0

I wanted to find out whether my company can see what I'm posting online as soon as I'm using websites that use a valid HTTPS certificate.

I know there are a lot of posts here about whether my company can find out which URLs I've visited. Now I wanted to find out whether I'm being intercepted by the proxy server we use (we have a computer-wide proxy server in place which is also used for web browsing) by means of a "faked" HTTPS certificate.

IMHO my company doesn't use such a procedure, but I just wanted to confirm it by some experts on here.

When I browse to https://security.stackexchange.com on my company's laptop in Firefox, the certificate hierarchy looks completely identical to the certificate hierarchy shown in Chrome on my home computer:

[Screenshot: certificate hierarchy]

Even the certificate fingerprints and serial-numbers are completely the same.

Is my understanding correct that:

  • Even though we are using a proxy, it is sufficient to check the certificate hierarchy and when it's the same inside the company's network and in my home network, I can conclude I'm not being sniffed the inputs I do
  • The procedure of the proxy-server to "insert" a faked https-certificate, in case there would be such a system in-place, would probably be made system-wide. That means, as I only compared the certificate-hierarchies on a few domains now, it should mean such a procedure will highly likely not be in-place at all, also not for any other domain?
  • That means the only way to track my inputs, would be to use some sort of keyloggers? (Which is probably not possible / allowed by law anyhow (living in Germany)).
  • From what I gathered from the other posts here on stackexchange, they can obviously save from the logs which URLs/hostnames I have visited. The question is: Do they see the full URLs or only the hostname / the target server? Because it could potentially do a big difference whether I visited some reddit page about how to set up some software or some reddit page about po*rn :D Obviously I won't visit these, just from a technical POV I want to know what's possible here.

Thanks in advance!

tim
  • Unfortunately you merge several mostly independent questions into a single one and several of these questions already have answers here. That's why I've marked your question as duplicate of some of these. I recommend that you instead ask the parts which are not handled already at this site as (multiple) separate questions. – Steffen Ullrich Jan 09 '19 at 09:37
  • Obviously I was confused by all the answers and wanted to ask the question w.r.t. my use case / example. Unfortunately you turned the question down instead of letting me get a validation. So probably I gotta go and ask in some forums to make sure my understanding is correct. – tim Jan 09 '19 at 10:04
  • 1
    *"__Obviously__ I was confused ..."* - nothing in your multi-faceted question suggested to me that you were confused by existing questions. In such a case I would expect you to reference the questions you were confused by and highlight the specific parts which you don't understand. But to help you a bit further: it is possible to only intercept selected sites and thus looking at the chain of only a single site is not enough. Also there are several ways to monitor what the user is doing apart from plain keylogging and https interception. – Steffen Ullrich Jan 09 '19 at 10:18
  • "But to help you a bit further: it is possible to only intercept selected sites and thus looking at the chain of only a single site is not enough." Okay thanks. I'm working in a very very very big company, I'd say hopefully they don't do stuff like this, even if it's technically possible. But I'll monitor a few pages in the future, thanks for the hint :) – tim Jan 09 '19 at 12:39

1 Answer

3

Even though we are using a proxy, it is sufficient to check the certificate hierarchy and when it's the same inside the company's network and in my home network, I can conclude I'm not being sniffed the inputs I do

You can conclude that you are not sniffed for this specific site and this specific time only.

The procedure of the proxy-server to "insert" a faked https-certificate, in case there would be such a system in-place, would probably be made system-wide. That means, as I only compared the certificate-hierarchies on a few domains now, it should mean such a procedure will highly likely not be in-place at all, also not for any other domain?

It is possible to intercept only selected sites or only at specific times or only specific clients (based on ClientHello fingerprint) or to explicitly not intercept some sites. Thus it is not possible to conclude from one site not being intercepted that other sites will not get intercepted too or even that the same site does not get intercepted at another time or with another client. You might check if you find some unusual root certificates in your certificate store but these are not that obvious to detect.

That means the only way to track my inputs, would be to use some sort of keyloggers? (Which is probably not possible / allowed by law anyhow (living in Germany)).

There are several ways to monitor users apart from keyloggers and HTTPS interception. For example browser plugins could be used or simply the whole system could be mirrored similar to remote desktop software.

From what I gathered from the other posts here on stackexchange, they can obviously save from the logs which URLs/hostnames I have visited. The question is: Do they see the full URLs or only the hostname / the target server? Because it could potentially do a big difference whether I visited some reddit page about how to set up some software or some reddit page about po*rn :D Obviously I won't visit these, just from a technical POV I want to know what's possible here.

Only the domain is known and not the full URL. See Are URLs viewed during HTTPS transactions to one or more websites from a single IP distinguishable?.

Steffen Ullrich
  • "...on this specific site.": I'd add "on this specific visit". At least one sheep in Scotland has at least one black side. – Anders Jan 09 '19 at 11:12
  • 1
    @Anders: right, one cannot conclude from a single visit to other visits to this site. I've adapted the answer. – Steffen Ullrich Jan 09 '19 at 11:18
  • Thanks for your answer. Regarding "For example browser plugins could be used or simply the whole system could be mirrored similar to remote desktop software." -> Mirroring the whole system, you mean that somebody would "watch" my action? In case, then this would at least not be a way to "automatically" monitor what I type etc, because this would mean they needed to OCR the mirrored screen-pictures. And I checked Extensions and Addons in Firefox, there's nothing installed apart from Widevine & Acrobat PDF Plugin. – tim Jan 09 '19 at 12:28
  • 2
    @tim: This is not simple screen scraping. Remote desktop software usually transmits keyboard and mouse changes as separate events in addition to changes on the screen. This might also include sound etc. In any case: if you are in Germany then this kind of invasive access is usually not done. Although in some use cases like managing of customer systems from remote this might be done to have an audit trail. In any case: check your work policy and contract to what is allowed and what gets monitored and don't deviate from the policy just because you think nobody will notice. – Steffen Ullrich Jan 09 '19 at 13:04
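
The home-versus-work certificate comparison discussed in this thread, as an added example that is not part of the original question or answer: it records the leaf fingerprint and issuer per host and flags hosts whose issuer changed, which is what a re-signing proxy produces, while a changed leaf under the same issuer is usually a renewal or a different CDN node. Host names, fingerprints and issuer names are constructed, and the `proxy` parameter of `observe` is an assumption about how the explicit proxy is reached.

```python
import hashlib
import http.client
import ssl

def observe(host, proxy=None, timeout=5.0):
    """Leaf SHA-256 and issuer seen from this network; proxy=(host, port) is optional."""
    ctx = ssl.create_default_context()  # a verification failure here is itself a finding
    conn = http.client.HTTPSConnection(*(proxy or (host, 443)), timeout=timeout, context=ctx)
    if proxy:
        conn.set_tunnel(host, 443)  # TLS handshake runs through a CONNECT tunnel
    conn.connect()
    try:
        der = conn.sock.getpeercert(binary_form=True)
        issuer = conn.sock.getpeercert()["issuer"]
    finally:
        conn.close()
    name = ", ".join(f"{k}={v}" for rdn in issuer for k, v in rdn)
    return {"sha256": hashlib.sha256(der).hexdigest(), "issuer": name}

def compare(baseline, observed):
    """Map every baseline host to a verdict for this one observation run."""
    verdicts = {}
    for host, base in baseline.items():
        seen = observed.get(host)
        if seen is None:
            verdicts[host] = "not-checked"  # says nothing about this host
        elif seen["sha256"] == base["sha256"]:
            verdicts[host] = "same-leaf"
        elif seen["issuer"] == base["issuer"]:
            verdicts[host] = "same-issuer"  # renewal or another CDN node
        else:
            verdicts[host] = "issuer-changed"  # leaf signed by a different CA
    return verdicts

# Constructed sample observations (not real certificates or CAs).
PUBLIC = "O=Example Public CA, CN=Example Public CA R1"
CORP = "O=Example Corp, CN=Example Corp Inspection CA"
HOME = {
    "site-a.example": {"sha256": "a1" * 32, "issuer": PUBLIC},
    "site-b.example": {"sha256": "b1" * 32, "issuer": PUBLIC},
    "site-c.example": {"sha256": "c1" * 32, "issuer": PUBLIC},
    "site-d.example": {"sha256": "d1" * 32, "issuer": PUBLIC},
}
WORK = {
    "site-a.example": {"sha256": "a1" * 32, "issuer": PUBLIC},
    "site-b.example": {"sha256": "b2" * 32, "issuer": PUBLIC},
    "site-c.example": {"sha256": "c9" * 32, "issuer": CORP},
}

if __name__ == "__main__":
    for host, verdict in compare(HOME, WORK).items():
        print(f"{host:16} {verdict}")
```

A "same-leaf" verdict covers only that host, at that time, from this client: Python's ClientHello differs from the browser's, so a proxy that selects by client may treat the two differently.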