11

I have just discovered that my workplace has enabled some new features in the Blue Coat network proxy. It seems like all HTTPS certificates in Chrome on Windows are being issued by this internal server. Under connection I only see: "The identity of this website has been verified by" this is an internal IP and not the "The identity of this website has been verified by Google Internet Authority". As I do when not running the on the corporate network or on my Ubuntu VM.

As Chrome allows this proxy as CA, everything seems okay, but this also makes me worry a bit. Are they actually doing a man-in-middle where they can look into my communication?

How can I eventually set which CA I want to use? Can I use more than one?

Vilican
  • 2,703
  • 8
  • 21
  • 35
dylf
  • 123
  • 1
  • 1
  • 5
  • 2
    Is your Ubuntu VM on a machine that's on the corporate network? If so, it sounds like they're not *enforcing* the use of the BlueCoat proxy. – Ladadadada Apr 08 '13 at 18:49
  • 1
    Just a note to help you out - in future, rather than cross posting you can hit the "flag" link underneath, select "needs moderator attention" and ask for the question to be moved. A nice moderator will then shift it for you :) All existing answers etc will move with the question. –  Apr 08 '13 at 18:50
  • @AntonyVennard thanks. Still new to this platform, sry to to comply... – dylf Apr 08 '13 at 19:46
  • @dylf no problem, that's why I pointed it out :) You'll soon pick up the norms etc. Welcome to Security SE! –  Apr 08 '13 at 19:49
  • @Ladadadada Yes, it seems like it is not enforced. Which is kinda strange... – dylf Apr 09 '13 at 05:51

4 Answers4

12

As other answers have already covered, Blue coat (amonngst other security products) have the capability to intercept SSL sessions for users on the network, to inspect the traffic.

What your company can and cannot do with this information depends on local laws and potentially the contract you signed when you joined the company.

If you have sufficient privileges on your local machine you may be able to remove the bluecoat CA from your trusted CA list, however all that would do would be to produce warnings in your browser as the sites you visit would then appear to have untrusted certificates (i.e. the traffic interception would still happen).

If you're concerned about what your company are doing with the information then you could try speaking to a security or privacy officer (or potentially HR) to see what the company policy is on the matter, but ultimately the only way to avoid the interception would be to use a device/connection that's under your control.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
2

Although I agree with the technical aspects stated by others and leaving the legal opinions to others, there is a obvious failure within the TLS implementations to deliver a secure connection to the end-user.

There is NO technical difference in a "legal" and an "illegal" man-in-the-middle attack and the end-user should be clearly warned about the situation.

jwilleke
  • 221
  • 1
  • 6
2

It's common practice to do this and they are indeed doing a kind of man in the middle. Blue Coat works as a proxy, but also inspects the websites you are looking at (refer to https://kb.bluecoat.com/index?page=content&id=FAQ463). Considering you are working on their network, they have the right to do this. Do note that Blue Coat is a tool often used to:

  • prevent users from downloading or visiting bad links
  • content filtering
  • Data Loss Prevention (for instance sending corporate documents to your private gmail)

The SSL proxy is actually used for the second and last one to my knowledge, I'm not sure about other possible uses. Do note that, depending on the country you live in, there are strict rules on how this data must be handled. But as said before, it's not your network, your employer can actually do this as it is probably contained within your contract.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
  • 2
    no, it depends on jurisdiction and contract terms, whether the employer is allowed to do it at all. Let alone without consent. in most cases consent for such stuff is folded into something else you signed. – ewanm89 Apr 08 '13 at 18:50
  • 1
    My employer uses bluecoat both as a content filter and for DLP. They also have an SSL whitelist that allows financial/medical/govt sites to be accessed without being snooped (caveat; I've never actually visited my banks from work so I don't have any info on how extensive the list is). – Dan Is Fiddling By Firelight Apr 08 '13 at 19:51
  • I have looked into my contract and the privacy policies issued by my employer. They state that the internet traffic is "monitored to prevent unwanted and malicious traffic". Though not mentioned anything about luring private connections to eg gmail. – dylf Apr 08 '13 at 20:07
  • 1
    there you have it, they are doing content filtering. – Lucas Kauffman Apr 08 '13 at 20:08
  • 1
    The effect of such MITM filtering/snooping is usually people bringing mobile devices (BYOD) and using those instead.Security is actually weakened by this approach. – foo May 02 '13 at 04:31
  • @foo if you're using your own device with admin permissions, you're employer is not able to install CA's on your mobile device thus rendering this kind of attack unusable. (except your employer is using some of the BYOD technologies provided by the device vendors a.k.a Samsung Knox on Samsung Phones or Active Directory on Windows devices) – Sebi2020 Sep 25 '21 at 12:10
  • @Sebi2020 First off, CAs on a mobile device don't make much sense; so let's talk about certificates instead. For BYOD, the employer isn't able to install certificates without the device owner's consent (which is good), but the owner is.The employer can thus provide certificates to users just like they would be providing access cards or keys - and the users decide on which device to install them. – foo Sep 25 '21 at 19:46
  • @foo I think you knew what I've meant by "CA's", but okay lets be over meticulous, "CA's certificates". I just wanted to point out that man in the middle attacks with TLS are not possible without the help of the device owner (in the case no BYOD device management service runs on the device). – Sebi2020 Sep 26 '21 at 18:40
0

You are using your work machine. Your employer has every right to perform a MITM on you. There are legitimate reasons for doing so.

If you want to avoid this, use your own machine for personal stuff and use your work machine strictly for work.

  • 8
    Might be better to say "your employer may have a right to perform a MITM on you depending on local laws in your jurisdiction and the contract you signed when you joined the organisation" – Rory McCune Apr 08 '13 at 18:25
  • 1
    according to local danish law your private mails are considered as private. Also if the private mails are stored in your corporate inbox. Follow this link to a danish lawfirm that is explaning this. http://bit.ly/16IRKqE – dylf Apr 08 '13 at 20:19