5

At work, my employer uses a self-signed root certificate to MITM all of our SSL/TLS traffic. Many of our internal certificates used by various micro-services and internal websites are also signed by this certificate.

I have no real issue with this practice as it's their network and equipment.

Recently, there has been a decision made to switch from Citrix to VPN for remote access. As part of the VPN configuration, my employer installs the self-signed root certificate into the trusted certificate store.

I am concerned that this at least potentially gives certain personnel within the firm the ability to decrypt encrypted traffic from my home computer. The certificate is a PKCS#7 certificate signed by and issued to the same entity.

There has been no transparency into this process and it feels very shady to me. I asked about any potential security issues this could affect but was told that since the certificate is issued by a "trusted source" my concerns are unfounded. I am not a security guy, but claiming this is issued by a "trusted source" seems like a stretch.

My question to you is, is this normal or acceptable practice and is there anything that I should be concerned about?

I don't like the idea of someone even having the potential to snoop my family's internet traffic without disclosure nor policy.

Am I being unreasonable?

Thank you in advance.

0xDEAD_BEEF
  • Are you really sure that this is a) a CA certificate usable to sign other certificates and b) installed in the system-wide trust store and not in a trust store specific to the VPN application? Could you point to documentation for this? – Steffen Ullrich Feb 23 '17 at 05:35
  • The cert is a PKCS#7; I was under the impression that you would need the private key for a. I am not sure about b, that's a great question, I will find out. – 0xDEAD_BEEF Feb 23 '17 at 05:48
  • PKCS#7 is just a container and the format itself does not say anything about whether this is a CA certificate or not. And yes, you would need a private key to issue new certificates with a CA, but you don't need it to just verify the trust chain. But are you even sure that this is a CA certificate and not a client certificate which is used to authenticate your system against the VPN server? Again, please point to documentation for what they really did (there should be a documented way of setting up a VPN client with Citrix) instead of making potentially false assumptions which will then lead to false answers too. – Steffen Ullrich Feb 23 '17 at 05:57
  • It's the same CA that we have installed on our workplace desktops. There is no Citrix, just a VPN. The instructions say install vpn_installation package.exe and then install root_certificate_installer.exe. – 0xDEAD_BEEF Feb 23 '17 at 06:37

3 Answers

8

This is not strictly a legal or technical question, but rather an opinion question: "is it acceptable?" Is it acceptable to you?

You bring up a perfectly reasonable technical point though, in that a root cert in your system store allows the controller of that cert to potentially impersonate and intercept any of your SSL/TLS traffic via MitM techniques.

From a practical standpoint, I'd say it should fall under your company's BYOD policies. You could request a corp-owned laptop for home use, and only use it for VPN access. Or, you could not install the VPN client on your home machine over your concerns. Your employer can't require you to use your own, personal machine, but their policies probably do cover things like: if you are going to use a personal machine on work resources, you must do X, Y, or Z to secure it. And installing a root cert for VPN access would probably fall under those conditions.

Ultimately, the decision is up to you. If you feel the potential risk is greater than you are comfortable with, I'd either: request a corp machine for VPN use only at home, acquire another home machine, isolate it from the rest of your network and install the VPN on that, or go without VPN access at home. Or perhaps you could spin up a "work-only" VM on one of your home machines with the free VirtualBox or VMware Player, and install the VPN into that?

I agree the "no transparency" and "feels very shady" bits are worrisome, but in most cases, I'd attribute that to apathy rather than malicious intent. Most folks wouldn't even know what a root cert is, or why installing them on your company's say-so might not be a great idea. The company probably isn't hiding some nefarious scheme, but the IT folks just want to solve the problem of "get folks access from home" and here is how they did it.

Conclusion: are you being unreasonable? No. But you are making more work for yourself, and that's a reasonable thing if you have concerns. I doubt you have any particular leg to stand on to push back, aside from simply not using/installing the VPN.

JesseM
1

Yes, it is risky to install root CA certificates that you do not trust to the keystore on your machine.

It would give them the ability to easily MITM any traffic that passes through the VPN tunnel, even to the internet if the VPN routing is so configured. They likely maintain much less stringent controls over their in house CA certificate keys than a real CA would.

At the same time, any program they install on your home computer presents an equal or potentially greater privacy risk than the in-house certificate. The VPN client comes to mind, but the switch to a VPN implies they want you to run their software at home. This is different from using a Citrix product that you download from Citrix.

You kind of either trust them, or you don't trust them. If you don't trust them, consider using a VM or second computer on a separately routed subnet. Another option might be to use a service like Amazon WorkSpaces that provides a cloud hosted desktop.

trognanders
-2

I would say two things.

First, you should never be worried that the root certificate can in any way be used for malicious purposes. Since the private key is usually put inside an appliance where only your IT department or administrator has access to it, you can stay safe. The IT department or administrator also probably has a specific process ("trusted source") for setting up these root CAs too; I don't see any problems.

Then, whether they are able to snoop on the traffic or not while you're not working depends on two things; they will be able to snoop on the traffic if either of those two holds. The first one is if the VPN is forced, e.g. you cannot use your computer if the VPN is not on. The second case where they can snoop on the traffic is if some proxy the corporation owns is set as the system proxy on your computer. Note that with "snoop" I don't mean they will go in with Wireshark and look at your credit card numbers; I just mean the security scanner will block any viruses and prohibited pages, and log which pages you visit.

Whether it's acceptable or not, generally speaking, I would draw 2 conclusions:

If the "snooping" or "scanning" is only active while you really are working from home, and not when the VPN is inactive, I would say it's always acceptable. Then you can always "go undercover" anytime you want. It's not like they have the possibility of snooping just because their SSL root cert is installed on your computer; they must also be able to get into a position where they are able to "MITM" the traffic. Think of it like a safe with 2 locks. One key is the root certificate. Another key is whether they have control of your traffic flow. They must possess both keys to open the safe; just one key isn't enough.

If the "snooping" or "scanning" is always on, and you cannot turn it off (e.g. forced VPN, or proxy settings that are locked through group policy), I would say this depends on the circumstances. Imagine you are working with some very confidential data, like defense information. In that case, it's reasonable to require that even your home computers are part of the IT policy of the job, even if you wouldn't work from home, thus meaning that you aren't allowed to visit any "prohibited" sites from home either. The reason is the high risk of confidential information leaking. The risk of confidential information leaking in that case is very high. Think you accidentally write a work-related note on your home computer without thinking, let's say a reminder, and you don't realize it's something bad on your computer that leaks this. That's why it's reasonable for a workplace to require your computer to be part of their DLP and virus scan solution. If you don't like it, quit your job. Simple as that.

sebastian nielsen
  • "never be worried" is incorrect. The addition of any trusted cert to his home machine's root trust store opens the OP up to be MITMed on any site by the controller of the private key of that cert. Since he has no visibility into the quality of controls IT exerts over that signing key, it is possible it could be compromised and used to issue bogus certs for any site. We've seen laptop manufacturers get burned by this before, by including their own support cert. – JesseM Feb 23 '17 at 04:13
  • @JesseM You can't really compare those. In that case, the private key was available for anyone to pick up, and the cert existed on many computers. In this case, the cert exists on a few computers (only employees of the corp in question) and is securely stored on the security appliance used by the corp. The risk surface is substantially different, and I would say "never be worried", because first, an evil person must get the private key, then be able to target an employee of the corp in question, and then be able to get into a "MITM" position. – sebastian nielsen Feb 23 '17 at 06:00
  • "If you don't like it, quit your job. Simple as that." -- There are really a ton of things that can be done to keep your work IT department out of your home networking environment. None of them are actually particularly complicated or expensive. Your conclusion is crass and unhelpful. – trognanders Feb 26 '17 at 01:20
  • @BaileyS What I meant with that is that the OP shouldn't try to work against or try to circumvent the limitation. If the employer says that the IT policy is in effect regardless of which computer you use, then you gotta obey that, even if that means you can't visit whichever sites you want in your free time at home. Imagine otherwise that the OP violates the IT policy, and then confidential data leaks due to that. Then the OP could be sued for the violation. What I meant is that if you can't handle that the employer can see what you do on your home computer, quit your job. Don't try to bypass it. – sebastian nielsen Feb 26 '17 at 01:39
  • @sebastiannielsen Simply using a second computer that is exclusively for working from home would provide excellent protection of privacy (most households have multiple internet-connected devices anyway), not in any way circumvent an IT policy, and would be significantly cheaper than finding a new job. At least in the US, it is reasonable to expect that your employer does not spy on you at home. – trognanders Feb 26 '17 at 09:58
  • Just buy another computer, unless you really want to quit your job. Or set up a "work VM" if a new computer is too expensive. – Mike76 Mar 05 '19 at 20:28