Ask Slashdot: What's Your Take On HTTPS Snooping?
First time accepted submitter jez9999 writes "I recently worked for a relatively large company that imposed so-called transparent HTTPS proxying on their network. In practice, what this means is that they allow you to use HTTPS through their network, but it must be proxied through their server and their server must be trusted as a root CA. They were using the Cisco IronPort device to do this. The "transparency" seems to come from the fact that they tend to install their root CA into Internet Explorer's certificate store, so IE won't actually warn you that your HTTPS traffic may be being snooped on (nor will any other browser that uses IE's cert store, like Chrome). Is this a reasonable policy? Is it worth leaving a job over? Should it even be legal? It seems to me rather mad to go to huge effort to create a secure channel of communication for important data like online banking, transactions, and passwords, and then to just effectively hand over the keys to your employer. Or am I overreacting?"
They don't enforce snooping on everything (Score:5, Interesting)
Re:They don't enforce snooping on everything (Score:5, Insightful)
It's a good idea to not access personal bank account from company computers anyway.
Re:They don't enforce snooping on everything (Score:5, Interesting)
It's a good idea to not access personal bank account from company computers anyway.
Well, yes. So you take a different approach.
What you do is access the secured web site of the health care provider your employer gave you. Then, you file a complaint with HR saying that IT refuses to tell you what information, if any, they are snooping out of the sessions, and that you are highly concerned that they are not properly meeting HIPAA requirements for confidential medical information.
Re:They don't enforce snooping on everything (Score:4, Insightful)
Indeed, I've always just worked on the principle that if I'm doing something on the internet from work, it's more likely someone could be watching.
If it's something that could thus get me in trouble, or cause problems, I wouldn't do it from work, it's as simple as that.
Thankfully I've always had jobs where things like reading the news online, using Facebook or whatever are accepted, so I've never found it to be a problem.
For me it's not even that I believe for a second my employer right now for example would snoop. It's about the fact that it's not a network I control, so I just don't trust it like I do my home network. The same goes for things like airport Wifi, Cybercafes etc. - I don't know the networks well enough to fully trust, so I don't do things on them that require a level of trust.
So to answer the original question: no, I don't think it's worth leaving your job over. The only reason to leave your job is if you do not like your job (whether it's because of pay, conditions, enjoyability of the work itself or whatever), which is a different issue that takes into account far more factors.
Re:They don't enforce snooping on everything (Score:5, Informative)
If you want to get fired for circumventing company network policy there are less laborious ways of doing it.
Re:They don't enforce snooping on everything (Score:5, Informative)
When your job is no more than book-keeping at Joe's Garage you can pull this off. If you work in an organization of any size with measurable risk, then if you pull this stunt you will be escorted to the door. If you do not believe me, then I suggest your friendly search engine might help you, although the same has been stated on slashdot many many times.
Re:They don't enforce snooping on everything (Score:4, Funny)
I agree. And just for extra measure, don't do personal banking from your home PC unless it's housed in a windowless room with concrete walls that are at least 4 inches thick.
Dude, that means 80% of the /. user base is covered.
Re:They don't enforce snooping on everything (Score:5, Interesting)
My workplace is pretty open about proxying all https connections and I get the horrors whenever I see a co-worker doing their banking from their desk.
Re:They don't enforce snooping on everything (Score:5, Interesting)
My understanding is that very large companies are doing this to save money rather than to snoop on your https sessions. Companies are saving money by locally caching large data sets from electrically far away branches of the same company. When you https into a company site in another country, you get that nice all-secure indicator, even though your company has a caching server in the middle.
That said, large companies have Big Brother watching you all the time. My aunt had to get a guy fired for watching porn at work, because that was part of her job. If you're trying to be sneaky, do it competently, or don't do it at all.
Re:They don't enforce snooping on everything (Score:5, Informative)
When a company uses HTTPS proxies, it's just making it so all of the client browsers trust every HTTPS website.
Yes, HTTPS proxies save money, but so does not using any security.
Re:They don't enforce snooping on everything (Score:5, Informative)
Wrong.
The https proxy server is trusted as a signing CA. It generates server certs in real time for any requested https content, then retrieves the content for you on the other side, via its own https session, before sending it back to you. Since the proxy is trusted by your browser, it doesn't complain.
Without getting into a protracted discussion about x.509 certs and their completely fucked implementation, suffice to say that while the proxy can effectively decrypt your https traffic, no one else can. There's still a reasonable amount of security there.
Although it depends a great deal on the proxy admin to keep it secure...
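The post above describes the mechanism from the proxy's side; the mirror image is how a user on such a network can tell, without trusting the browser's padlock, that a proxy is terminating TLS. The script below is an added example, not code from the thread or from any vendor. It uses only the Python standard library: it records the SHA-256 fingerprint of a site's leaf certificate as seen from a network you trust (your home connection, a phone hotspot) and compares it with the leaf presented on the corporate network. The `PINS` table, the `bank.example.com` host and the two byte strings standing in for DER certificates are constructed for the example; the `probe()` function performs the live connection and is the piece you would actually run from a desk.

```python
"""Detect a TLS-intercepting proxy from the client side.

Standard library only. The employer's root is in the OS trust store, so the
padlock will be green either way; the leaf certificate fingerprint will not.
"""
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value browsers label 'SHA-256 fingerprint'."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed stand-ins for DER certificate bodies (a real one is ~1 KB of ASN.1).
GENUINE_LEAF_DER = b"constructed DER bytes of the genuine bank.example.com leaf"
PROXY_LEAF_DER = b"constructed DER bytes of a leaf minted by the proxy CA"

# Hypothetical pin store: host -> fingerprints recorded from a trusted network.
# Sites rotate and load-balance across several certificates, hence a set.
PINS = {"bank.example.com": {fingerprint(GENUINE_LEAF_DER)}}

# Constructed issuer, in the nested-tuple shape ssl.SSLSocket.getpeercert() returns.
PROXY_PEERCERT = {
    "issuer": (
        (("organizationName", "Example Corp"),),
        (("commonName", "Example Corp Web Proxy CA"),),
    )
}


def issuer_of(peercert: dict) -> str:
    """Flatten the issuer of a getpeercert() dict into 'O=..., CN=...'."""
    parts = []
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                parts.append(f"O={value}")
            elif key == "commonName":
                parts.append(f"CN={value}")
    return ", ".join(parts) or "(no issuer information)"


def check_peer(host: str, der_cert: bytes, peercert: dict) -> dict:
    """Classify the certificate the client was handed.

    verdict is 'pinned' when the leaf matches a recorded pin, 'intercepted'
    when the host is pinned but the leaf differs (something between you and
    the site is terminating TLS), and 'unpinned' when there is no pin to
    compare against, in which case the issuer string is the best evidence.
    """
    fp = fingerprint(der_cert)
    pins = PINS.get(host)
    if pins is None:
        verdict = "unpinned"
    elif fp in pins:
        verdict = "pinned"
    else:
        verdict = "intercepted"
    return {"host": host, "fingerprint": fp, "issuer": issuer_of(peercert), "verdict": verdict}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: validate with the OS trust store (where an employer's root
    would have been installed), then compare the leaf against the pin store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert() or {}  # empty only under CERT_NONE
    return check_peer(host, der, info)


if __name__ == "__main__":
    print(check_peer("bank.example.com", PROXY_LEAF_DER, PROXY_PEERCERT))
```

Record the pins from a network you trust first; a pin captured on the corporate network would simply enshrine the proxy's certificate. The issuer string is the quick manual check (a corporate name where a public CA should be), but it is the fingerprint mismatch that turns suspicion into evidence.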
Yes, there is probably not even one big company that created such a system to snoop bank passwords... But do you know everybody that works at IT? Do you know everybody that has access to the proxy servers, to the server rooms (yes, that may include consultants and outsourced people) or that just has enough access to the overall network to stay hidden while owning the proxy?
Re:They don't enforce snooping on everything (Score:5, Funny)
But do you know everybody that works at IT?
Not since the call center was outsourced to India...
Re:They don't enforce snooping on everything (Score:5, Insightful)
I think you misunderstand the GP's point. You're using your employer's resources and on the clock, so you really shouldn't be doing things your employer wouldn't endorse, or at least approve of. What you do on your own time is damn well your own business, but what you do at work isn't.
Re:They don't enforce snooping on everything (Score:4, Insightful)
You're right, there is a problem: you are using company hardware for personal use. They have to give you a lunch break; they don't have to give you Internet access for personal use. As long as they warn you of what they are doing, there is no issue in my opinion.
Re:They don't enforce snooping on everything (Score:4, Interesting)
But take my situation right now: for several weeks I'm at a client's remote location, several hundreds of kilometres from the land line or cell tower, and we not only want but need and are specifically allowed to do some online banking etc. through their network. Were I to find out a password had been breached, I'd not hesitate a split second to sue the company for being a partner in such an event.
Yes, I know I'm under EU jurisdiction, where consumers come before companies, but nonetheless...
Re:They don't enforce snooping on everything (Score:5, Insightful)
Fair enough. I get a half hour break for lunch, during which I have been informed I may use the company internet connection. If they are snooping my https details during that period, we have a problem captain.
Browse your porn (or whatever it is you do that you don't want your employer watching) from your smartphone. Don't use your employer's network if you don't want them to watch what you do.
At my company, we tell employees that they are free to use computers for personal use on breaks, but we also tell them that we monitor usage and recommend that they not use our network for anything of a private or personal nature.
Re:They don't enforce snooping on everything (Score:4, Insightful)
They can handle it.
Let's go back in time to 1980, and pretend we're using the company phone to talk to a friend during lunch.
Do you think the company didn't know who you were communicating with?
Do you think they didn't have the ability to listen in without you knowing?
Of course they had those abilities, and some people did get fired over making personal calls.
Don't like the policy? There's a pay phone in the lobby.
Now, back to 2012. Calls are replaced with web and email.
Why the fuck should they change? It's their network, they get the ability to see who you are talking to and what you are saying. The pay phone was replaced with your smartphone, don't like their policy, use your own phone.
Stop whining about a perk. You get them on their terms.
Re: (Score:3)
np.. then I want to see equal protections from employer encroachment on employees when they're outside the office.. these days, most contracts try to take ownership of your 'off duty' output. to me, that's no different than using company resources for personal use.
Re: (Score:3)
not working is a false choice. at the moment, most employed people don't have a choice. they're lucky they have the job they have. employees deserve the same property rights protections for their time and intellectual output you claim their employers should have. This is what defines the difference between employee and slave.
Re:They don't enforce snooping on everything (Score:5, Insightful)
If personal use of company resources is a problem, it will show up in the employee's performance. If the employee's performance is not impacted, then why the fuck does it matter?
Do you think the company didn't know who you were communicating with?
Do you think they didn't have the ability to listen in without you knowing?
Of course they had those abilities, and some people did get fired over making personal calls.
I'm sure employers could, but I find it hard to believe that such routine monitoring would have been accepted for the above reasons. And were the employees fired because of the snooping on their phone calls, or because the employees became lax in their duties as a result of making personal phone calls? Actually, I'm not even sure how one could go about proving either side, since given the entire bloody planet I'm sure we could each find hundreds of cases to support our side.
Stop whining about a perk. You get them on their terms.
Careful, that's dangerously close to "you are not a starving kid in Africa, therefore you have no right to complain" thinking.
Re:They don't enforce snooping on everything (Score:5, Interesting)
No.
Fuck 'em if they can't handle the idea people have lives outside of work and sometimes need to deal with those lives.
Morally bankrupt employers who cannot handle the fact that their employees won't spend every second labouring deserve nothing more than contempt.
Which is still more respect than subservient scum like you should be shown.
At my employer, we don't really care if you're using Facebook or other "personal use" on your lunch break or occasionally during the day, but where we draw the line is excessive use or browsing porn because the company has a real liability if someone is browsing porn at their desk, and an employee sees it and makes claim for being in a 'hostile workplace'.
Also, we use simple heuristics to help prevent employees from inadvertently (or purposely) leaking confidential data (credit card numbers, SSN's, etc). While it won't stop a determined employee from taking the data with a USB stick (or encrypting it in a zip file), we've caught a few employees sending data to a personal email account so they can work on it from home. This too is a liability to the company since we're responsible for data breaches.
If you're using facebook for an hour a day, no one cares. But if you're using social networking sites for 6 hours/day, you're going to come under more scrutiny. Just like you'd come under scrutiny if you're a real estate agent spending hours/day talking to clients (which recently happened when a project manager was literally making over 4 hours of calls/day on a company phone, including during business hours and we found out he had a real estate business on the side)
No one is telling you that you can't post on your kid's facebook page during the day, just don't spend hours/day using facebook (and don't try to view adult content at work - hanging a racy picture on your office door will get you a visit with HR, as will having the same racy picture on your monitor)
We don't hide our monitoring policies, everyone signs a statement saying that they read and understand the policy. IT doesn't even look at the reports, they go straight to HR, and they are the ones that decide who is abusing the "incidental personal use" policy. Few companies of substantial size can afford to *not* do monitoring.
Call me a subservient scum if you want to, but if people could be trusted to not abuse personal internet use, we wouldn't have to monitor it. The vast majority of employees don't abuse it, but there's that small percentage that ruin it for everyone.
Re: (Score:3)
At my employer, we don't really care if you're using Facebook or other "personal use" on your lunch break or occasionally during the day, but where we draw the line is excessive use or browsing porn because the company has a real liability if someone is browsing porn at their desk, and an employee sees it and makes claim for being in a 'hostile workplace'.
Pffft... that's why I only browse tasteful but fully nude *art* while at work.
Re:They don't enforce snooping on everything (Score:5, Informative)
We're looking for the minority because those are the ones that are going to cost the company money. The legal costs in defending a single hostile workplace complaint suit can easily exceed the cost of the monitoring system, and the company faces even greater losses if they lose the suit. Workplace internet monitoring has become so commonplace that if we are not doing it, then that shows that we're not taking prudent measures to prevent abuse, making it harder to defend against a lawsuit. If you don't like it, then talk to your legislators and get a law passed prohibiting workplace internet monitoring *and* shielding employers from litigation based on improper internet use by employees.
Believe me, your IT department doesn't want to monitor your internet use anymore than you do, but we don't often get to say "no" to projects when it comes down to shielding the company from risk.
But nowadays, smartphones are so common and powerful that there's really no excuse for using your employer's network for anything private - I don't even check my personal email through work's network any more, I just read it on my phone. I don't want them to read it, so I keep my personal traffic off their network.
So rather than complain that the company is looking over your shoulder when you're using their computer and their network, just use your own.
Re:They don't enforce snooping on everything (Score:4, Insightful)
You are vastly confused here. There are many points conflated in your post.
1) Employer's policy about what is allowed using their resources
2) Employer's requirements about how much time you spend doing productive work
3) Monitoring employees' activities
4) Implementing a man-in-the-middle attack (transparent HTTPS)
The first three are off topic here - whether what you are doing is allowed or not doesn't matter. "Don't use your employer's network if you don't want them to watch what you do." I don't see how it could be any simpler. They provide the resources and a paycheck. If you don't like their policies, quit. If you can't quit, you're stuck.
If you have something pop up that will interrupt your work, you have to make that decision regardless of whether technology is involved. That's the part about having a life outside of work.
If you do decide you have to take care of it, and it involves an internet connection, don't expect that monitoring will be turned off. If you don't accept that risk, you have the traditional solutions. Call instead of using a website, ask for emergency time off, quit, or whatever else you can think of to avoid being snooped.
Re:They don't enforce snooping on everything (Score:5, Interesting)
I'm not sure it's as simple as you state.
The post deals with the fact that https, considered secure and private, is in fact, in the cited configuration, an open book. If you use a website for personal use, you have zero expectation of privacy of information that the employer can see or filter.
Your bank balance, your insurance information, what you bought with paypal, it's all revealed. Essentially, they see you through your clothes using a metaphor. They really don't have that right. It's sleazy, like putting a camera in the washroom or company showers.
Sure, you can decide not to use the company restroom. Or its showers. You can decide not to work there. But which of the two is reasonable? I posit that neither is. You have an expectation of privacy. Https and ssl/tls sites ought either to be white/blacklisted or the user allowed the courtesy and modesty of privacy. To not do so, IMHO, is both inhumane and immoral.
Re:They don't enforce snooping on everything (Score:4, Insightful)
too bad many employers don't show their employees the same respect when employees are on their own time with their own resources.
Perspectives (Score:5, Informative)
Considering that I actually do this (Internet filtering) for a living for a medium-sized company let me tell you why we do it.
Data leakage.
We're concerned about an employee either accidentally or maliciously transferring customer data or other sensitive data to an unauthorized party.
We're also acutely aware of the liabilities and sensitivities imposed by us breaking the SSL channel, inspecting the payload, and then re-encrypting it on our employees behalf, which is why we go out of the way NOT to break the chain for sites that are healthcare or financial related.
But your Gmail is fair game.
Re:Perspectives (Score:5, Insightful)
Data leakage can be done a myriad of other ways. And by the time you actually have analyzed the data (if anyone even looks at the reports after 2 weeks) the damage has already been done.
Re: (Score:3)
We have similar rules. However, not only is it fair game with us, accessing (or attempting to access, since most are blocked) personal email services, messaging services, logging into web forums, uploading files and a bunch of other risky stuff are grounds for immediate dismissal. We also monitor and store all emails, record random phone calls and other stuff, which all staff are made aware of when they join the company.
This is 100% for data leakage, we don't really care if your sister is having an affair and
Re:Perspectives (Score:5, Insightful)
I hope you are not doing this in the UK... It's a breach of both the Data Protection Act and the Human Rights Act.
And whilst we (I work for a very large bank in the UK) block email and (lots of) other sites, just accessing (or attempting to) would not be an HR matter. E.g. we block YouTube, and the number of IT sites that include embedded links to videos (that are then blocked by the proxy server) is insane. It's hardly someone's fault that it "looks like" they were trying to access a blocked site, when they didn't even know it was embedded in the webpage they meant to access. Same goes for Twitter links, Facebook like links etc.
We are strongly regulated and log lots of things, but I would be concerned by your words of things like "fair game" etc. If it was found that IT (or anyone) looked through a users web history, or emails / phone calls etc without permission from HR, Legal and Director level management, that person would be handed over on a plate to the police.
Re:Perspectives (Score:4, Insightful)
Yup, as Lar's said, it's a criminal act (snooping on people's private communications is not allowed. RIPA and the Computer Misuse Act would be the first two that come to mind).
I've seen what happened when a (non-IT) user put a keyboard logger (one of those hardwired plug in ones) into a managers keyboard to capture her password, then try and use her access to authorize a 20k loan payment. Police + FSA = Carnage. Marched out in hand-cuffs...
Re: (Score:3)
It gets modded up because it doesn't *matter* what your company policy says on this matter as it *cannot* trump the *law*. If company policy said that you would consent to being incarcerated, flogged or executed at their discretion that wouldn't be legally valid either.
Some of us live in countries that *do* have laws pertaining to privacy etc. That you don't live in a likewise enlightened nation, isn't our fault.
Re:Perspectives (Score:4, Informative)
I can't speak for Gellenburg, but you should not be sending emails in the first place.
Email is:
1) Freaking horrible for data transfer. It was quite simply not designed for it. Everything has to be base64 encoded (blows up file size) and jammed into the message itself. It should be a file manifest and separate connections made once the message is approved for delivery/routing, but alas, email is very old.
2) Not designed for security in the first place. Far too open by default in that you can send to anyone.
3) No authentication is really possible of the recipient.
4) No reliable standards for delivery and presentation.
It is much better to bring the customer to you via a secured web portal. USAA is a good example. They refused, and were not even capable, of emailing me or faxing me anything sensitive. If I needed something it was provided as a downloadable document that I could retrieve on demand.
It is the job of IT to block your ability to send sensitive information via email, but it is also their job to provide you with tools to do yours. Your concern about a time crunch should have been a non-issue.
Re: expectations of privacy at work (Score:3)
There's quite a big difference between "covers most of the exits" and "completely worthless".
First off, physical security is entirely beyond the scope of the OP's problem. If you want to secure your digital assets, you are going to require both an electronic and a physical policy because data can take either shape when leaving the building. The limitations of one side really have no bearing
Re:Perspectives (Score:5, Funny)
I had no problem working there, because it was all justified. I also would definitely quit a company if I found out they were running an SSL proxy without telling this upfront. I also might quit a company which is upfront about it but doesn't have a proper justification for measures like that.
Security also is a compromise. Most companies don't need that sort of security, they just need protection against stupid people doing stupid things. Depending on what you're trying to accomplish and what you're protecting an SSL proxy can be the right thing to do. But indeed, you shouldn't believe it will protect you against every possible data leak.
Re: (Score:3)
Do you also block SSH traffic and other data that looks like it has already been encrypted through some software (a Java applet, if users are not allowed to install their own software)? Just curious.
Re: (Score:3)
ssh doesn't work to external locations from my workplace but curiously, there is no restriction on DNS traffic ;)
Re: (Score:3)
We decrypt SSH as well. Our equipment will actually go up to several tunnels deep. Yes you do get hostkey warnings.
Re:Perspectives (Score:5, Insightful)
I think the important point to take home is that while there are ways to get around these transparent proxies that they cannot ultimately defeat, it is surely going to be logged and likely set off an alarm bell somewhere that you're tunneling garbage or seemingly-random data. Ultimately, the result of a proxied SSL session should be lots of recognizable text, maybe some graphics, and possibly email attachments. If what they see is something else, then it's clear someone is trying to rig the system.
You're on company property using their resources, they're free to kick you out once they see you're trying to hide information from them.
Of course, if the point is to STOP all leaks, then obviously they cannot do that as your method would allow you to leak information before you can be stopped. But you will be flagged.
Re: (Score:3)
Not sure how you are doing it, but we do the SSL negotiation with the remote peer first, then use the information from their certificate to generate and sign a CSR on the fly from our CA. No need for wildcards.
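The two posts above (the one explaining that the proxy "generates server certs real-time" and this one describing the negotiate-first, then mint-from-the-origin-certificate sequence) describe the same step. The code below is an added example of that step, not code from the thread or from any proxy product, and it needs the third-party `cryptography` package. A constructed self-signed certificate plays the role of the origin server's certificate; `mint_leaf()` copies its subject and SubjectAltName onto a new key and signs the result with the proxy CA, which is exactly what makes the browser's padlock stay green once that CA is in the trust store. The CA name "Example Corp Web Proxy CA" and the hostnames are assumptions for the example.

```python
"""Mint a leaf certificate on the fly the way an intercepting proxy does.

Requires the `cryptography` package. The origin certificate here is a
constructed stand-in generated locally; a real proxy would take it from the
TLS handshake it has just completed with the remote site.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _builder(subject, issuer, pubkey, days):
    """Common validity and serial handling for every certificate built here."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer)
            .public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days)))


def make_proxy_ca(name="Example Corp Web Proxy CA"):
    """Self-signed CA: the object that gets pushed into every workstation's root store."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (_builder(subject, subject, key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=False, content_commitment=False,
                key_encipherment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=True, crl_sign=True,
                encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_origin_cert(hostnames):
    """Constructed stand-in for the certificate the real site presents upstream."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostnames[0])])
    return (_builder(subject, subject, key.public_key(), 90)
            .add_extension(x509.SubjectAlternativeName(
                [x509.DNSName(h) for h in hostnames]), critical=False)
            .sign(key, hashes.SHA256()))


def mint_leaf(ca_key, ca_cert, origin_cert):
    """The on-the-fly step: origin's names, proxy's fresh key, proxy CA's signature.

    Validity is deliberately short (one day); the proxy can re-mint on every
    new connection, so there is no reason to hand out long-lived forgeries.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    b = _builder(origin_cert.subject, ca_cert.subject, key.public_key(), 1)
    try:
        san = origin_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        b = b.add_extension(san, critical=False)  # copy SANs verbatim, no wildcards needed
    except x509.ExtensionNotFound:
        pass
    b = (b.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
          .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False))
    return key, b.sign(ca_key, hashes.SHA256())


def dns_names(cert):
    """DNS entries of the SubjectAltName extension, or [] when there is none."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        return san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        return []


def signed_by(cert, ca_cert) -> bool:
    """The chain link a browser checks: does the CA's key verify the leaf signature?"""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    ca_key, ca_cert = make_proxy_ca()
    origin = make_origin_cert(["www.example.com", "example.com"])
    _, leaf = mint_leaf(ca_key, ca_cert, origin)
    print(leaf.subject.rfc4514_string(), dns_names(leaf), signed_by(leaf, ca_cert))
```

Note what the minted certificate does not carry: the origin's public key. The client's session is keyed to the proxy, and the origin's real certificate is only ever seen by the proxy, which is why the proxy's own validation of that upstream certificate (chain, hostname, revocation) now stands in for the browser's.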
That's no excuse (Score:3)
With all due respect, data leakage is a piss-poor excuse to spy on people without their knowledge. These devices and policies work not just to snoop on SSL traffic, but to hide that fact from people browsing SSL-protected sites. I'm sorry, but that's pretty damn scummy and something that is on the level of criminal behavior.
Personally, I think that transparent SSL interception should be illegal. The transparent aspect of it means that you're not just interested in data leakage, but in surreptitiously sno
Re: (Score:3)
For my Company, we're looking for patterns indicative of SSNs, credit card numbers, and certain keywords such as "confidential", "proprietary", or other keywords that refer to sensitive internal projects or other sensitive company information.
And Googling for information isn't "data leakage", because your activity is bringing information INTO the company (from the results of your Google search) so we don't care a lot about that.
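The inspection this post describes (patterns for SSNs and card numbers plus sensitivity keywords) and the point made earlier in the thread, that tunnelled or pre-encrypted data inside a decrypted session shows up as "seemingly-random data" rather than recognisable text, are two outputs of the same content-inspection pass. The code below is an added example of that pass, written for this page and not taken from any product or from the posters. It uses only the Python standard library; the keyword list, the entropy threshold and the sample payload are constructed for the example (the card number 4111 1111 1111 1111 is a well-known test number that passes the Luhn check, and 4111 1111 1111 1112 is its one-digit-off sibling that does not).

```python
"""Content inspection over plaintext recovered by a decrypting proxy.

Finds primary account numbers (format plus Luhn check), US SSN formats and
sensitivity keywords, and scores byte entropy so that tunnels and
pre-encrypted blobs stand out from ordinary web traffic.
"""
import math
import re
from collections import Counter

KEYWORDS = ("confidential", "proprietary", "internal use only")  # assumed list
ENTROPY_THRESHOLD = 7.5  # bits/byte; English text sits around 4.5, ciphertext near 8.0

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Constructed sample payload, as a proxy would see it after decryption.
SAMPLE = (
    "Subject: Q3 forecast - CONFIDENTIAL\n"
    "Card on file: 4111 1111 1111 1111 (test number), not 4111 1111 1111 1112\n"
    "Employee SSN 123-45-6789; ticket 000-12-3456 is a form code, not an SSN\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    """SSN shape, minus area/group/serial values the SSA never issues."""
    found = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area.startswith("9") or group == "00" or serial == "0000":
            continue
        found.append(m.group())
    return found


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_payload(payload) -> dict:
    """Run every detector over one decrypted request or response body."""
    data = payload.encode("utf-8") if isinstance(payload, str) else bytes(payload)
    text = data.decode("utf-8", errors="replace")
    entropy = shannon_entropy(data)
    return {
        "pans": find_pans(text),
        "ssns": find_ssns(text),
        "keywords": [k for k in KEYWORDS if k in text.lower()],
        "entropy": round(entropy, 3),
        "high_entropy": entropy >= ENTROPY_THRESHOLD,
    }


if __name__ == "__main__":
    print(inspect_payload(SAMPLE))
    print(inspect_payload(bytes(range(256)) * 16))  # looks like a tunnel, not a web page
```

The entropy score is the piece that catches what the pattern matchers cannot: an SSH session or an encrypted archive riding inside the decrypted HTTPS stream yields nothing for the regexes but scores near 8 bits per byte, which is the "tunneling garbage" the earlier post said would set off an alarm. Compressed images and video also score high, so in practice the threshold is applied per content type rather than blindly.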
Re: (Score:3, Insightful)
There is NO expectation of privacy on a private network.
Re:Perspectives (Score:5, Insightful)
Bullshit. There are laws against companies doing things like installing hidden cameras in the employee restrooms. This is the technological equivalent and should be just as illegal. I don't mind monitoring data flow. Although I think blocking things such as Gmail is stupid, at least the company is being up front about what they're doing.
But transparent SSL interception is deliberately posing to someone that they are communicating via a private channel when in fact they are not. It's just as egregious as telling employees, "You can change clothes in here, there aren't any cameras," when in fact there are and they're recording. It should be illegal, period.
This is the shit that criminals do, and any company that engages in this behavior should be thought of exactly in that light.
Re: (Score:3)
Not saying I disagree with anything you've written, but the courts have stated an employee has an implicit expectation of privacy while reading their blackberry sitting on the toilet.
However, they have none while they're surfing the net.
There is a distinct difference between an employer installing a video camera in the bathrooms and installing technical controls to fulfill their fiduciary and regulatory responsibilities to protect their trade secrets and other company data.
Re:Perspectives (Score:5, Interesting)
LOL. We're not injecting anything.
We've got a Microsoft Enterprise PKI.
Our own Root CA, Policy CA, and Issuing CA.
All of the machines that are joined to our domain are company-owned workstations and servers.
The Local & Personal Certificate Stores are controlled through Group Policy.
All of our workstations have our internal root certificate already on the machines, and all of our workstations and servers explicitly trust our root certificate.
Again: Our stuff. Our network. Our data. You have no privacy.
If employees stopped conducting themselves like they thought they had privacy while they were surfing the net while they were at work they wouldn't be so shocked and amazed when they find out they have none.
Re:Perspectives (Score:4, Insightful)
So I'll ask yet again, why are you so averse to the warning that the SSL connection that the employees are using isn't secure?
Our stuff. Our network. Our data. You have no privacy
Again, with the "Our building. Our restroom. Our cameras. You have no privacy." rationale, apparently.
Re: (Score:3, Interesting)
Even the Department of Defense is not as fascist as you/your company. Just wow.
People on US Military networks do have an expectation of privacy. Go poking through someone's email sometime without law enforcement and a ranking officer in the chain of command and see how much time you spend in prison for that. Well, you might not go to prison, depending on the situation, but you will be in a serious world of hurt.
It is the same with files on shares. (There are exceptions for seeing private data in the course
Re:Perspectives (Score:5, Interesting)
sigh... *whoosh!* There goes the point, right over your head. Let me try yet again.
By taking deliberate measures to thwart browsers from popping up warnings that an encrypted communications channel is compromised, companies that use transparent SSL interception techniques are misrepresenting to you that you are on a secure communications channel when in effect you are not.
Or put another way, it's settled law that the company owns all equipment in its buildings, rooms, cameras, etc, at least in the USA. Yet if they install said cameras secretly in the restroom, they can and have been successfully sued for breach of privacy. Your employer does not have unmitigated rights to monitor you. If you're using an open communication channel, that's one thing. But if they are misrepresenting a secured channel (i.e. an HTTPS connection) to you when they are actually spying on you, that's an entirely different matter.
Argue the "no expectation of privacy" argument all you want, but the HTTPS protocol carries an inherent expectation of privacy. If it didn't, banks and other financial institutions wouldn't use it, duh. Taking steps to transparently thwart it is the technological equivalent of installing cameras in a restroom.
And no, it is not settled law, unless you can point to cases that have been fought about SSL interception.
Re: (Score:3)
The owner of the equipment says it's OK, the user is an employee with no right to privacy on the employers' machine.
Zoals de waard is, vertrouwt hij zijn gasten (Score:5, Informative)
In Dutch we have a saying roughly translated to: He who distrusts others is probably untrustworthy.
Re: (Score:3)
You work for the TSA I assume?
Don't do personal stuff requiring privacy at work (Score:3)
Do it at home, on your own equipment like the rest of us.
No worse than key loggers (Score:5, Insightful)
I just avoid doing banking or sensitive transactions on computers that aren't administered by myself or someone that I trust.
Don't work there (Score:3, Insightful)
If they don't trust you, you shouldn't trust them. If they're trying to snoop on you for whatever reason, they think you're a criminal. Would you work for the RIAA? Would you work for a boss who every time you come in he says "you're a criminal" and then proceeds to look over your shoulder all day? No and you shouldn't accept such behavior from employers.
Leave your job, no. Do your job, yes. (Score:3, Insightful)
There are various reasons why you should not be using your employers computers for personal use. One is that you are using company resources for non-business purposes. And that is something that you don't do unless you have your boss' blessing.
Bring your own network to work (Score:3, Informative)
Just do your banking over your phone's carrier network. Your employer can't go there (can they?)
Control of egress (Score:4, Informative)
You can't be secure unless you control your egress. If you just let https streams go anywhere with no visibility into their content, you might as well just set the firewall to allow all outbound connections. If there is ANY concern about information as an asset, you must intercept and decrypt https.
Your company more than likely has a policy that any use of their equipment is supposed to be for job related purposes, I don't think regular employees should have any expectation you are not watching everything they do on the PC provided by the company.
Usually the certificates are pushed through group policy, anyone else who shows up with their own device or other companies property will get a certificate warning, if they look at the certificate its going to show it was signed by your company. They can make an informed decision about what they want to do knowing they are being watched. So I don't see a problem there.
One thing that gets over looked with SSL intercept is YOU become responsible for the forward authentication and encryption between your proxy since the client now has no opportunity to verify the certificate itself. So you HAD BETTER BE DOING revocation checks and making sure the proxy has a sane list of trusted roots, and serve clients some kinda error page if you can't trust the certificate.
Don't quit you job. Deal with the fact that with all the spy ware and things like flame going on this is what business must do to protect themselves. Do you banking/medical correspondence/etc at home.
Man-In-The-Middle Attack, let's call it what it is (Score:3, Informative)
I ran into this with a customer of one of my clients recently. The insurance company was using a setup from Websense to snoop on all HTTPS traffic. As best as I could tell, they were snooping ALL traffic (banking, healthcare included), not just "safe" sites.
Surely this breaks privacy laws in numerous instances. HIPAA? Banking laws? Shoot, there's a federal law that could make snooping in on your Netflix traffic (video rentals) illegal. Ironically, if SOPA/PIPA had passed, HTTPS snooping would have been legal.
As for the moral aspect of this, and all the people that say "you shouldn't do personal stuff at work," a few points to keep in mind. 1) Only the IT staff at this company knew what was going on. No one outside the IT department could find any reference, or notification. 2) This was REQUIRED on all home PCs that utilized their VPN network (kinda shoots down doing your home stuff at home). 3) From what I was told by their IT staff (remember I was a 3rd party, trying to get our network connections to work), the IT staff regularly "audited" HTTPS traffic. That means someone in-house was regularly looking at bank account information, and health care information of their fellow employees, and they weren't making this known to the general population within the company.
I tried to get some mainstream press attention on this topic a while back. No one would bite.
You're not important enough to matter (Score:4, Insightful)
Now, you should still use https at home because maybe some bigger criminal enterprises could make use of unprotected CC numbers or something (assuming they haven't already pwned your box) - but as far as your employer is concerned, there is nothing to fear from an https transparent proxy.
Re:You have no right to privacy at work (Score:5, Insightful)
You have zero expectation of privacy at work.
Since about 8 million people have said this now, I think the counterpoint needs to be stated.
You are correct, it IS their network and their rules, but that doesn't mean that it's a good idea for them to be a dick about it. I've worked for several large (over 100,000 employee) companies, and several medium sized (1000-5000) companies, and in every case, it was made clear that we were explicitly permitted to use work computers for minor or occasional personal use such as banking or email, but were expected not to abuse the privilege.
IT and programming type jobs are creative in nature. Sometimes it helps to walk away from a difficult problem for a few minutes to let your mind clear. It was always expected that you get your job done, but trying to enforce that every single moment you're sitting there you must also be working is just crazy. That's not how people are. It's much better to build an environment of mutual respect. That was understood in every job I've held.
Now, if you sit around for hours a day surfing the web, yeah, that's a problem and needs to be dealt with by your management. But if you log into some account to check your 401K for 5 minutes once a day? Getting all up in your face about that is going to be counterproductive; it'll make employees unhappy, and in being unhappy, they will be less productive and more inclined to get up in the company's face.
So you're technically right, but in any sense of wisely running a company, you're not. But of course, many companies are not run wisely...
Re: (Score:3)
You don't need to decrypt HTTPS sessions to find out if someone is using the internet for non-work purposes.
Also I most definitely do have an expectation of privacy for any HTTPS session. If a company doesn't expressly state this in a big warning page, or at the front of their IT policy in bold then they could be open to liability. No reasonable person expects someone to do a MITM attack on you as normal business practice which could allow some pimpled intern in IT to see your banking passwords.
Re:You have no right to privacy at work (Score:4, Insightful)
You have zero expectation of privacy at work.
The fact that people like you keep having to repeat this shows it isn't true. People do have an expectation of privacy at work, whether or not you think they should. I'm sure even you expect some level of privacy. Or do you just assume that your employer is filming you while you use the toilet?
Re:Expensive (Score:4, Informative)
use your phone as a local wifi hotspot
This would require me to subscribe to a plan with tethering, which is still luxury-priced in the United States market.
No, it just requires that you root your android device.
Re:Don't do personal shit at work (Score:4, Insightful)
No... it is entirely reasonable not to do anything personal on the company's network.
Just because the Internet made it easier to do online banking, does not mean you can do it on company time and resources. People used to take time to handle their personal affairs, and it was not even possible to do so at work. A change in technology does not make it more ethical to abuse company time and resources.
Security is also a concern.
I also have a proxy running at every branch office and very strict enforcement of company policies. Using company resources for personal reasons is grounds for dismissal. No Facebook, No Twitter, No Banking, No Pandora, No anything. The proxy has a whitelist, and if it is required to access something not on the whitelist, a request is made to a supervisor and it goes up the chain.
While I am very strict, and record all access to customer data, block USB ports, etc., I do allow employees to connect their phones and tablets to a separate wireless network. This allows them to still have their crack-addict fix for Facebook, and to isolate themselves with Pandora/Slacker.
Nobody deserves to have the Internet at their fingertips, provided by the company, as some sort of fundamental human right. Even if it were so, nothing says that it should not be separate and kept away from company equipment.
Security Overkill? Ask somebody who has had their private medical data, or financial data, or whatever let loose in the wild and see if they really wanted our employees to run freakin wild with the new naive and idealistic BYOD utopian fantasy.
If you think about it.... why does it have to be company equipment and company networks? Just about everybody has a smartphone or tablet on them now with access to their own bandwidth that they pay for. It does not have to be the private corporate network as if that was the only solution available.
"Reasonable". Really. What I find curious is the incredible sense of entitlement that some employees have about 24/7/365 Internet access and how any kind of impediment to its use is akin to genocide. Never mind the fact that they are being paid to work and not being paid to spend 10 minutes out of every hour checking Facebook and Twitter.
You wonder where the work ethic has gone in this country.
Before I get accused of being some sort of security fascist, remember that I am providing a completely separate connection for their personal devices and only ask that they restrict all personal needs to said devices.
Re:Don't do personal shit at work (Score:4, Insightful)
While I think your policy is pretty sensible (all anyone can ask for, really) the reason people work on company time is usually one of the following:
- you have to work in your spare time, unpaid, to read and review stuff for a hot project. This cuts both ways. People take work home, and home to work.
- you hate your job. Going on the internet is a warning sign that you need to find another challenge either within or outside the company or you may have issues with your boss. A smart company will figure out if this is the case and try to find something else to do for either the boss or the person involved.
- you have to work hours that make it impossible to conduct business from home. You compensate by doing stuff like this during lunch.
Of course you may have an occasional saboteur but IMO, most times it's something like this. And if you find people doing this, management should take a good look at who's to blame: are they driving their workers into doing this? In that case firing someone will not solve the issue, just make sure the workplace climate becomes even worse.
Re:Don't do personal shit at work (Score:5, Interesting)
Workplace climates are already going downhill faster and faster.
Please don't get me wrong, I am not supporting asshole companies sucking the life out of employees by paying them less and less, expecting more and more sacrifices, all while siphoning the money away for rich, useless, fucking wastes of space that are the upper executives in most very large companies. Boy have I known some.....
You should be able to have a balanced life and not need to conduct personal affairs at work.
As the CTO, I need to balance so many things. In this instance all I am trying to balance is security versus usability. I need to take very strong measures to prevent data leakage and be aware of it at least after the fact.
That's why I offer paths of least resistance. It's about the wisest thing I do, or at least I think I do. Personally, I don't care what you do at your desk. It's your responsibility to get your tasks done in the time allotted. All I want is for you to not destroy the company while you goof off, and sometimes goofing off for a minute or two can increase productivity and morale (my opinion). In any case, not my job to be the warden.
Normal people lack the sophistication to truly understand, and avoid, the dangers in the world we live in as far as technology is concerned. Hence, the path of least resistance. I make them use their own devices and prevent them from being able to connect to company equipment. Super glue in the USB socket is very effective, but so is disabling it in the OS, which allows them to still use it to charge stuff.
As far as spare time and unpaid work (there should never be such a thing), that is unfortunately not possible with some industries. I simply cannot allow regular employees to take work home, or have unfettered remote access. Some executives have it, because it is not possible to deny them, but it is very vulnerable. I have already had to chastise somebody for using company equipment for porn. Thankfully, I had support from higher up.
I have to be this vigilant. Failure on my part can mean tens of thousands of customers (possibly much higher) hurt because of loss of data. Worse, if it is private and sensitive medical records. I would hope that the CTO of any other company was protecting my data just as well.
Re: (Score:3, Insightful)
Spending 10 minutes of every hour on Facebook probably makes them more productive workers as a whole; the attitude that you have to be working every second from clocking in to clocking out is not only extremely selfish, but also completely stupid since it's bad for the company too.
Re: (Score:3)
Possibly makes them more productive.
I'm not opposed to taking breaks every once in a while, but lately I have been running into people that... well... act like addicts.
I watch them. It's more like 25 minutes out of every 60 since they are literally switching to Facebook and Twitter every minute to see if something has changed.
Like rodents constantly hitting the pedal to get a treat or something.
It may be some form of cognitive dissonance that allows them to see wasting that much time communicating with thei
Re:Don't do personal shit at work (Score:5, Insightful)
LOL.
This is what I mean by unreasonable entitled douchebags. You prove my point.
What is so wrong about protecting the network from data leakage, AND GIVING YOU UNGRATEFUL BASTARDS A WHOLLY SEPARATE INTERNET CONNECTION TO CONDUCT YOUR PERSONAL AFFAIRS ON YOUR OWN DEVICES ?
It's amazing that my simple request to not do it in a web browser on the same company equipment that has access to customer data is seen as proof of my unholy alliance with corporate america and Satan.
Re: (Score:3)
If your data security is that important, then utilise physically separate networks and workstations with an air gap.
1) Every company's data is that important. Unless you are telling me that you will condone a small amount of your personal details leaking as long as it facilitates an easier work environment for those employees? You willing to put up your financial data?
2) You're not seriously suggesting two workstations for each employee to allow them personal use on one of them?
Not every employer has a guest wireless. Not every employee has the means to use it.
Not my problem. I do provide it. It is not unreasonably expensive either. DD-WRT has guest network capability which can be used on commodity
Re:Don't do personal shit at work (Score:5, Insightful)
60+ hour work weeks.
Re:Don't do personal shit at work (Score:4, Insightful)
"60+ hour work weeks." should provide ample money to use other connectivity options.
Re: (Score:3)
Re:Don't do personal shit at work (Score:5, Interesting)
Because work keeps expanding to take up personal time, it's the only way for employees to claw some of it back.
Re:Don't do personal shit at work (Score:5, Insightful)
it is COMPLETELY reasonable to not do anything personal on the internet while you're at work
It is also completely reasonable to not do anything work-related on your own time. Or during your lunch break. But in order to be explicit maybe it's a good idea to also specify the exact amount and duration of toilet breaks. Wouldn't want to anger our corporate overlords, now would we?
Or, alternatively, all parties concerned behave like adults. The boss only calls after hours if it is really important and trusts the employee not to goof off all the time, and in return the employee enjoys a modicum of trust and freedom without going too far.
Re:Don't do personal shit at work (Score:5, Insightful)
We have someone at work that takes 30 minutes (no exaggeration) to wash her hands both before and after using the toilet. This person will then call the tech department because she is not competent enough at her job of 20+ years to handle FTP uploads.
I'm not sure how that's relevant to this article, but just because someone can't use FTP doesn't make them useless. Our payroll supervisor calls IT for help to do her rare FTP transfers, yet she's very good at her job. When we were looking at a new payroll system, during the demo (and her first exposure to the system), she pointed out that their tax calculations were wrong. The company argued that it was not, but 90 minutes later after a conference call with a payroll specialist and engineer at the company, they found out that they had indeed set up their test system incorrectly, but no one ever noticed.
FTP isn't a critical job skill for many positions, and even though it's trivial for many Slashdot readers, it's not always trivial to the rest of the world. (i.e. "Why can't I use FTPS, the website says I need sFTP, isn't that the same?" "How do I use Passive mode?" "Binary mode - what's that?")
Re:Don't do personal shit at work (Score:5, Insightful)
seriously, the sense of entitlement is a little annoying
I know, right. It drives me crazy that the company thinks it's entitled to encroach on my personal time. My boss calls me at home on my day off... who the fuck does he think he is? Or expects me to reply to an email or check voice messages?
And that policy of showing up 10 minutes early? If they want the day to start 10 minutes early then they can pay me for that 10 minutes, and at overtime rates to boot.
Seriously, the sense of entitlement some companies have is a little annoying.
If I'm expected to deal with their shit on my time, they can accommodate me dealing with some of my shit on their time.
Mutual respect is where it's at.
Re: (Score:3)
Mutual respect is where it's at.
At least where I'm from, employment is an at-will contract.
That means that if at any time, either party finds the contract (your employment) to be unbearable, onerous, or undesirable, they can terminate it. That is, your boss can terminate you if he decides that he can get better value out of someone who WILL work longer hours, and you are free to tell him to take the job and shove it if you think you can get better treatment elsewhere.
I'd agree with the respect thing, but again: start looking for another j
Re:Don't do personal shit at work (Score:5, Interesting)
> Many employers have figured out how to intercept HTTPS connections and decode their content.
>If you don't want your employer knowing all your secret information, such as account numbers, login ids, passwords, etc., you should never type any of these things on a work machine.
Or employers should be following the Electronic Data Rights and Privacy Acts, which prohibit them from viewing or using such information?
Re:Don't do personal shit at work (Score:4, Insightful)
Hm, I guess times have changed. 15 years ago employing people was regarded as a two-way street, you give us your time and skills to further the company business, and in exchange we give you a salary plus benefits. Benefits included fringy stuff such as "hey we're paying for unlimited long-distance already so feel free to call your mom after hours," "we got color scanners and photocopiers so feel free to scan in your kid's drawing and send it to relatives..."
But even in today's robotic world, you'd think companies would encourage employees to bank, shop, and carry personal communications online from their work computers. The alternative is that employees would take longer breaks to find a way to do the same thing using external devices.
Re:Don't do personal shit at work (Score:5, Insightful)
why are you banking, shopping, or correspondence at work?
The same reason you would expect a reasonable employer to let you see a dentist or take care of other personal things in a timely fashion. Basic respect.
I can understand how it would be unreasonable for people clocking out from the factory at 5:01 to expect anything beyond scheduled breaks. But for those of us with important, creative jobs, putting in over 60 hours every week, it's pretty heinous to expect us to save our personal lives entirely until we get home at 8:30. Considering that we go the extra mile in IT so often, it would be a little demeaning to treat us like we can't be responsible and reasonable with our Internet use. (Although we've all worked those shops.)
Re: (Score:3)
That's your problem right there. Instead of spending an extra 2 hours a day at work, and also expecting to do 2 hours of personal stuff at work, people with "important" jobs should just go home at 5pm sharp and do their shopping and banking at home.
It's more like an hour of personal stuff and three extra hours of work (including work from home), but you're quite right on the point of reclaiming our personal lives. I'm not sure why we put up with it.
Re:Don't do personal shit at work (Score:4, Funny)
I know what you mean. Personally, I'm disgusted that my decadent coworkers don't even understand how fortunate they are that our glorious <strike>Lord</strike>employer even has running water at work, let alone allows them such outrageous luxuries as furniture and air conditioning.
The sense of entitlement in the modern worker is out of control. I've heard some of them believe they should be provided not only toilets, but toilet paper, without any stipend being taken from their wage at all !
Re: (Score:3)
Re:Don't do personal shit at work (Score:4, Insightful)
Re:Don't do personal shit at work (Score:4, Interesting)
Two words for the non-smoker: Cigarette Break
Two words for anyone: Think Break. "I need a few minutes to study these drawings and specs uninterrupted. I'll be back in thirty." Then head for Starbucks, taking your personal laptop (or whatever). With all the noise and kerfuffle and goofing off and bosses or cow-orkers sticking their noses in all the time in a cubicle farm, this is a necessary part of getting anything done.
Don't you dare tell me "that's not working." Better yet, write it on a yellow sticky, then just leave. And stretch it out to forty-five, at least.
Of course, this assumes you can turn in results, and not just goof off.
They expect you to be "part of the team" (Score:4)
Re: (Score:3)
It's their network, they can make any rule they want.
Not necessarily. Doing this sort of thing can run afoul of laws in many jurisdictions, as employees often have some expectation of privacy. What they could do just fine is just block HTTPS to non-whitelisted sites from their network; that would be far simpler to implement, and wouldn't run the risk of hitting privacy laws (or employment protection laws, or any number of things that might be communicated privately).
Ultimately though, the approach in TFA smacks of a company that doesn't understand that they n
Re:Trusting them as root CA doesnt mean that... (Score:5, Informative)
I'd suggest you look up Man in the Middle attacks (because that's what this is)...
Your browser will /think/ it is connecting to www.securesite.com but it's actually connecting to www.companyproxy.com which has issued a (fake / self generated on the fly) certificate for securesite.com and the proxy server then connects itself to the site you were originally attempting to access.
So you think it's
You ==> Secure Site
but it's actually
You (encrypted to) ==> Proxy ==> Secure Site.
No need for the other endpoint's private key at all.
MITM attacks... Google it!
Re: (Score:3)
Re: (Score:3)
I had a shithead boss once that actually just laid into me one morning while surrounded by 10 co-workers about being late 5 minutes to the office. Never mind the fact that I was salary and had been up supporting our China facility until 3AM.
I sat there completely stunned for a second. Walked over to him and handed him my laptop and badge and walked out the door.
Now if I was a clock puncher that is another story yes I should not be late.