Every time I try to connect to a site through HTTPS from my office computer, a Certificate Error is thrown 2-3 times before the login screen shows. Until now I used to ignore this and click continue. But recently one of my colleagues told me about the possibility of a Man in the Middle attack.

All I want to ask is, is it possible for them to track my passwords or account details by such method?

UPDATE: They are replacing the Certificate. For now, I activated 2-factor auth in Google.

Ankit
  • Check your employment contract - you could find that you even consented to such monitoring; many employers include such a clause. (Nothing against you personally - just that, statistically, a significant number of people don't read what they're signing and could thus be surprised) – Piskvor left the building Sep 20 '11 at 14:03
  • Login as you? Why would they need to? If they're replacing the SSL certificate, they can see every webpage that you see - including the e-mails you view. – Piskvor left the building Sep 22 '11 at 12:11

4 Answers

20

Yes. Certificates are basically a public key with information about the owner attached to it. They can be signed by a certification authority to confirm that the owner information is correct. There are a number of certification authorities already present in your browser.

You get the warning if the certificate the server shows you is not signed by a certification authority your browser trusts (or is invalid for other reasons).

A man in the middle will trick you to accept his own public key as server key, so that he can use his private key to decrypt everything you send to him. He will then re-encrypt the information and pass it on to the real server.

There are out-of-the-box security solutions that work this way to scan HTTPS traffic for viruses and for sites that do not comply with the company's acceptable-use guidelines. They dynamically generate keys for the servers you want to talk to and sign them with their own certification authority.

In most cases the administrator will install the certificate of the company certification authority as trusted on all company computers, so that there will be no warning.

Paying attention to the names of the certification authorities in the chain of trust is likely to reveal such systems, unless the administrator put a lot of effort into hiding it by creating different local CAs with matching names.

There are more details at Can my company see what https sites i went to?

Hendrik Brummermann

8

Yes, there is such a possibility and it's pretty probable. In your case the best way to be sure is to compare the certificates advertised by a website you use from two separate locations.

Say, if you're a Gmail user, when at home, navigate to https://mail.google.com, click the padlock icon or a green bar to the left of website address, and view certificate details. Look for who issued the certificate (in other words, who is the Certificate Authority - CA). For example - CA for mail.google.com is Thawte.

Also, note the SHA-1 key hash of the certificate (it's a long string of numbers and letters). For mail.google.com this should be "68 AC 69 DF BE 72 B3 0D 08 0E 54 10 84 FD 78 91 FC BD 6D 9B".

Browse to the same website when at work and just compare whether you're seeing the same certificate. If not, technically you're under a Man-In-The-Middle attack. The most probable reason is that a proxy server installed in your work environment enforces SSL decryption to be able to monitor traffic (so technically they can read your passwords, session ids and all the data that's coming through).

If that's the case you'd have to check with your administrator and ask him if it's possible to turn it off. Also check local laws if that is legal, but I suppose it is (it is in my country).

SSL errors could also mean that your computer's date is wrong - if it's too far in the past or future (like a year), that would make some certificates appear expired or not yet valid.

Also, you might have a virus infection that tries to decrypt the traffic. Or someone else (your colleague) at your work is attempting an ARP spoofing attack to monitor your traffic. There are many possibilities, but certificate errors on sites you regularly visit are definitely something to worry about.

Krzysztof Kotowicz

  • mail.google.com has a number of certificates with different fingerprints. It is quite likely that you end up in another google cluster from work than from your home ISP. – Hendrik Brummermann Sep 20 '11 at 11:18

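The comparison this answer describes, as an added example (not code from the answer or its author): record a site's certificate fingerprint on a trusted network, then check what the office network presents. `HOME_FINGERPRINTS` is a constructed sample seeded with the value quoted above; following the comment, it is a set, since one site may legitimately serve several certificates.

```python
"""Compare the TLS certificate presented now with fingerprints recorded
from a trusted location (e.g. at home), to spot interception."""
import hashlib
import socket
import ssl

# Constructed sample: fingerprints written down at home. A set, not a single
# value, because large sites serve different certificates from different clusters.
HOME_FINGERPRINTS = {
    "68 AC 69 DF BE 72 B3 0D 08 0E 54 10 84 FD 78 91 FC BD 6D 9B",
}


def normalize_fingerprint(fp: str) -> str:
    """Canonical form: uppercase hex with spaces/colons removed, so that
    Windows-style "68 AC ..." and Firefox-style "68:AC:..." compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint(der_cert: bytes, algo: str = "sha1") -> str:
    """What browsers label the certificate's 'fingerprint': a hash of its DER encoding."""
    return hashlib.new(algo, der_cert).hexdigest().upper()


def matches_known(der_cert: bytes, known: set, algo: str = "sha1") -> bool:
    """True if the presented certificate is one recorded from a trusted location."""
    return fingerprint(der_cert, algo) in {normalize_fingerprint(k) for k in known}


def fetch_leaf_cert(host: str, port: int = 443) -> bytes:
    """Return the DER certificate presented for `host`. Verification is disabled
    deliberately: an intercepting proxy's certificate would otherwise abort the
    handshake before it could be inspected. No application data is sent."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, known: set) -> dict:
    """Fetch the live certificate and report whether it matches the home record."""
    der = fetch_leaf_cert(host)
    return {"host": host, "sha1": fingerprint(der), "matches_home": matches_known(der, known)}


if __name__ == "__main__":
    result = check_host("mail.google.com", HOME_FINGERPRINTS)
    print(result)
    if not result["matches_home"]:
        print("Different certificate than at home: ask IT whether an inspecting proxy is in place.")
```

A mismatch is a prompt to ask the administrator, not proof of an attack: as the comment notes, a different cluster can present a different legitimate certificate, so record several fingerprints from home before drawing conclusions.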
6

2-factor auth in Google is not going to help you.

Your company wouldn't look for your authentication parameters (username/password); rather they would try to prevent/recognize information leakage from the company (see Wikileaks). But if you work SSL end-to-end (like with gmail) the company can't monitor your traffic, so they have to do SSL termination in the middle (or MITM). Now even if you do 2-factor auth in Google they can still do SSL termination and monitor your traffic.

Usually companies will have a formal policy for Web monitoring. For example it's common that financial/healthcare/government institutions will be excluded from such monitoring. Also there are some legal regulations for it. From what I know it's illegal to monitor healthcare-related traffic in France.

So I would suggest you go to your IT/Security department and ask them what traffic gets monitored and what doesn't.

Aaron

AaronS

1

Who knows. You'd have to pay attention to the actual errors.

The most common problem is simply that the clock is off. HTTPS requires your computer's clock and the webserver's clock to be somewhat synced up. If it's a year off, for example, you'll get a string of errors like that.

The specific error you are looking for is checking that the name of the website in the certificate matches the site you are going to, and that it's been signed by legitimate certificate authorities. A good test site is https://www.google.com.

Robert David Graham