
Like, for instance, logging into my bank account, or knowing what information I submit via HTTPS?

I'm not sure what proxy server we have.

squillman
OscarRyz

2 Answers


Absolutely. Several enterprise-level proxies support re-encrypting the connections your browser makes using a corporate certification authority. Essentially the administration team can push out a certificate to your workstation via group policies, and add it to the list of trusted authorities. The proxy then has the private key corresponding to that certificate and generates a certificate for each hostname on the fly. Then when your browser connects the proxy uses HTTPS to connect to the destination, but then encrypts the actual tunnel to your browser using the aforementioned certificate and private key.

There are also open-source and free proxies capable of this interception (which is just an MITM attack made easy by the administrators having access to the trusted certificate list on each workstation).

Edit: You can detect this by inspecting who has signed the certificate for each HTTPS site, but the name can even match existing certificates so you'd have to compare the fingerprint to a known good one of each certificate authority.

Luke
  • +1 for accuracy. It IS possible. The Cymphonix network composer does this. http://www.cymphonix.com/ – Josh Brower Aug 27 '09 at 00:53
  • That's not a proxy, that's simply evil. – Evan Anderson Aug 27 '09 at 00:54
  • In many cases you need to do it for compliance purposes. I successfully fought against the practice with our security people, and only won because their argument was based on malware protection. – duffbeer703 Aug 27 '09 at 01:18
  • +1 for accuracy as well, although I still stand behind Evan... – squillman Aug 27 '09 at 01:32
  • Agreed, evil. I haven't seen any compliance-based circumstances requiring something like this, but I'm only familiar with SOX and PCI (thankfully). – Luke Aug 27 '09 at 01:33
  • Useful in high security environments, as the data in both directions can be monitored for security purposes. I'm aware of several systems that have such proxies. At the same places users go through some really tough security measures as well, both coming and going. Reality: Sysadmins are NOT the most paranoid people on the planet, despite the way we are perceived. – John Gardeniers Aug 27 '09 at 02:59
  • As SSL is a big gaping hole through the perimeter defense, bridging and inspecting the actual traffic through it is definitely a security matter imho ^^ Inspecting outbound SSL (content you serve) with this approach would be the more common case though. – Oskar Duveborn Aug 27 '09 at 06:11

Generally not (see my edit below). HTTPS is encrypted end-to-end, so your PC itself is doing encryption and decryption, as is the server computer on the other end. Everything that's on the wire is encrypted, so the proxy server computer is just seeing ciphertext flowing by.

Now, with that keylogger that the IT department installed on your PC... >smile<

Seriously, though, if someone else administers the machine you're using to access sensitive web sites they could have software or hardware installed on the PC itself to monitor you. I don't know how much you trust your employer, but I don't access sensitive web sites like banking from computers that are administered and/or owned by others.

Edit:

Gee, I wish I'd gone ahead and typed that paragraph that I was thinking about adding re: a proxy that does an automated man-in-the-middle attack, 'cuz I guess there really are shady products out there that can do that! Craziness.

Apparently there are devices that can execute automated man-in-the-middle attacks against SSL. They require a CA certificate to be installed on the "victim" client computer since the proxy will, by definition, be minting fake certificates for every HTTPS site it tries to intercept communication to.

I'll stand by my statement above: Don't access sensitive web sites from computers you don't administer / own. In the case of one of those evil "man-in-the-middle" proxy servers that Luke mentioned in his post, your personal computer wouldn't have the necessary certificate authority certificate loaded for the proxy server's CA, and thus you'd get a warning in your browser that the web site had a certificate issued from an unknown CA.

The thought of such a product gives me a bad taste in my mouth. The only utility I can see in such a device is spying on users.

Evan Anderson
  • And to add to Evan's point, because the proxy can't read it it therefore can't log it either. Don't get me wrong, you'll get log entries, but you will only get something like CONNECT remotesite.com 443. You won't even get full URL path information (at least from some proxies, not sure about all but I suspect so). This is because the HTTP headers are encrypted in the SSL ciphertext. – squillman Aug 27 '09 at 00:46
  • There are non-evil applications for this type of proxying: Network Security Monitoring (http://taosecurity.blogspot.com/2008/05/nsm-vs-encrypted-traffic-plus.html) – Josh Brower Aug 27 '09 at 01:22
  • I say bah to anything doing this as being non-evil. My +1 remains here. – squillman Aug 27 '09 at 01:32
  • Your +1 remains here? I think it's pretty evil to use an SSL-intercepting proxy too, but my answer was certainly more accurate. – Luke Aug 27 '09 at 01:33
  • @Luke: Yes, Evan edited so it's technically more accurate now than it was. I gave you a +1 as well... sheesh. – squillman Aug 27 '09 at 01:41
  • Sorry squillman, I wasn't griping about the votes per se - just about voting for the answers that are more pleasant as opposed to correct :-) My bad! – Luke Aug 27 '09 at 01:43
  • All good :) I'm a little huffy right now as my kids have destroyed their bedrooms...... – squillman Aug 27 '09 at 01:47
  • There's nothing pleasant about an automated man-in-the-middle attack, to me. – Evan Anderson Aug 27 '09 at 02:28
  • "Don't access sensitive web sites from computers you don't administer / own." If the computer is a domain computer, the certs can be pushed out silently via GPO without you knowing. Only tunnelling traffic to an external proxy will make you safe. – Ryaner Sep 24 '09 at 11:55
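Luke's edit (compare the fingerprint, not just the issuer name) and Evan's point about the unknown-CA warning, as an added Go example that is not code from either answer or from any product mentioned: it builds a genuine root and an intercepting-proxy CA with the identical name in memory (all certificates, the name "Example Trusted Root CA" and the host "bank.example" are constructed for the demo) and shows that only the pinned-fingerprint comparison tells them apart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert issues a certificate for cn signed by issuer; a nil issuer yields a self-signed CA (demo data only).
func newCert(cn string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if issuer == nil {
		issuer, issuerKey = tmpl, key // self-sign: the template is its own parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) } // SHA-256 of the DER bytes
// Inspect runs the two checks from the answer on a leaf and the root that signed it: nameKnown means the
// issuer name looks familiar; intercepted means the root is not the pinned one (or the chain is broken).
func Inspect(leaf, root *x509.Certificate, pinned map[string]string) (nameKnown, intercepted bool) {
	if leaf.CheckSignatureFrom(root) != nil {
		return false, true
	}
	want, nameKnown := pinned[root.Subject.CommonName]
	return nameKnown, want != Fingerprint(root)
}
// Demo pins a genuine root, then a proxy CA with the identical name: the name check passes, the fingerprint check catches it.
func Demo() (genuineIntercepted, proxyNameKnown, proxyIntercepted bool) {
	genuine, gKey := newCert("Example Trusted Root CA", true, nil, nil)
	pinned := map[string]string{genuine.Subject.CommonName: Fingerprint(genuine)} // the "known good" fingerprint
	realLeaf, _ := newCert("bank.example", false, genuine, gKey)
	_, genuineIntercepted = Inspect(realLeaf, genuine, pinned)
	proxy, pKey := newCert("Example Trusted Root CA", true, nil, nil) // same name, different key
	proxyLeaf, _ := newCert("bank.example", false, proxy, pKey)
	proxyNameKnown, proxyIntercepted = Inspect(proxyLeaf, proxy, pinned)
	return
}
func main() { fmt.Println(Demo()) } // false true true
```

Against a live site you would feed Inspect the leaf and root from the TLS handshake and a pinned fingerprint you recorded from an unmanaged machine; a root that is pushed by GPO, as the last comment describes, shows up here as a name that is known but a fingerprint that is not.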