-1

The firm I'm working for has installed "spying" software on my computer which intercepts my https traffic. It's not hard to understand how it works: it's something like mitmproxy, which signs fake certificates on the fly using a fake certificate authority that was previously silently installed on my computer.

BUT:

  • Google Chrome proxy settings are empty
  • and the address of the default gateway in the network manager hasn't been changed.

So how do they redirect the https traffic to the mitm proxy?

peterh
  • 2,938
  • 6
  • 25
  • 31
Bonjour123
  • 107
  • 2
  • 3
    Why do you think they need to redirect the traffic? If you are inside the company they are in control of the gateway and thus the gateway might be the firewall doing the SSL interception itself. – Steffen Ullrich Mar 19 '19 at 09:02
  • No, it's a special program that you install on your computer. I know the name of the product, how it works for all the rest. It's local, and if you need a proof, even on another network, it still works. Plus, as I said, it installs the false CA, I can see it among all legit GoDaddy, Komodo, ... and else. I was more thinking of something like a network driver, would this be possible? – Bonjour123 Mar 19 '19 at 09:31
  • If it is a local program then it could just intercept the traffic locally. That's what antivirus products do too, which often also intercept SSL traffic. Therefore marked as duplicate of a question which asks how AV do this. – Steffen Ullrich Mar 19 '19 at 10:42
  • Thanks Steffen, found the solution in the duplicate :) – Bonjour123 Mar 19 '19 at 11:18

2 Answers

1

They don't need to install spyware on your computer.

The only defense HTTPS has against MITM attacks is that, when visiting the site example.com, no one should be able to create a valid cert for example.com, only the owners of example.com.

This works because all the root CAs (essentially, the "root" certs which certify the ordinary per-domain certs) are only included in the default list of most browsers if the company/organization behind the root CA guarantees this.

However, in theory anybody can create a root CA (for example, with some openssl commands), and then create "valid" certs for any domain he wants. The only problem is that the browsers won't accept it as a valid cert, as this "home-created root CA" has no chance of ever being included in their default root CA list.

Here comes your wonderful employer. He, being your employer, can "ask" your browsers to accept his own cert as a valid root CA. This requires only a few clicks in any browser.

After that, he can mount MITM attacks against your traffic on the way: any time your browser wants to connect to an https:// site, the routers intercept the traffic and generate a per-domain certificate for that site (signed by their own root CA). Then they decrypt your traffic and forward it to the original site as ordinary https requests. Whether your employer is doing this is easily visible if you check the security properties of the site. If you see that the site certificate was created by your employer, or at least by a different root CA from the one visible from an external network, then you are MITM-ed.

This is highly against any security standards and is also a major privacy problem (for example, if you are using your online banking, they get information they should not have), but sometimes it might be legal on company machines.

They don't need to install any complex software on your PC, they only need to install their own root CA. If there is some software on your machine, it probably only works to keep that root CA continuously accepted in your browser, or maybe to raise an alarm if it is somehow removed. The essential part (the traffic eavesdropping, https re-encryption) runs on your firewall/router.

The best way to defend against this: embedding your real https traffic into ordinary requests (for example, make it look as if you were checking a wikipedia mirror, or some technical documentation), and hide the real content with steganography. It requires an external server helping you, which looks like an ordinary content provider. I don't know whether such a tool exists, but developing one is possible and it isn't even very hard.

peterh
  • 2,938
  • 6
  • 25
  • 31
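Added example, not part of the answer above: the check it describes ("look at the security properties of the site and see who issued the certificate") done from the command line with only the Python standard library. The two pure functions classify a certificate by its issuer and compute the SHA-256 fingerprint browsers display; `fetch_leaf` performs the live connection on the machine under suspicion, and `list_trusted_roots` enumerates the root CAs the default context trusts so an unfamiliar corporate root can be spotted next to the public ones. The expected issuer name, the CA names and the two sample certificate dictionaries are constructed placeholders; in practice you record the issuer seen from an outside, uncontrolled network and compare against that.

```python
"""Added example: spot a locally trusted interception CA from the certificate
the local machine is actually handed.  All names and samples are constructed."""
import hashlib
import socket
import ssl

# Constructed placeholder: the issuer CN you observed for the host from an
# outside network.  Anything else presented locally is treated as suspicious.
EXPECTED_ISSUER_CNS = {"Public Trusted CA R3"}

# Constructed samples in the exact shape ssl.SSLSocket.getpeercert() returns.
# First: a leaf for example.com signed by a hypothetical corporate inspection CA.
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp IT"),),
        (("commonName", "Example Corp TLS Inspection CA"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# Second: the same leaf as it would look from outside, issued by the public CA.
SAMPLE_PUBLIC_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": (
        (("organizationName", "Public CA Inc"),),
        (("commonName", "Public Trusted CA R3"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def issuer_common_name(cert):
    """Common name of the CA that signed this certificate, or None."""
    return rdn_value(cert.get("issuer", ()), "commonName")


def is_unexpected_issuer(cert, expected_cns=EXPECTED_ISSUER_CNS):
    """True when the leaf was signed by a CA other than the one(s) we expect,
    which is the tell-tale sign of interception the answer describes."""
    return issuer_common_name(cert) not in expected_cns


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint, the form browsers show in the
    certificate viewer, so the two can be compared by eye."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf(host, port=443, timeout=5.0):
    """Live check: return (parsed cert dict, DER bytes) of the leaf this
    machine receives.  Validation uses the OS trust store, so an installed
    interception CA passes it; that is why the issuer is inspected afterwards
    instead of trusting the handshake result."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def list_trusted_roots():
    """Root CA common names the default context trusts.  On systems that use a
    capath directory, OpenSSL only reports roots that have already been used,
    so an empty list here is not proof that nothing is installed."""
    ctx = ssl.create_default_context()
    return sorted(rdn_value(c["subject"], "commonName") or "?"
                  for c in ctx.get_ca_certs())


if __name__ == "__main__":
    for name in list_trusted_roots():
        print("trusted root:", name)
    cert, der = fetch_leaf("example.com")  # placeholder host
    print("leaf issuer :", issuer_common_name(cert))
    print("leaf sha256 :", sha256_fingerprint(der))
    if is_unexpected_issuer(cert):
        print("WARNING: issuer differs from the expected CA; interception likely")
```

Run it once from an outside network to learn the genuine issuer and fingerprint, then on the company machine; a different issuer CN (or a different fingerprint for the same host) means the session is being terminated by something other than the real server, whether that happens on a gateway or in a local program, since the locally visible certificate changes either way.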
0

They could just have installed a root certificate, and intercept the https traffic later (by later I mean not on your PC).

El Void
  • 3
  • 2