not believe me, then I suggest your friendly search engine might help you, although the same has been stated on slashdot many many times.
Re:They don't enforce snooping on everything (Score:2, Informative)
It might be worth trying, but it doesn't have the legal power you think it does. I work in healthcare and I read the entire law. HIPAA restrictions only apply to actual health care providers and to a lesser extent their business partners. It doesn't have any effect on most employers. This is one of the biggest weaknesses in that law, although it's generally a well-written law.
There may be other legal reasons that this could cause problems for the company though. Contact a lawyer if you can.