0

Google hangouts uses e2e encryption via https using tls 1.2. Now assuming one is using their own phone but they are using the corporate wifi can their employeer read the messages.

I'm sure with enough resources they can brute force decrypt the messages but I was wondering how the keys are exhanged? Ie how easy is it to read the messages?

I switched from group text messages to google hangouts to coordinate team sports and sometimes the blue collar workers on our team will share or say things that might be frowned upon at other organizations.

So if your running google hangouts on your own phone but connecting to an organizations wifi do they have a leg up to decrypted the messages?

What I have read is if they administer the machine they obviously have a leg up in cracking it and it seems very easy based on the posts here. But they don't administer my phone so how difficult is it for them to read the content?

HashHazard
  • 5,105
  • 1
  • 17
  • 29
ngnewb
  • 3
  • 3
  • The tags don't work well on my phone so if someone can edit this to add tags that make sense that would be much appreciated – ngnewb Aug 16 '16 at 22:01
  • If they haven't installed anything on your phone (i.e. MDM solution, root CA, etc) and you are not getting any cert errors, you should be fine. – HashHazard Aug 16 '16 at 22:48
  • Would I get cert errors in a native app? The only thing I installed on my phone is MobilePass which is to generate a token for 2 factor auth for VPN access. – ngnewb Aug 17 '16 at 16:15

1 Answers1

2

If your employer asked you to install a Certificate Authority (CA) certificate on your phone, then they can read all your encrypted data to any HTTPS website. This can be done by the network admin acting as the man-in-the-middle. When you connect to an HTTPS website, the browser will see if the (fake) certificate presented is trusted or not, by checking the trust store of certificate signers. The certificate that you were made to install is the one used for signing the certificate of the website being MITMed. Hence, the MITM terminates the SSL connection between you and itself, and can then establish a new connection to the end server, thereby being able to read data.

sandyp
  • 1,146
  • 1
  • 9
  • 17
  • So all they see is put get and post requests to some Google Api? So the same is true for facebook iMessages or WhatsAPP or anything else with https? – ngnewb Aug 16 '16 at 23:22
  • They see the GET/POST requests as well as the HTTP body which has all the chats. And yes, any HTTPS website can be MITMed, as long as your network admin CA has signed the certificate for that FQDN (Fully qualified domain name). – sandyp Aug 16 '16 at 23:26
  • @sandyp I don't know if that's correct. HTTPS GET (and POST) requests are encrypted. Network monitoring would only see the domain/IP being requested, not the content (or query string params). And how would the network admin sign a cert for Google Hangouts or Facebook? *more info: http://security.stackexchange.com/questions/80991/can-someone-using-wireshark-obtain-the-full-url-if-my-program-uses-https* – HashHazard Aug 17 '16 at 00:18
  • @Hollowproc Network admin can sign any domain in the world. The question is does the client (browser) trust it? To make the browser trust, the admin asks the user to install the certificate. – sandyp Aug 17 '16 at 01:23
  • Reread OP's question: **But they don't administer my phone so how difficult is it for them to read the content?** He indicated that the org had no intervention on his phone, which makes your comment misleading. – HashHazard Aug 17 '16 at 01:45
  • @Hollowproc Administering phone is not the same as requiring this one-time certificate install – sandyp Aug 17 '16 at 03:47
  • And what gives you the impression he had to install a cert? – HashHazard Aug 17 '16 at 12:11
  • When I log onto the wifi network I enter a username and password. I use the Google hangouts native iOS app. Entering a username and password in a web browser wouldn't just install a cert for me correct? I would have to knowingly install that CA cert on my phone or could visiting the web page to get onto the wireless network install it ? – ngnewb Aug 17 '16 at 16:13
  • @ngnewb correct, you would need to accept the cert install. Just entering wireless creds isn't enough for the NA to view TLS traffic – HashHazard Aug 17 '16 at 16:21