9

I was reading the other day on "Does https prevent man in the middle attacks by proxy server?". Let me quote a few lines:

Blue Coat, the biggest name in the SSL interception business, is far from the only one offering SSL interception and breaking in a box. Until recently, for example, Microsoft would sell you a program, Forefront Threat Management Gateway 2010, which could do the job for you as well. With an SSL interception proxy program or device in place, here's what really happens


If your company has set up the proxy correctly you won't know anything is off because they'll have arranged to have the proxy's internal SSL certificate registered on your machine as a valid certificate. If not, you'll receive a pop-up error message, which, if you click on to continue, will accept the "fake" digital certificate. In either case, you get a secure connection to the proxy, it gets a secure connection to the outside site -- and everything sent over the proxy can be read in plain text. Whoops.

So if I understood correctly, all my private information like banking credentials, Facebook, mail etc. can be easily intercepted without me even knowing about it.

If that is true, how may I know whether my company or my ISP has a proxy in place and is eavesdropping on all my sensitive data?

cyzczy
  • Because your company or ISP won't have had the chance to install their certificate on your personal computer. – Celeritas Nov 21 '16 at 10:36

1 Answer

22

How to know if your company does TLS intercept

As the post you linked to explains, the proxy will decrypt all the traffic, and then encrypt it again but signed with another certificate. Therefore the certificate you receive will be different from the one the website sends. So one way to detect this is to compare the certificates you get when you visit a website from your company network with the one you get when you visit it from outside of that network (e.g. from home).

All browsers have functionality to view the thumbprint of a certificate. In Chrome, click the green lock in the URL bar, then click "Info", and finally "View certificate".

Some caveats, though:

  • Some websites may serve different certificates to different users for various reasons, so the fact that they don't match for one site might not be enough to conclude there is a TLS proxy.
  • The proxy might not intercept traffic for all domains, so even if all the certificates you try match it is impossible to know that your traffic will never be intercepted.

So how do you get around those caveats? You would have to go through the trust store in your OS and your browser (if it uses its own) to see if any certificates have been added there. For instructions on how to do this, see this question.

Finally, it should be noted that TLS interception is a perfectly legitimate thing for an employer to do. And since you are probably using a computer provided to you by your employer at work, there are many other ways they could monitor your browsing habits and anything else you do on your computer without relying on a proxy server. So if you want privacy, don't use your work computer or network.

But what about the ISP?

While your employer might have legitimate reasons to do this, your ISP most certainly does not. Fortunately, they cannot easily do this. Why? The answer is in your quote:

If your company has set up the proxy correctly you won't know anything is off because they'll have arranged to have the proxy's internal SSL certificate registered on your machine as a valid certificate. If not, you'll receive a pop-up error message, which, if you click on to continue, will accept the "fake" digital certificate.

Since your ISP does not control your computer, there is no way for them to install a root certificate (other than making you do it). So you would get a warning that the certificate is incorrect every time you visit a site over HTTPS. Not very stealthy in other words.

If you are still concerned someone might have sneaked a root certificate into your trust store, you could use the method above to check. But you would need to compare the certificates you get with the ones from a computer with another ISP, preferably even in another country. Or you could just compare them to the preloaded public key pins for sites that use HPKP.

Anders
  • 5
    Just bring Firefox on a pendrive from trusted location. FF has its own cert store instead of using system one. – Agent_L Jul 11 '16 at 12:56
  • If you inspect the certificate chain you will see the root certificate is probably coming straight from your company... – Jeroen Landheer Jul 11 '16 at 13:09
  • @Agent_L you mean the portable version ? – cyzczy Jul 11 '16 at 13:22
  • 1
    @adam86 Doesn't matter, you can bring portable or offline installer and install it on your computer just as well. (portable is better as to not mess up your current installation if you have one) The only important thing is to NOT have FF downloaded via a potentially compromised connection because they might as well substitute real FF with a hacked one : ) (not very realistic, because it would be a violation of Mozilla's trademark and a lawsuit waiting to happen) – Agent_L Jul 11 '16 at 13:25
  • 1
    Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/42349/discussion-on-answer-by-anders-how-do-i-know-if-my-company-or-my-isp-is-using-a). – schroeder Jul 11 '16 at 21:57
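
Added example (not part of the original answer or its comments): the certificate comparison the answer describes, written in Python so it can be run once from an outside network and once from the network under test. The function names, the sample hosts and issuers, and the `min_hosts` heuristic are assumptions made for this illustration.

```python
import hashlib
import socket
import ssl
from collections import Counter


def observe(host, port=443, timeout=5.0):
    """Fetch the leaf certificate for host; return (sha256 thumbprint, issuer name)."""
    ctx = ssl.create_default_context()  # uses the local trust store, like a browser
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
    name = issuer.get("commonName") or issuer.get("organizationName", "?")
    return hashlib.sha256(der).hexdigest(), name


def compare(baseline, current, min_hosts=2):
    """Compare {host: (thumbprint, issuer)} maps taken on two networks."""
    changed = {h: current[h][1] for h in baseline
               if h in current and current[h][0] != baseline[h][0]}
    known_issuers = {issuer for _, issuer in baseline.values()}
    # Assumed heuristic: one issuer never seen off-network signing several
    # unrelated sites points at a proxy CA, not at ordinary certificate rotation.
    new = Counter(i for i in changed.values() if i not in known_issuers)
    suspects = sorted(i for i, n in new.items() if n >= min_hosts)
    if suspects:
        verdict = "likely intercepted"
    elif changed:
        verdict = "inconclusive"  # sites may serve different certificates
    else:
        verdict = "no evidence for sampled hosts"  # proxy may skip these domains
    return {"verdict": verdict, "changed": sorted(changed), "suspect_issuers": suspects}


# Constructed sample observations (not real thumbprints or issuers).
HOME = {"bank.example": ("aa11", "Public CA One"),
        "mail.example": ("bb22", "Public CA Two"),
        "news.example": ("cc33", "Public CA One")}
WORK = {"bank.example": ("dd44", "Corp Proxy CA"),
        "mail.example": ("ee55", "Corp Proxy CA"),
        "news.example": ("cc33", "Public CA One")}
ROTATED = dict(HOME, **{"mail.example": ("ff66", "Public CA Two")})

if __name__ == "__main__":
    print(compare(HOME, WORK))     # same new issuer on two sites
    print(compare(HOME, ROTATED))  # one changed thumbprint, known issuer
    print(compare(HOME, HOME))     # nothing changed on the sampled hosts
```

If `observe()` raises `ssl.SSLCertVerificationError` on one network only, that is the certificate warning the answer describes for a proxy whose CA is not in the local trust store.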