I know my company is testing something called "SSL Inspection" based on Websense, which is our proxy. I cannot provide more detail about this, but does this mean that, in principle, all my SSL traffic, for example my web bank password or security PIN, could actually be read by WebSense?
- I've already answered, but felt I should clarify something - are you asking if Websense (the makers of the monitoring tools) can read all your data, or if your employers can read all your data? – Graham Hill Jun 13 '12 at 12:41
- Thanks, my concern is mainly with my employers. I also think that the users should be informed about this, even if I doubt it will be done in my company. Because, as you said, it's like a "man in the middle" attack. If you don't inform me, I don't really see so much difference with respect to a "true" attack. – castigli Jun 13 '12 at 21:21
- Ah, but it's their computer and their network: they can do what they like with it. – Graham Hill Jun 14 '12 at 09:23
- @GrahamHill, depending on the jurisdiction, the employee council must agree and the employees must be informed. – Hendrik Brummermann Jun 15 '12 at 13:00
5 Answers
Yes, SSL Inspection is essentially a man-in-the-middle "attack" (except it's not really an attack since it's being done by the infrastructure owner) with the intention of being able to read all traffic originating from your company machine or crossing your company network, even if SSL is being used.
Consequently, you should not send anything from your company issue machine, or over your company network, that you do not want your corporate security team to read.
(Which is a good general rule in any case.)
Some other points to bear in mind:
- A reasonable company will not care about your personal data.
- An ethical security team will go to some lengths to avoid seeing personal data.
- A sensible company will have documented what they will and won't do - see what's been published.
- There is a small but non-zero risk with any such system that a real attacker will compromise the monitoring system.
- There are other methods available to a corporate security team for monitoring computer use - they can deploy keyloggers, for example.
If an organization has to implement a robust Data Loss Prevention system, they're going to have to look at everything - so even though they are implementing SSL Inspection it doesn't mean they have evil intent. Not much fun for their employees, of course, which is why transparency is so important.
Yes. With that configuration WebSense can decrypt and analyze data. Here is what WebSense does as a proxy with the ability to inspect SSL connections.
Certificate validation ensures the following:
- Certificate is not expired
- Certificate is not revoked
- Certificate owner and URL have the same identity
- Certificate is issued by a trustworthy CA
The network security administrator, not the client, has the power to decide which sites are allowed.
- Any decision about the trustworthiness of a certificate must be made solely by the security administrator.
- Any exception to the rule can only be made and allowed by the security administrator.
- The user of a client workstation can only request exceptions, but not make them.
Control over data transmitted:
- Data can be decrypted and hence inspected for malware.
- I understand these needs, but I would like to have proof that all the decrypted data is not stored anywhere and cannot be obtained by the people operating the system. – castigli Jun 13 '12 at 21:29
- That would be specific to your setup. The administrator might configure the device to log at a debugging level that might contain HTML content and user data. – Majoris Jun 13 '12 at 21:48
Some Security.SE links on this site that may help you:
- Thanks, it seems I have to do a lot of homework. I was a little naive to hope SSL would protect me in any case. – castigli Jun 13 '12 at 21:31
- @castigli Consider also that there are other approaches an employer can use to monitor use that do not require SSL inspection, such as deploying a keylogger. – Graham Hill Jun 14 '12 at 09:25
When a company uses a proxy to inspect employees' SSL communication, they forge the target's (e.g. your bank's) certificate so that the employee thinks that he/she communicates with the bank, but in actuality he/she communicates with the proxy and the proxy in turn communicates with the bank. The proxy uses its own root certificate for the employee-proxy route.
When you try to log in to your bank account from your company computer, the following takes place:
1. The login request uses the company's certificate to encrypt the message and sends it to the proxy.
2. The proxy, after decryption and inspection (and this can be done since the certificate is generated by your IT dept and they naturally have the private key required for decryption), "repackages" the message and sends it to the bank.
3. During (2), the proxy returns to you the bank login page so you think that you are connected directly to the bank. You might see the lock icon, but this is a fake - it is generated by the proxy's certificate.
4. During the inspection phase, the company can read your login details in the clear.
However, you can still connect to your bank in a secure way:
If you use your own computer on a company network, then when you get the bank log-in page look at the actual certificate shown to you (normally by clicking on the lock icon), and compare its fingerprint to a fingerprint you got through another communication channel (e.g. collect beforehand the desired fingerprints at home and write them on a piece of paper). Fingerprints cannot be spoofed by a proxy.
If you use the company's computer, you may still want to compare fingerprints, but remember that this is not your machine - the company might have installed all kinds of sniffing software/loggers. Don't do highly sensitive stuff on hardware + software that you don't fully control (trust issues with the OS or device drivers are a big subject for another discussion though...)
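The fingerprint comparison this answer recommends, as an added example (not the answer's own code): it assumes the pin is a SHA-256 fingerprint of the DER-encoded leaf certificate, written in the colon-separated form browsers display, and collected beforehand on a machine you trust; `SAMPLE_DER` is constructed placeholder bytes and the host/port parameters are the caller's.

```python
import hashlib
import socket
import ssl

# Constructed placeholder bytes standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"\x30\x82\x01\x00constructed-placeholder-not-a-real-certificate"

def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, in the AA:BB:...:ZZ form browsers show."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def normalize_fingerprint(text: str) -> str:
    """Canonicalise a hand-copied fingerprint: drop colons/spaces, fix case."""
    hex_only = "".join(ch for ch in text if ch.isalnum()).upper()
    if len(hex_only) != 64 or any(ch not in "0123456789ABCDEF" for ch in hex_only):
        raise ValueError("expected 32 hex bytes (a SHA-256 fingerprint)")
    return hex_only

def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """True only if the presented certificate equals the out-of-band pin."""
    return normalize_fingerprint(sha256_fingerprint(der_cert)) == normalize_fingerprint(pinned)

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate actually presented to this client.

    Chain verification is deliberately off: a forged certificate from an
    inspecting proxy validates silently once the corporate root is installed,
    so the trust store cannot be the deciding check; the pin comparison is.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def verdict(der_cert: bytes, pinned: str) -> str:
    """One-line result: OK when the pin matches, otherwise the presented value."""
    if fingerprint_matches(der_cert, pinned):
        return "OK: presented certificate matches the pinned fingerprint"
    return "MISMATCH: presented " + sha256_fingerprint(der_cert) + " (TLS was terminated by another party)"

if __name__ == "__main__":
    pin = sha256_fingerprint(SAMPLE_DER)          # the value you wrote down at home
    print(verdict(SAMPLE_DER, pin.lower()))       # matches despite the case difference
    print(verdict(SAMPLE_DER + b"\x00", pin))     # a different certificate is rejected
```

For a live check, replace `SAMPLE_DER` with `fetch_leaf_der("your-bank-host")` and compare against the fingerprint you recorded at home; a mismatch on the corporate network is exactly the proxy-issued certificate the answer describes.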
Although the data you send is decrypted, it is not possible for the IT staff to actually view the data you have sent; the only thing that is looked at is the web address.