20

In my company I do use my computer for private things like online banking and personal email during lunch time.

I've always thought that when Firefox shows me the green lock symbol that a valid HTTPS connection has been established and no one can eavesdrop. I've now heard that HTTPS inspection can compromise this.

Actually I have two questions:

  1. Is my understanding correct, that for HTTPS inspection my company would deploy Firefox with a "faked" security certificate so it can pretend to be the site that I actually wanted to reach and conduct a man-in-the-middle attack?
  2. How can I detect whether my connection is snooped on?

My company uses the Forefront TMG as I can tell by a tray icon in Windows 10.

Thanks a lot in advance!

Perry Quint
  • Great question. I can't answer if it's possible, but I'd strongly suggest you use an external server and set up an SSH tunnel to it if you're allowed to. – Rápli András Apr 03 '16 at 09:27

4 Answers

15

If your company owns and manages your computer, they have following options to inspect your HTTPS connections:

  1. Adding their certification authority to the operating system/browser trusted certificate store. This will allow them to generate valid certificates on the proxy for any website you are connecting to. Furthermore, they are even able to turn off certificate preload lists in the browser, thus allowing a “known good” certificate to be substituted with a spoofed one.
  2. They may install software on your PC to monitor all filesystem and network activity, including HTTPS connections. There are a lot of data loss prevention (DLP) software vendors who offer such functionality. It may operate in silent mode, completely invisible to the user. This software is surprisingly common within enterprises.

Connection snooping on a proxy server is relatively easy to detect. The website certificate presented to you by the proxy will differ from the one you get when opening the site from home or even from a mobile device. If the public keys and certificate fingerprints of the aforementioned certificates don’t match, then there is almost certainly connection snooping happening (there are sometimes valid reasons for this mismatch, so it is a good idea to check the whole certificate chain the same way in this case).

If the company uses endpoint software to watch employee activities, then detecting this becomes harder, especially if you don’t have administrator privileges. If it is not running in silent mode, you can look up the list of running processes, the system tray or the list of installed programs to see if there are some odd/unknown programs listed (and then search their names online). In the case of silent-mode operation, detecting it will probably require kernel debugging/rootkit detection skills (or asking a sysadmin).

Artem Bychkov
  • You can always check the whole certificate chain, mainly whether the root certificate is an external certificate authority or an arbitrary enterprise root certificate. Most companies - even when 'snooping' legally (in most countries it is illegal) - publish their monitoring policies. – gusto2 Apr 05 '16 at 21:00
2

There are a couple of interesting things to look at. Firstly, just look at the cert - it will not come from a well-known Certificate Authority. This is visible (Firefox, Windows) by clicking the arrow on the right once you click the green padlock. E.g. Facebook says "DigiCert".

Once you have seen one or two certs generated by TMG you will identify them with ease.

The second thing to note is that some sites are hard to MiTM due to "certificate pinning". This depends on the browser having preloaded a certificate, and it won't accept a "fake". Not really sensible for every site on the internet - but Google, Twitter and a few others do it. Chrome doesn't pin for local CAs, to allow "corporate" MITM but still prevent compromised CAs. Firefox has a setting to determine what to allow.

To be honest - these browser defences are not very useful against corporate MiTM, because if your browser refuses to take a forged cert, you will get blocked from the site anyway.

Most "good" web filters (and some bad ones) allow the administrator to exclude some sites from MiTM. For example, Smoothwall comes with defaults that exclude online banking for privacy reasons. Other sites may be excluded because they don't play nice with MiTM.

My advice is to talk to your admin. If they don't want to turn off MiTM for banking, I think that's pretty unreasonable (in my view as an ex-employee of a web filter company). Either they want to let you do your banking, or they don't. It's not something where malware is likely to leak in, or users are likely to abuse. Facebook and personal email, on the other hand, are greyer areas.

Last thing to mention: in order to get a "block page" on an HTTPS site (even one blocked by domain) it is necessary to MiTM, so you may see some MiTM and wonder why that's happened if they were going to block the page anyway - it's because the alternative would be a less informative browser error.

Tom Newton
1

To answer your questions,

  1. Yes - that is exactly how the company manages to get that "green lock".

    This may differ for other browsers, though. Some, like Firefox, use their own trust store and some, like Chrome, use that of the operating system. So the exact installation location of the certificate might be what you err on.

    Generally, yes, that's how it works.

  2. Use a website like SSL Labs that gives you the certificate they receive for the host.

    Then check to see if that is the actual same certificate. If it is, there is no MITM going on.

    Easy tip: most of the time, the certificate does not only have another fingerprint but different other properties too, so it might be an easy spot. But it could be that they only differ in fingerprints.

Tobi Nary
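The detection approach described in Artem Bychkov's and Tobi Nary's answers (capture the certificate from a trusted vantage point, then compare fingerprint, serial and issuer against what the office network presents) can be scripted. The following is an added example, not code from any answer or from Forefront TMG; `fetch_live_cert` uses Python's standard `ssl` module to grab the leaf certificate over the network, while the `REFERENCE_CERT`, `PROXY_CERT` and `ROTATED_CERT` dictionaries are constructed sample data with made-up issuer names, so the comparison logic runs offline. It also encodes the caveat from both answers: a changed issuer is the strong signal, whereas a fingerprint or serial change alone can be ordinary certificate rotation and only warrants looking at the full chain.

```python
import hashlib
import socket
import ssl


def sha256_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated as browsers display it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def rdn_to_dict(rdn_sequence) -> dict:
    """Flatten the nested tuples that ssl.getpeercert() uses for 'subject' and 'issuer'."""
    flat = {}
    for rdn in rdn_sequence:
        for attr_type, attr_value in rdn:
            flat[attr_type] = attr_value
    return flat


def fetch_live_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate the current network path presents for `host`.
    Returns the same dict shape as the constructed samples below. Needs network
    access, so it is not exercised offline: run it once at the office and once from
    home or a phone, then feed both results to compare_certs(). If the office CA is
    not in the trust store this raises ssl.SSLCertVerificationError, which is itself
    a sign that something in the path is re-signing the certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            parsed = tls.getpeercert()
    return {
        "fingerprint_sha256": sha256_fingerprint(der),
        "issuer": rdn_to_dict(parsed["issuer"]),
        "subject": rdn_to_dict(parsed["subject"]),
        "serial": parsed.get("serialNumber"),
    }


def compare_certs(reference: dict, observed: dict) -> list:
    """List the ways `observed` (what the office network shows) differs from
    `reference` (what an untouched vantage point showed). Empty list: the views agree."""
    findings = []
    if reference["fingerprint_sha256"] != observed["fingerprint_sha256"]:
        findings.append("fingerprint differs")
    if reference["serial"] != observed["serial"]:
        findings.append("serial number differs")
    ref_issuer = reference["issuer"].get("organizationName")
    obs_issuer = observed["issuer"].get("organizationName")
    if ref_issuer != obs_issuer:
        findings.append(f"issuer organization differs: {ref_issuer!r} vs {obs_issuer!r}")
    return findings


def verdict(findings: list) -> str:
    """A changed issuer means a different CA signed what you are seeing; a changed
    fingerprint/serial under the same issuer may just be rotation or a server pool,
    so that case only earns a 'check the chain' rather than a conclusion."""
    if any(f.startswith("issuer organization differs") for f in findings):
        return "interception likely"
    if findings:
        return "mismatch; check full chain before concluding"
    return "no interception detected"


# Constructed sample data (not real certificates, CA names are invented placeholders):
# the reference view of example.com captured from home, the view behind an inspecting
# proxy, and a benign rotation by the same public CA.
REFERENCE_CERT = {
    "fingerprint_sha256": sha256_fingerprint(b"constructed DER placeholder 1"),
    "issuer": {"countryName": "US", "organizationName": "Example Public CA",
               "commonName": "Example Public CA TLS Issuer"},
    "subject": {"commonName": "example.com"},
    "serial": "0A1B2C3D",
}
PROXY_CERT = {
    "fingerprint_sha256": sha256_fingerprint(b"constructed DER placeholder 2"),
    "issuer": {"countryName": "US", "organizationName": "Example Corp Internal CA",
               "commonName": "Example Corp Web Proxy CA"},
    "subject": {"commonName": "example.com"},  # subject copied, so the padlock stays green
    "serial": "01",
}
ROTATED_CERT = {
    "fingerprint_sha256": sha256_fingerprint(b"constructed DER placeholder 3"),
    "issuer": dict(REFERENCE_CERT["issuer"]),  # same CA, new certificate
    "subject": {"commonName": "example.com"},
    "serial": "0A1B2C3E",
}

if __name__ == "__main__":
    for sample_name, sample in (("proxy", PROXY_CERT), ("rotated", ROTATED_CERT)):
        findings = compare_certs(REFERENCE_CERT, sample)
        print(sample_name, findings, "->", verdict(findings))
```

The reference view should come from a path the employer does not control (a home connection, a phone on mobile data, or the certificate shown by SSL Labs as Tobi Nary suggests); comparing two captures made on the same office network would only show that the proxy is consistent with itself.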
0

These are all good answers so I won't go on and say "yes, it's possible and being done within many organizations around the globe". What I did want to say is that HTTPS inspection is (generally) done NOT to spy on you but to ensure that traffic traversing their network is legitimate and safe. They want to ensure that it's you doing your banking on your lunch hour and not malware exfiltrating company secrets.

Also, you should be aware that HTTPS inspection is CPU intensive and the general practice is to decrypt just a little of the beginning of the traffic. Once the traffic has been deemed legitimate no further decryption takes place. Now... please also remember that I said "general practice"... because it is absolutely possible for them to decrypt your entire session. However, it's also possible for them to install keyloggers / screen capture software on your computer as well, and that option would likely be easier and much less expensive.

JohnyD