
At my company, I get a warning flag that the traffic to a website may not be secure (enough), for instance for outlook.com and gmail.com. When I open the certificate I see this "issued for" and "issued by":


I blacked out the name of my company. The name mentioned here is "My Company ABC", not for instance Gmail or Outlook. This particular message is taken from the web browser warning (either Outlook or Chrome).

For instance, for Gmail, it says:

"SHA-1 Certificate. The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1. The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM)".

It looks to me as if the communication from my client to the router is secure and strong, but not stronger than what the company has the power to decrypt when needed? Meanwhile they promise to send it with full encryption from their router that routes out to the inter-AS network and the endpoint (Gmail, Outlook, ...).


Why is it like this and what is the impact? Is this some kind of security trend going around?

schroeder
Independent

1 Answer


Some companies want to be able to inspect all traffic exiting their network (data loss prevention, etc.). To do this, they require that all encrypted traffic be decrypted before it exits.

To make this possible, the company then issues its own certificates for external domains. Normally, those certificates are issued by Certificate Authorities (CA) that act as neutral 3rd parties for this sort of thing. But in an SSL Interception scenario, the company itself issues the certificates. Your traffic flows from your client, to the company border, gets decrypted, inspected, re-encrypted, then passed on to the destination.

The potential issue here is that the company might not be as up-to-date or as secure in the way they issue certificates as a CA. But that might not be a huge issue because the only people you are being protected from are the other employees at the company.

So, to answer your question, the local, company-issued certificate is not as cryptographically strong as it could be, and your browser is issuing that warning.

schroeder
  • You nailed the question I had. Thanks for the clarification. So what I can read from you is: 1) there is no particular reason that the company uses weaker encryption. They can choose to decrypt and re-encrypt anyway because they already chose to have an intercepting point before data leaves (and enters) the company? 2) the new warning may just be because of a browser upgrade that is configured differently. But one question: how "big" a task is this for a company, to deal with each company on the other side? Costly? Complicated? Common? – Independent Jan 24 '17 at 12:34
  • 1) no particular point - might be a technical issue, 2) browser updates can create these types of warnings (pretty common), 3) it doesn't require the company to deal with Gmail at all - no costs, no need to even inform Gmail about this action. You are using a 'proxy' - you are not actually communicating with Gmail, but with your company's routers instead. It's your routers that are connecting to Gmail with the valid certificate. – schroeder Jan 24 '17 at 13:53
  • By the way, if you look at Gmail's certificates when you are away from your company, you will see that the issuer isn't Gmail. The CA issues the certificate. – schroeder Jan 24 '17 at 13:55
  • Thanks for the clarification. So this kind of certificate between client and router is just a matter of me accepting to use a client that in turn is configured to accept this kind of certificate for a collection of sites chosen by the company itself. In *reality* the acceptance criteria mean possibly (not obviously) putting the ownership of the data provided (through those sites) into the hands of the mentioned CA "My Company ABC". Of course this is a kind of fair trade-off, instead of restricting/blocking sites. – Independent Jan 24 '17 at 14:49
  • That's the idea – schroeder Jan 24 '17 at 15:02
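
The two checks the answer and the comments describe, as an added example that is not part of the original post or of any product discussed here: who actually issued the certificate your client received for gmail.com (compare it with the issuer seen from outside the company, as the comment suggests), and whether any certificate in the presented chain is signed with SHA-1, which together with a 2017-or-later expiry is the condition behind the Chrome message quoted in the question. The script is standard-library Python. The certificates in it are constructed stand-ins (an empty tbsCertificate stub around a real AlgorithmIdentifier), the company name "My Company ABC" is taken from the question, and "Google Inc" / "Google Internet Authority G2" as the issuer seen from outside is an illustrative assumption; the signature-algorithm OIDs are the real RFC 3279 / RFC 5758 values. `live_leaf()` is the function you would point at a real host from inside and outside the network; it is not exercised offline.

```python
"""Client-side check for TLS interception: who issued the certificate you
received, and which hash signed the chain?  Standard library only."""
import socket
import ssl
from datetime import datetime, timezone

# Signature-algorithm OIDs that use SHA-1 (RFC 3279 / RFC 5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}


def _read_tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]     # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der_cert):
    """OID of the outer signatureAlgorithm of a DER certificate, i.e. the hash the
    issuer used to sign it.  RFC 5280 layout:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body_start, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der_cert, body_start)           # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der_cert, tbs_end)            # AlgorithmIdentifier
    tag, oid_start, oid_end = _read_tlv(der_cert, alg_start)  # its OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der_cert[oid_start:oid_end])


def _rdn_dict(name):
    """Flatten the nested tuples getpeercert() uses for subject/issuer."""
    return {k: v for rdn in name for k, v in rdn}


def assess(peer_cert, chain_der, reference_issuer):
    """peer_cert: dict as returned by SSLSocket.getpeercert(); chain_der: DER of every
    certificate the server sent (leaf first); reference_issuer: the issuer
    organization observed for the same host from outside the company network."""
    issuer = _rdn_dict(peer_cert["issuer"])
    sig_oids = [signature_algorithm_oid(c) for c in chain_der]
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peer_cert["notAfter"]), tz=timezone.utc)
    sha1_in_chain = [SHA1_SIGNATURE_OIDS[o] for o in sig_oids if o in SHA1_SIGNATURE_OIDS]
    return {
        "issuer": issuer.get("organizationName"),
        "intercepted": issuer.get("organizationName") != reference_issuer,
        "sha1_signatures": sha1_in_chain,
        # Chrome's 2017 rule: SHA-1 anywhere in the chain and a leaf expiring in 2017 or later.
        "chrome_sha1_warning": bool(sha1_in_chain) and expires.year >= 2017,
    }


def live_leaf(host, port=443):
    """Fetch the leaf certificate actually presented for host (dict and DER).
    Verification uses the local trust store, so inside the company the
    interception CA validates fine, exactly as the browser experiences it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# --- constructed sample data (not real certificates) ---------------------------
def _der(tag, content):
    """Minimal DER encoder for short (< 128 byte) elements."""
    return bytes([tag, len(content)]) + content


def constructed_cert(sig_oid_bytes):
    """Stand-in certificate: empty tbsCertificate stub, a real AlgorithmIdentifier,
    placeholder signature BIT STRING.  Enough for signature_algorithm_oid()."""
    return _der(0x30, _der(0x30, b"") + _der(0x30, _der(0x06, sig_oid_bytes)) + _der(0x03, b"\x00"))


SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

# Seen inside the company (constructed): leaf issued by the company CA, SHA-1-signed CA cert.
INSIDE_PEER = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "My Company ABC"),), (("commonName", "My Company ABC Root CA"),)),
    "notAfter": "Apr 12 12:00:00 2017 GMT",
}
INSIDE_CHAIN = [constructed_cert(SHA256_RSA), constructed_cert(SHA1_RSA)]

# Seen from a home connection (constructed, issuer names illustrative): public CA, SHA-256 throughout.
OUTSIDE_PEER = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "Google Inc"),), (("commonName", "Google Internet Authority G2"),)),
    "notAfter": "Apr 12 12:00:00 2017 GMT",
}
OUTSIDE_CHAIN = [constructed_cert(SHA256_RSA), constructed_cert(SHA256_RSA)]

if __name__ == "__main__":
    for label, peer, chain in (("inside", INSIDE_PEER, INSIDE_CHAIN),
                               ("outside", OUTSIDE_PEER, OUTSIDE_CHAIN)):
        print(label, assess(peer, chain, reference_issuer="Google Inc"))
```

In practice you run `live_leaf("mail.google.com")` once from the office and once from home and feed both results to `assess()`; a differing issuer organization means a proxy is terminating TLS on your behalf, regardless of how strong the cipher suite reported for the client-to-proxy leg is. Full chains from a live socket need Python 3.13's `SSLSocket.get_verified_chain()`; older versions only expose the leaf this way.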