41

I have viewed Gmail's certificate chain at my workplace, and I realised it's different. It looks like this:

Root CA
   Operative CA1
      ___________.net
         mail.google.com

When I get the certificate chain at home, it looks like this:

GeoTrust Global CA
   Google Internet Authority G2
      *.google.com

Obviously these certificates are issued by my company. I recently read some other thread on security.stackexchange, and they said the company is eavesdropping (using an MITM proxy) the HTTPS communications to protect the internal network and the client machine against viruses. That means they can read my all of the encrypted package that has been sent via HTTPS, including this message too.

If this is true, can I work around this? Or please correct me if I'm wrong.

Anders
  • 64,406
  • 24
  • 178
  • 215
ampika
  • 655
  • 7
  • 13
  • 3
    Not sure I understand how this is not throwing a security error in your browser... is "Root CA" and/or "Operativ CA1" trusted because certificates have been installed on your machine as trusted, or did your company somehow get a different certificate from google for mail? – Michael Feb 21 '17 at 17:50
  • 3
    Probably these certificates have been installed on the machines as trusted, yes. My account has limited access. I need permission for everything expect some basic function, so I can not check this out. – ampika Feb 21 '17 at 19:00
  • Dupe http://security.stackexchange.com/questions/106910/corporate-computers-have-own-corporations-cert-as-trusted-ca-should-i-consider related http://security.stackexchange.com/questions/101721/is-it-possible-for-corporation-to-intercept-and-decrypt-ssl-tls-traffic and http://security.stackexchange.com/questions/142803/can-my-employer-see-what-i-do-on-the-internet-when-i-am-connected-to-the-company – dave_thompson_085 Feb 22 '17 at 08:08
  • 2
    @dave_thompson_085: I don't think this is strictly a duplicate; that questions asks about what has happened, while this asks about workarounds. – sleske Feb 22 '17 at 09:12
  • @Michael Depends whether interceptor's certificates have been installed on the machine as a part of a company-wide deployment of customized OS installation. In any case I consider such interception a bad practice, unless the company prohibits *all* strictly work related use of the company's workstations (so the OP is in the breach of the agreement by using Gmail, not the company). If the company allows gmail (personal) use they are now on the hook for the OP's account safety as well (since they removed built-in safety and installed their own). – xmp125a Feb 22 '17 at 10:11
  • *"If this is true, can I work around this?"* - If you don't want your employer to see your personal information and communications, don't put it into equipment they own - that includes both computers and networks. – RedGrittyBrick Feb 22 '17 at 10:36
  • I'm not sure this enough to be a separate question but how did the browser not flag this due to certificate pinning? What browser (and version) do you use at work? – ydaetskcoR Feb 22 '17 at 10:45
  • 2
    @ydaetskcoR Browser pinning explicitly accepts local CAs, specifically to allow for use cases like corporate TLS intercept, e.g. http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters- – Mark E. Haase Feb 22 '17 at 15:41
  • 1
    @mehaase: Arguably that's a serious bug: unwanted installation of local CA (by malware or a malicious user) will go undetected. It should be doing the opposite; always showing a red broken lock (but allowing the connection) when a local CA that's not restricted to the local DNS domain is used. – R.. GitHub STOP HELPING ICE Feb 22 '17 at 17:58
  • Related: [Is it common practice for companies to MITM HTTPS traffic?](https://security.stackexchange.com/q/107542/141087) – Stevoisiak May 03 '18 at 16:50

3 Answers3

50

Yes, a company doing SSL interception could in theory read all your traffic if you use the company network. Depending on where you live and what kind of contract you have the ability for the company to do this might also be somehow part of the contract or working rules which might also include that you are only allowed to use the company network for work related stuff.

can I workaround this?

Yes, you might use a different machine and network like your mobile phone for your private, not work related, traffic. Depending on the configuration of the firewall it might also be possible to use some VPN tunnel through the firewall. But it is usually explicitly forbidden to do this so you risk to get fired for this.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 39
    Since they do SSL interception, in theory they could also do something more invasive such as keyloggers or remote screen capture. "Use *your* machine, not *their* machine" seems the best advice, to me. – Federico Poloni Feb 21 '17 at 11:02
  • 7
    Of course, if your employer provides your mobile phone, that is *their* machine too. – Martin Bonner supports Monica Feb 21 '17 at 12:54
  • There are certain firewalls that do layer-7 content scanning, and at least one model I'm aware of has the option to use SSL MitM by issuing certificates like this. I had a pretty loud row with management explaining all the reasons this is a terrible idea, and we don't use the module, but it exists. – Shadur Feb 21 '17 at 13:31
  • 3
    @Shadur: pretty much every enterprise firewall and also several low budgets and also the open source squid http proxy can do this. Several desktop antivirus do this too. And some malware or adware too. It's nothing special today. – Steffen Ullrich Feb 21 '17 at 13:56
  • 3
    Yeah, it's not particularly difficult. It's just a damned stupid thing to do because you're breaking the chain of trust. – Shadur Feb 21 '17 at 13:57
  • 1
    @Shadur: there are actual relevant use cases for such feature. Given that an estimated 30% of web traffic is HTTPS today it makes sense to inspect SSL inspections the same way as it makes sense to inspect plain traffic. Properly done the trust chain is not broken but instead verified and replaced by a different trust chain. [But not all do it properly](https://zakird.com/papers/https_interception.pdf). – Steffen Ullrich Feb 21 '17 at 15:42
  • 6
    @steffenullrich And it's easy to do badly, and when done badly the potential security risks far outweigh the benefits. – Shadur Feb 21 '17 at 15:43
  • It's likely more mundane of an answer - it's his ISP acting like a proxy for google. – SnakeDoc Feb 21 '17 at 17:29
  • @FedericoPoloni There are easier ways to implement a keylogger than through SSL interception. – kasperd Feb 21 '17 at 21:37
  • 1
    What @FedericoPoloni said. Moreover the only reason they're able to do SSL MITM is that they installed a trojan root CA on the client machine OP is using. The client machine is already "compromised". – R.. GitHub STOP HELPING ICE Feb 21 '17 at 23:23
  • 1
    Plugging your own machine into the corporate network, when they have a policy of not allowing encrypted traffic, seems unlikely to be permitted. If you wish to do personal things, use your own kit and your own network that _you_ pay for. – Lightness Races in Orbit Feb 22 '17 at 10:50
9

In addition to scanning for malware, corporate IT also uses TLS intercept for data loss prevention (DLP), eg. making sure you're not sending proprietary documents through your personal e-mail.

In most medium to large companies, you must sign an "Acceptable Use Policy" as a condition of employment, and that policy will explicitly state that they are allowed to monitor everything you do on a company-issued computer and/or the company's network. It may also include restrictions on what type of personal activities you're allowed to do on the company's computer/network. And if it does, then the policy probably forbids you from workarounds such as a VPN.

Assuming you work for a big company that has this type of policy in place and also the technology to monitor and enforce compliance, my recommendation is to use your own personal device for personal matters (i.e. smartphone) and do not connect your device to the company's network. (Some companies have a separate, "open" network for employee-owned devices.)

Mark E. Haase
  • 1,902
  • 2
  • 15
  • 24
  • 2
    If such an interception is not documented in some formal policy, it is thoroughly bad form to do it surreptitously, and a reason to reconsider if you want to work for them. – rackandboneman Feb 22 '17 at 15:23
  • 1
    @rackandboneman I agree. It's completely unethical to do it without informing employees. When the policy is documented, it's often not explained in a way that the average employee would understand, and so I think an incomprehensible AUP is equally unethical. – Mark E. Haase Feb 22 '17 at 15:34
  • 1
    Absolutely agree. This is a browser UX problem too. The browser should always be showing connections accepted due to a locally installed root CA as "broken lock"/"insecure" and reminding the user that their activity **is being intercepted and monitored**. Not only would this protect the privacy of average employees who don't understand the AUPs; it would also actively discourage inappropriate use of workplace computers/networks rather than relying on punishing employees *after* they do something wrong. – R.. GitHub STOP HELPING ICE Feb 22 '17 at 18:00
  • @R That's a really good idea! You should submit your idea to the Chrome bug tracker; I think the Chrome team is likely to be the most responsive to your security UX proposal. And maybe contact @__apf__ on Twitter: she works directly on the TLS UX in Chrome. – Mark E. Haase Feb 23 '17 at 15:47
7

Being able to "read" all your encrypted communication doesn't necessarily mean someone is literally sitting at a computer and looking at your data. The "man in the middle" is generally a firewall or proxy appliance, where the IT/Security administrators create rules to block or flag certain types of content. The appliance inspects the packets in plain-text, but it's generally not exposed to a live human.

That said, the general rule applies that you should only do work-related things on your work devices. Even if your traffic isn't being decrypted, the name of the site you are visiting - though not the exact URI - is still visible (via SNI). In other words, even over HTTPS, whether you're just visiting Facebook too much or browsing pr0n, the list of sites you are visiting is visible to corporate eyes, with or without something intercepting the cert. Be smart and just keep personal things on personal devices.

sleske
  • 1,622
  • 12
  • 22
Chris Pratt
  • 266
  • 1
  • 3
  • 6
    The *hostname* that you're connecting to is transmitted in plaintext ([SNI](https://en.wikipedia.org/wiki/Server_Name_Indication)), **not** the full URI. Anyone snooping knows that you've connected to https://​facebook.com/, but not what you're doing there. This can be an important distinction. – josh3736 Feb 21 '17 at 18:23
  • @josh3736: Exactly. I submitted an edit to correct this. – sleske Feb 22 '17 at 09:16