
I don't have strong skills in this matter, but I am very curious about the following communication, so may I ask:

One institution sent a message to all network users saying that "all requests to the internet which are encrypted will be decrypted and then re-encrypted at firewall level". So my questions are: is this possible?! And how?

Examples are given: Google, Facebook, LinkedIn, ... which use encrypted connections. Examples that stay out of this mechanism are also given: sites tagged in the "financial" category.

If the keys are only shared by my computer and the website, how can the requests be decrypted? The institution is big and has resources, but I cannot imagine the firewall breaking the keys at run time for all requests.

I see that there are companies selling "SSL Decryption and Inspection" services.

Can someone explain to me how this works, please?

dxvargas

2 Answers

There is a lot of information about this topic on the internet and on this site, so it does not make sense to repeat everything:

Steffen Ullrich

Your organization is most likely using a man-in-the-middle SSL cert. They have a program or proxy set up to authenticate your certificate as valid, then submit another certificate to the website on your behalf. This is common for companies that must rely on PCI or HIPAA compliance. Unfortunately, when this is done, your passwords are exposed by this type of security measure. I would think twice before checking your bank account balance or any sensitive type of website.

Laney Ross
  • Yes, that is what I understood by reading the links that @Steffen Ullrich gave before. It is always better to have the answer here rather than in the given links, so I will choose this as the right answer. – dxvargas Mar 26 '15 at 08:49
  • If there is a "man-in-the-middle SSL cert", how can the certificate have the original data? For Google, the shown certificate has this issuer: "CN = Google Internet Authority G2; O = Google Inc; C = US". I am talking about a legitimate institution, so I don't believe they are forging illegal certificates. Shouldn't the certificate that I receive be from my institution? Maybe I should post a new question, but nevertheless I guess it can also be here as a comment. – dxvargas Mar 26 '15 at 09:28
  • If or when this measure is implemented, I suppose the certificate will be different, right? – dxvargas Mar 26 '15 at 09:40
  • With most SSL intercepting devices the content of the certificate will not change. Instead the content (which is public) will be used to create a new certificate with a different public key, and this certificate will then be issued (i.e. signed) by the man-in-the-middle CA. This CA has to be explicitly added to the browser or the browser will complain about an unknown (and thus untrusted) CA. – Steffen Ullrich Mar 26 '15 at 14:55
  • @SteffenUllrich But then the browser would show that CA as the certificate authority (e.g. "issued by"), right? – Ajedi32 Mar 27 '15 at 18:46
  • It's important to note that the only reason they are able to do this is that they have full access to the computer you're using to access the internet. If you were to, say, connect your personal laptop to a public wifi network, the network operator would not be able to do what this institution is doing here. – Ajedi32 Mar 27 '15 at 18:48
  • @Ajedi32: Yes, if the user knows how to view certificate details then (s)he might notice the different issuer, although one could also add some more intermediate certificates to fool some users. And yes, the proxy CA needs to be trusted by the browser already, which is usually done in companies by central settings for computers owned by the company. – Steffen Ullrich Mar 27 '15 at 19:37
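The following is an added example, not code from either answer or from any product mentioned on the page. It shows the re-issuing step Steffen Ullrich describes in the comments and the trust-store dependency Laney Ross's answer relies on, using only the Go standard library: a stand-in public CA issues an origin certificate for a hypothetical host, a hypothetical corporate proxy CA then mints a look-alike certificate that copies the subject, SAN and validity verbatim but binds a fresh key, and the demo checks how each certificate validates with and without the proxy CA in the root pool. The host name and both CA names are assumptions for the demo.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"reflect"
	"time"
)

// hostname is an assumption for the demo; any name would do.
const hostname = "www.example.com"

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newCA creates a self-signed CA; used both for the stand-in public CA and
// for the hypothetical proxy CA that an organisation pushes to its browsers.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// sign generates a fresh key pair for tmpl and has ca sign the certificate.
func sign(tmpl, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)), key
}

func leafTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// forge is what an intercepting proxy does per connection: copy the public
// content of the origin certificate (DER subject, SANs, validity), bind a key
// the proxy controls, and sign the result with the proxy CA.
func forge(origin, proxyCA *x509.Certificate, proxyKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := leafTemplate(1001)
	t.RawSubject = origin.RawSubject
	t.DNSNames = origin.DNSNames
	t.NotBefore, t.NotAfter = origin.NotBefore, origin.NotAfter
	return sign(t, proxyCA, proxyKey)
}

// trusted reports whether leaf validates for hostname against the given roots,
// i.e. what a browser's chain check would conclude with that trust store.
func trusted(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err == nil
}

type Result struct {
	SameSubject, SameSANs, SameIssuer, SamePublicKey            bool
	OriginTrustedByDefault, ForgedTrustedByDefault, ForgedTrustedWithProxyCA bool
}

func RunDemo() Result {
	publicCA, publicCAKey := newCA("Example Public CA (stand-in)")
	proxyCA, proxyKey := newCA("Corp TLS Inspection CA (hypothetical)")

	t := leafTemplate(42)
	t.Subject = pkix.Name{CommonName: hostname, Organization: []string{"Example Inc"}}
	t.DNSNames = []string{hostname}
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	origin, _ := sign(t, publicCA, publicCAKey)

	forged, _ := forge(origin, proxyCA, proxyKey)

	return Result{
		SameSubject:              bytes.Equal(origin.RawSubject, forged.RawSubject),
		SameSANs:                 reflect.DeepEqual(origin.DNSNames, forged.DNSNames),
		SameIssuer:               bytes.Equal(origin.RawIssuer, forged.RawIssuer),
		SamePublicKey:            bytes.Equal(origin.RawSubjectPublicKeyInfo, forged.RawSubjectPublicKeyInfo),
		OriginTrustedByDefault:   trusted(origin, publicCA),
		ForgedTrustedByDefault:   trusted(forged, publicCA),
		ForgedTrustedWithProxyCA: trusted(forged, publicCA, proxyCA),
	}
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

Subject and SAN come out identical, so a user looking only at "issued to" sees the original site; the issuer and the public key are the only fields that give the interception away, and the forged certificate fails validation until the proxy CA is added to the root pool, which is why this only works on machines the organisation administers.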