Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Businesses Security The Internet

Ask Slashdot: What's Your Take On HTTPS Snooping? 782

Posted by timothy
from the note-from-the-principal's-office dept.
First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: What's Your Take On HTTPS Snooping?

Comments Filter:
  • by borv (2021802) on Saturday June 16, 2012 @05:08PM (#40346857)
    Chances are they will whitelist any sites that may contain personally identifiable information such as banking sites etc. Most places do not want to get into privacy issues like this. Anything else is fair game. Personal e-mail might be a different story, but then again, in some verticals like finanicials, you should not be accessing personal e-mail anyway, per policy of most financial houses. Personal e-mail and the like are avenues for information to easily leave the firm.
    • by lindi (634828) on Saturday June 16, 2012 @05:10PM (#40346895)

      It's a good idea to not access personal bank account from company computers anyway.

      • by Anonymous Coward on Sunday June 17, 2012 @04:27AM (#40350231)

        It's a good idea to not access personal bank account from company computers anyway.

        Well, yes. So you take a different approach.
        What you do, is access the secured web site of the health care provider your employer gave you. Then, you file a complaint with HR saying that IT refuses to tell you what information, if any, they are snooping out of the sessions, and that you are highly concerned that they are not properly meeting HIPPA requirements for confidential medical information.

      • by Xest (935314) on Sunday June 17, 2012 @05:00AM (#40350369)

        Indeed, I've always just worked on the principle that if I'm doing something on the internet from work, it's more likely someone could be watching.

        If it's something that could thus get me in trouble, or cause problems, I wouldn't do it from work, it's as simple as that.

        Thankfully I've always had jobs where things like reading the news online, using Facebook or whatever are accepted, so I've never found it to be a problem.

        For me it's not even that I believe for a second my employer right now for example would snoop. It's about the fact that it's not a network I control, so I just don't trust it like I do my home network. The same goes for things like airport Wifi, Cybercafes etc. - I don't know the networks well enough to fully trust, so I don't do things on them that require a level of trust.

        So to answer the original question, not, I don't think it's worth leaving your job over, the only reason to leave your job is if you do not like your job (whether it's because of pay, conditions, enjoyability of the work itself or whatever), which is a different issue that takes into account far more factors.

    • by MichaelSmith (789609) on Saturday June 16, 2012 @05:11PM (#40346901) Homepage Journal

      My workplace is pretty open about proxying all https connections and I get the horrors whenever I see a co-worker doing their banking from their desk.

    • by WaywardGeek (1480513) on Saturday June 16, 2012 @05:21PM (#40347025) Journal

      My understanding is that very large companies are doing this to save money rather than to snoop on your https sessions. Companies are saving money by locally caching large data sets from electrically far away branches of the same company. When you https into a a company site in another country, you get that nice all secure indicator, even though your company has a caching server in the middle.

      That said, large companies have Big Brother watching you all the time. My aunt had to get a guy fired for watching porn at work, because that was part of her job. If you're trying to be sneaky, do it competently, or don't do it at all.

      • by Bengie (1121981) on Saturday June 16, 2012 @06:18PM (#40347475)
        On the other side of thing Flame only affected networks designed this way because the HTTPS proxy was claiming all of the data was "trusted" when it was not.

        When a company uses HTTPS proxies, it's just making it so all of the client browsers trust every HTTPS website.

        Yes, HTTPS proxies save money, but so does not using any security.
        • by thermowax (179226) on Saturday June 16, 2012 @10:47PM (#40349033)

          Wrong.

          The https proxy server is trusted as a signing CA. It generates server certs real-time for any requested https content, then retrieves the content for you on the other side- via it's own https session- before sending it back to you. Since the proxy is trusted by your browser, it doesn't complain.

          Without getting into a protracted discussion about x.509 certs and their completely fucked implementation, suffice to say that while the proxy can effectively decrypt your https traffic, noone else can. There's still a reasonable amount of security there.

          Although it depends a great deal on the proxy admin to keep it secure...

      • My understanding is that very large companies are doing this to save money rather than to snoop on your https sessions.

        Yes, there is probably not even one big company that created such a system to soop bank passwords... But do you know everybody that works at IT? Do you know everybody that has access to the proxy servers, to the server rooms (yes, that may include consultants and outsourced people) or that just has enough access to the overall network to stay hidden while owning the proxy?

      • by tukang (1209392)
        I don't understand how they could usefully cache https data. Most https data is going to contain personal information like your bank account balance for example. Caching makes sense when the data is the same for a lot of users - like a slashdot article - and those sets of data are usually not sent over https.
  • Perspectives (Score:5, Informative)

    by gellenburg (61212) <george@ellenburg.org> on Saturday June 16, 2012 @05:09PM (#40346869) Homepage Journal

    Considering that I actually do this (Internet filtering) for a living for a medium-sized company let me tell you why we do it.

    Data leakage.

    We're concerned about an employee either accidentally or maliciously transferring customer data or other sensitive data to an unauthorized party.

    We're also acutely aware of the liabilities and sensitivities imposed by us breaking the SSL channel, inspecting the payload, and then re-encrypting it on our employees behalf, which is why we go out of the way NOT to break the chain for sites that are healthcare or financial related.

    But your Gmail is fair game.

    • Re:Perspectives (Score:5, Insightful)

      by guruevi (827432) <evi@smok[ ]cube.be ['ing' in gap]> on Saturday June 16, 2012 @05:12PM (#40346909) Homepage

      Data leakage can be done a myriad of other ways. And by the time you actually have analyzed the data (if anyone even looks at the reports after 2 weeks) the damage has already been done.

      • by mindwhip (894744)

        We have similar rules however not only is it fair game with us, accessing (or attempting to access since most are blocked) personal email services, messaging services, logging into web forums, uploading files and a bunch of other risky stuff are grounds for immediate dismissal. We also monitor and store all emails, record random phone calls and other stuff which all staff are made aware of when they join the company.

        This is 100% for data leakage, we don't really care if your sister is having an affair and

        • Re:Perspectives (Score:5, Insightful)

          by cmdrbuzz (681767) <cmdrbuzz@xerocube.com> on Saturday June 16, 2012 @06:38PM (#40347629)

          I hope you are not doing this in the UK... Its a breach of both the Data Protection Act and the Human Rights Act.

          And whilst we (I work for a very large bank in the UK) block email and (lots) of other sites, just accessing (or attempting to) would not be a HR matter. e.g. we block youtube, and the amount of IT sites that include embedded links to videos (that are then blocked by the proxy server) are insane. Its hardly someones fault that it "looks like" they were trying to access a blocked site, when they didn't even know it was embedded in the webpage they meant to access. Same goes for twitter links, Facebook like links etc.

          We are strongly regulated and log lots of things, but I would be concerned by your words of things like "fair game" etc. If it was found that IT (or anyone) looked through a users web history, or emails / phone calls etc without permission from HR, Legal and Director level management, that person would be handed over on a plate to the police.

    • Do you also block SSH traffic and other data that looks like it has already been encrypted through some software (a java applet, if users are not allowed to install their own software). Just curious.

      • ssh doesn't work to external locations from my workplace but curiously, there is no restriction on DNS traffic ;)

      • by DarkOx (621550)

        We decrypt SSH as well. Our equipment will actually go up to several tunnels deep. Yes you do get hostkey warnings.

    • With all due respect, data leakage is a piss-poor excuse to spy on people without their knowledge. These devices and policies work not just to snoop on SSL traffic, but to hide that fact from people browsing SSL-protected sites. I'm sorry, but that's pretty damn scummy and something that is on the level of criminal behavior.

      Personally, I think that transparent SSL interception should be illegal. The transparent aspect of it means that you're not just interested in data leakage, but in surreptitiously sno

  • In Dutch we have a saying roughly translated to: He who distrust others, is probably untrustworthy.

  • Do it at home, on your own equipment like the rest of us.

  • by zill (1690130) on Saturday June 16, 2012 @05:13PM (#40346925)
    The fact that you're using IE and isn't allowed to change the certificate store tells me that you don't have admin privileges. If that's case, then your company can already log your every key stroke, so I don't see how HTTPS packet inspection is any more intrusive.

    I just avoid doing banking or sensitive transactions on computers that isn't administered by myself or someone that I trust.
  • Don't work there (Score:3, Insightful)

    by guruevi (827432) <evi@smok[ ]cube.be ['ing' in gap]> on Saturday June 16, 2012 @05:14PM (#40346943) Homepage

    If they don't trust you, you shouldn't trust them. If they're trying to snoop on you for whatever reason, they think you're a criminal. Would you work for the RIAA? Would you work for a boss who every time you come in he says "you're a criminal" and then proceeds to look over your shoulder all day? No and you shouldn't accept such behavior from employers.

  • by MacTO (1161105) on Saturday June 16, 2012 @05:15PM (#40346947)

    There are various reasons why you should not be using your employers computers for personal use. One is that you are using company resources for non-business purposes. And that is something that you don't do unless you have your boss' blessing.

  • illegal (Score:4, Interesting)

    by chrb (1083577) on Saturday June 16, 2012 @05:15PM (#40346949)
    I think that this may well be illegal, because even if you consent, the server at the other side of the connection hasn't consented. That means that at least one party to the communication is having their encrypted data intercepted and decrypted by a third party without their knowledge or consent. Wiretap laws apply to both communicating parties. Not aware of any case law, someone needs to actually Sue cisco bluecoat or one of the other ssl intercepting proxy makers to establish legality.
  • by Anonymous Coward on Saturday June 16, 2012 @05:16PM (#40346953)

    Just do your banking over your phone's carrier network. Your employer can't go there (can they?)

  • Controll of egress (Score:4, Informative)

    by DarkOx (621550) on Saturday June 16, 2012 @05:16PM (#40346955) Journal

    You can't be secure unless you control your egress. If you just let https streams go anywhere with no visibility into their content you might as well just set the firewall to allow all out bound connections. If there is ANY concern about information as an asset, you must intercept and decrypt https.

    Your company more than likely has a policy that any use of their equipment is supposed to be for job related purposes, I don't think regular employees should have any expectation you are not watching everything they do on the PC provided by the company.

    Usually the certificates are pushed through group policy, anyone else who shows up with their own device or other companies property will get a certificate warning, if they look at the certificate its going to show it was signed by your company. They can make an informed decision about what they want to do knowing they are being watched. So I don't see a problem there.

    One thing that gets over looked with SSL intercept is YOU become responsible for the forward authentication and encryption between your proxy since the client now has no opportunity to verify the certificate itself. So you HAD BETTER BE DOING revocation checks and making sure the proxy has a sane list of trusted roots, and serve clients some kinda error page if you can't trust the certificate.

    Don't quit you job. Deal with the fact that with all the spy ware and things like flame going on this is what business must do to protect themselves. Do you banking/medical correspondence/etc at home.

  • by shanec (130923) on Saturday June 16, 2012 @06:07PM (#40347389)

    I ran into this with a customer of one of my clients recently. The insurance company was using a setup from Websense to snoop on all HTTPS traffic. As best as I could tell, they were snooping ALL traffic (banking, healthcare included), not just "safe" sites.

    Surely this breaks privacy laws in numerous instances. HIPAA? Banking laws? Shoot, there's a federal law that could make snooping in on your NetFlicks traffic (video rentals) illegal. Ironically, if SOPA/PIPA had passed, HTTPS snooping would have been legal.

    As for the moral aspect of this, and all the people that say "you shouldn't do personal stuff at work," a few points to keep in mind. 1) Only the IT staff at this company new what was going on. No one outside the IT department could find any reference, or notification. 2) This was REQUIRED on all home PC's that utilized their VPN network (kinda shoots down doing your home stuff at home). 3) From what I was told by their IT staff (remember I was a 3rd party, trying to get our networks connections to work), the IT staff regularly "audited" HTTPS traffic. That means someone in-house was regularly looking at bank account information, and health care information of their fellow employees, and they weren't making this known to the general population within the company.

    I tried to get some main stream press attention on this topic a while back. No one would bite.

  • by ImprovOmega (744717) on Saturday June 16, 2012 @08:43PM (#40348405)
    We do something similar where I work. While it's theoretically possible to abuse this and snoop on personal https traffic, it's not worth the time. You are not interesting, your facebook posts are not worth an admin's time. Your personal banking information is not worth the effort to extract. Every potentially useful bit of private information that could harm you being protected by https was already given freely to the company anyway - SSN, Bank account for direct deposit, address, contact info, mother's maiden name, etc. You should be *vastly* more worried about the DBA's than the network admins. And again, you're not important enough for them to mess with it either.

    Now, you should still use https at home because maybe some bigger criminal enterprises could make use of unprotected CC numbers or something (assuming they haven't already pwned your box) - but as far as your employer is concerned, there is nothing to fear from an https transparent proxy.

The IQ of the group is the lowest IQ of a member of the group divided by the number of people in the group.

Working...