
We've just implemented a proxy that decrypts all SSL traffic in order to classify and scan it. Naturally a lot of our users feel concerned. We're a small company (100 users) owned by a big company (5000 users). What we hear internally is that "other companies don't do this". I think that this is the de facto standard for all major companies, but I really don't know. Please elaborate on your views: is this an exception or the de facto standard for companies (albeit primarily large ones, which we are counting as with our parent company)?

Oh, we use a proxy assigned by auto-discovery but are about to block HTTP/HTTPS-bound traffic in the firewalls. Yes, I know many ways to circumvent this, and we will not be playing the cat-and-mouse game because I don't see how one can win that.

user135361

Comments:
  • Not in civilized countries. – CodesInChaos Nov 25 '14 at 14:34
  • Common? No. Unexpected? No. You can imagine that a military contractor would use these methods. – schroeder Nov 25 '14 at 17:41
  • With more attackers using SSL to hide their malicious activities, I can foresee more major enterprises deploying SSL decryption to analyze the traffic in the next 1-2 years. – hoa Nov 26 '14 at 15:22

3 Answers


"SSL decryption" (through a firewall-controlled CA and on-the-fly MitM) is a feature offered on most "expensive" firewall appliances, so one can say that most big companies can deploy SSL decryption. Whether they really do it is another matter. Common reasons for not using that feature include:

  • Legal concerns. In many jurisdictions, employees are allowed some level of personal usage of the company-provided computers (in the same way that people can use the company phone for short personal calls), and snooping on a communication between the employee and his bank or physician would be food for litigation.

  • Compatibility. Many "SSL decryptors" do a somewhat flaky job; e.g. the fake server certificate that the client browser sees contains a 1024-bit RSA key that triggers warnings, or CRL/OCSP for that certificate is not properly supported. And, of course, that MitM breaks client certificates (e.g. smart cards).

  • User resistance. Users simply don't like the idea of their SSL data being inspected.

That last point is interesting. Firewalls that do SSL decryption use a special CA and on-the-fly fake server certificate generation for ease of deployment, but this is hardly the only method to do it. On a company-controlled office computer, the sysadmin may perfectly well install locally some software that hooks into the SSL libraries and inspects data as it flows, outside of the SSL protection. Most antivirus software does just that, and it does not cause so much user fretting. Therefore we may say that what users don't like is not that their data is inspected; what they really abhor is knowing that their data is inspected. Ignorance is bliss.

Personally, when I see such an "SSL decryption" system put in place, my first thought is not "OMG they are looking at my SSL!" but rather "At least they are open about it".

I don't have stats -- I think nobody has, except possibly appliance vendors, but they don't tell (honestly, who wants to say: "my product has a nice feature that nobody uses" ?). But my feeling and experience tell me that company-wide SSL decryption through a visible firewall-controlled CA is still something rare, whereas hidden, transparent inspection done directly on the client machine is highly prevalent. The "fake server certificate" method will become more common in the future, because it makes it much easier to support content filtering for user-provided devices (even if not going full BYOD, companies that provide a complimentary "external" WiFi for their employees prefer it when even that non-privileged network does not become a cesspool of malware and videos of questionable legalities).

Thomas Pornin

Comments:
  • Since every major enterprise firewall offers this and even free software like squid can do this, I think intercepting with a company-wide CA is actually quite common. And since more and more gets encrypted, I don't see an alternative to it if you need inspection at perimeter firewalls (which you usually need). – Steffen Ullrich Nov 26 '14 at 05:42
  • That's exactly my thesis, it being very common in large IT corporations. – user135361 Nov 26 '14 at 11:59
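The compatibility point in the answer above (a re-signing appliance presents a certificate from its own CA, sometimes a sloppy one) suggests a check a user or security team can run from a client machine: look at the leaf certificate the client actually receives and see whether it was issued by the inspection CA and whether it still names the requested host. The following is an added example, not code from this thread or from any vendor; it uses only the Python standard library. The dict layout is the real one returned by `ssl.SSLSocket.getpeercert()`, but the corporate CA name and the three sample certificates are constructed placeholders.

```python
"""Spot on-the-fly TLS interception from the leaf certificate a client receives.

Added example (not from the thread above). Stdlib only. getpeercert() returns
names as tuples of RDN tuples, e.g. ((('countryName', 'US'),), ...); the
constructed samples below imitate that format.
"""
import socket
import ssl
from typing import Dict, Iterable, Optional

# Constructed placeholder: commonName(s) of the inspection appliance's CA.
# Replace with the real issuer name your IT team documents.
CORPORATE_CA_COMMON_NAMES = {"Example Corp Web Proxy CA"}


def rdn_to_dict(rdns: Iterable) -> Dict[str, str]:
    """Flatten getpeercert()'s ((('k', 'v'),), ...) name format into a dict."""
    flat: Dict[str, str] = {}
    for rdn in rdns:
        for key, value in rdn:
            flat[key] = value
    return flat


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS subjectAltName entry (or, when the
    certificate has no SAN at all, by the subject commonName). Exact names and
    a single leading wildcard label are accepted, as browsers do."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = rdn_to_dict(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def inspect_leaf(cert: dict, hostname: str,
                 corporate_cas: Iterable[str] = CORPORATE_CA_COMMON_NAMES) -> Dict[str, object]:
    """Summarise a leaf certificate dict: who issued it, whether that issuer is
    the known corporate inspection CA, and whether the name still matches."""
    issuer_cn = rdn_to_dict(cert.get("issuer", ())).get("commonName", "")
    return {
        "issuer": issuer_cn,
        "intercepted": issuer_cn in set(corporate_cas),
        "hostname_ok": hostname_matches(cert, hostname),
    }


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Live check: connect with the OS trust store and return the leaf dict.
    None means verification failed, which on a machine that does NOT have the
    proxy CA installed is itself a sign that something re-signed the session."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


# Constructed sample: what a client on an uninspected network would see
# (issuer names are made up).
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example Public CA R3"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Constructed sample: the same site re-signed on the fly by the proxy CA.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Web Proxy CA"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}

# Constructed sample: a sloppy re-signer that dropped the SAN and kept only a
# commonName for the bare domain, so the requested hostname no longer matches.
SAMPLE_SLOPPY = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Example Corp Web Proxy CA"),),),
}

if __name__ == "__main__":
    for label, sample in (("direct", SAMPLE_DIRECT),
                          ("intercepted", SAMPLE_INTERCEPTED),
                          ("sloppy", SAMPLE_SLOPPY)):
        print(label, inspect_leaf(sample, "www.example.com"))
```

Run it as-is to see the three constructed cases; to check a real connection from inside the network, call `inspect_leaf(fetch_peer_cert("www.example.com"), "www.example.com")` after filling in the real proxy CA name. Comparing the result from an office machine with the result from a machine outside the proxy's path makes the interception visible without any vendor tooling.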

For what it's worth, I'm on the enterprise security team overseeing half a dozen major companies that we own (mostly in USA), totaling over 10,000 employees, and we don't employ SSL decryption anywhere. A technique like that isn't even on our radar.

armani

Comments:
  • Thanks, good to know. How do you restrict HTTPS connectivity, normal IP-based access rules in firewalls? – user135361 Nov 26 '14 at 11:56
  • All HTTP and HTTPS go through a web proxy that performs filtering and blocking by IP, URL blacklist, and I think request types (like downloads of 'exe' files and such). – armani Nov 26 '14 at 19:39

I believe it depends on which industry you are in. It might be justified if the company has lots of proprietary content which they are afraid of competitors getting their hands on. Some companies even have policies forbidding the use of internet for non-work related purposes. Therefore, if you are using the internet solely for work purposes, decryption of SSL shouldn't matter to you.

Of course, it is important to tell the employees outright so that if they are uncomfortable with it, they can choose to use their own 3G/data plan for personal surfing.

Link to an article on a financial services firm that decided to decrypt SSL: http://www.networkworld.com/article/2161439/network-security/ssl-decryption-may-be-needed-for-security-reasons--but-employees-are-likely-to--fre.html

limbenjamin

Comments:
  • Lots of proprietary content. Largest player in its field. Dealing with financial transactions in the gambling industry. – user135361 Nov 26 '14 at 11:57