Am I secure from network monitoring software if HTTPS is used?

I will be logging into my bank account and my personal email accounts at work. Its not banned at work, but I just don't want them to save/log a copy of whatever I do with these services. Especially my passwords.

If the service uses a HTTPS connection, will my company be able to track/save/log my passwords, that I use for these services? what about the contents of the pages?

Again, rules in my company don't ban usage of my personal email account or internet banking services, but I just don't want them to know any important information about these. It is okay if they knew that I am using those, but they shouldn't get access to my passwords.

Can I safely use them (knowing my company can't save any of that data) if HTTPS is used?

P.S. I am really not a network guy and I don't know much about how these things work. So please don't give any RTFM replies.

senthil

Posted 2010-02-01T06:53:15.890

Reputation:

Like already answered: the network is not the problem. Traces left by your browser (on the computer you're using) are far more likely. Some browsers have explicit settings to enable/disable saving encrypted pages in the offline cache. (Like in Firefox: http://kb.mozillazine.org/Browser.cache.disk_cache_ssl which defaults to false, which is safe.)

– Arjan – 2010-02-01T07:13:59.023

I am using "private browsing" mode in firefox. I hope that won't save stuff on my system. – None – 2010-02-01T07:33:17.030

No, it's much more likely that your company has monitoring software on your workstation that monitors and records what you do. – BBlake – 2010-02-01T15:31:49.597

Hey, thanks for all the answers! You've explained a lot of things. Now I understand what is possible and what my company could/couldn't be doing. Judging from what you people have explained, and my company's technical expertise, I can conclude that it is highly unlikely that they will get to know stuff sent over HTTPS. Thanks for all the help! :) I am not a member, so I couldn't upvote a lot of answers even though they deserve it. – None – 2010-02-02T06:53:47.810

Answers

Before answering: If a browser warns you a site is using poor encryption or supplying incorrect identity information, it's important to read the error, understand it, and think hard about whether you want to continue.

Short Answer: Yes, if you're using a trusted device

Long Answer:

If someone is monitoring your connection from another computer (somewhere between you and your bank) and you are using HTTPS, and they are using signed certificates with a suitably strong algorithm, then you are in the clear. (Unless they save the data for years and later read it after the algorithm is broken - but they'd likely be better off breaking into your house and stealing your stuff ;) ).

Chances are, if it's your bank, then they are using signed certificates with a suitably strong cipher. You can verify this by looking at the SSL information for the page, which should be displayed if you look at the page info, click on the Blue or Green name to the left in the address bar with Firefox 3.5, or click on the lock to the right in the address bar in IE8. Firefox will also display the encryption algorithm used if you select More Information after clicking on the coloured area.

If you don't trust the device you're using to connect (such as a computer that is not your own that could have been modified by others), then it's of greater concern. Now, your workplace is likely not going to do anything illegal like look at your banking information; but it is possible for SSL to be undermined if your system is compromised. It could be that your computer is configured to accept certificates signed by a proxy (inspection of the certificate or certificate pinning would thwart this). However, surveillance could be anywhere - a keylogger wouldn't even need to defeat SSL to capture your banking credentials, for instance. SSL makes it so you don't need to trust the connection between two trusted endpoints, but if the endpoint itself is untrusted, all bets are off.

Tyler Szabo

Posted 2010-02-01T06:53:15.890

Reputation: 521

okay. Take hotmail for example. If I select "use enhanced security" when logging in, it switches to a HTTPS connection. in Firefox, the address bar thing is green, and from what is displayed there, i think it is pretty secure. Taking this as an example, for practical purposes, it is perfectly okay to use websites with this kind of HTTPS connection, knowing that no one (atleast in the next couple of months) can decrypt the information. Am I correct? – None – 2010-02-01T08:07:00.650

I would think so. I'd be surprised if a network administrator were to gain access to your bank account using network traffic alone when you use HTTPS. With that said, there are other ways you could be vulnerable even when using a secure connection, and you should follow your bank's instructions on how to use their site - such as always logging out after finishing (as opposed to closing the window) and not browsing other sites while banking. Always use an up-to-date browser, and make sure the computer your using is trusted with anti-virus software. – Tyler Szabo – 2010-02-02T08:15:49.977

No, not neccessarily. Your company may send your connection through a proxy that acts as a man-in-the-middle. That is: All HTTPS traffic goes from your machine to the proxy, is decrypted there, analyzed, encrypted and sent to the server. Your machine will not use the security certificate from the server, but instead the proxy will generate one for the given website and send that to you, so you really have two HTTPS Connections: From you to the proxy and from the proxy to the server.

In other to make that happen, the company needs to have a certificate server to generate a certificate. Normally the browser would object here and complain that the certificate authority is not trusted, but of course that can be overridden through group policies and the like.

This is not necessarily foul play by the employer though, as this can be part of an anti-virus concept or due to legal reasons.

In your browser, look at the certificate. Especially, look at the certificate authority. If the certificate is issued by a "real" CA like Thawte, VeriSign etc., then that would mean that you're using the one from the server and you should be safe. However, if it is issued by something like "YourCompany-AV" or the like, then you have a man-in-the-middle proxy.

Michael Stum

Posted 2010-02-01T06:53:15.890

Reputation: 3 061

2I think may should be emphasised here. Normal proxies do not create certificates on the fly, and do not decrypt HTTPS traffic (but support the CONNECT method). – Arjan – 2010-02-01T14:32:01.217

1...but then again: the question asker is concerned, so maybe it's just as well to mention all possibilities. (And maybe there's more companies with such proxy than I could imagine? +1 after all!) – Arjan – 2010-02-01T15:01:32.023

True, normally Proxies just pass through HTTPS traffic as they can't do anything with it, and I do not know if HTTPS-Inspection is on the rise, but I've seen it happen so I just thought I point out the possibility. – Michael Stum – 2010-02-01T15:26:41.997

I don't know how common the practice is, but my employer does do this. AFAIK it's to make sure we're not sending proprietary data out of the network over SSL. – Dan is Fiddling by Firelight – 2010-02-01T16:14:18.923

Just wondering... what's the point of HTTPS, if someone in the middle (albeit my company) can see what's being sent! Damn!! :( – None – 2010-02-02T06:50:44.557

I shouldn't be worried because this kind of complex stuff is way above my company's capabilities. But thanks for pointing out that it is possible. – None – 2010-02-02T06:57:00.767

1@senthil The point of HTTPS is to encrypt traffic and to identify the participants. Anyone who controls the line can theoretically be a man in the middle (hence it is even called man-in-the-middle attack) but unlike unencrypted HTTP, this will not stay undetected. As said, check the certificate and who issued it. There is no way usually to fake a certificate (There was a bug in some Debian Linux versions that made it possible to fake certs, but that was so far an isolated incident). – Michael Stum – 2010-02-03T01:07:39.840

Also keep in mind that in a corporate network, the company controls not just one piece (the wire over which the data goes) but also your PC. Normally, your browser would go into Panic Mode (and I mean that literally, at least Chrome makes a very scary warning message: http://noahsmark.com/wp-content/uploads/2009/02/chrome-ssl-error.png), but as the company controls it they can just issue a policy to make the browser trust it's certificate server. But as said: Check the certificate and if it's internal, do your HTTPS business at home :)

– Michael Stum – 2010-02-03T01:09:42.563

Just wanted to add that there is a easy to use tool which helps to identify if the certificate you were served is genuine or not. It also cotians a quite in depth look at issue. https://www.grc.com/fingerprints.htm

– Dracs – 2013-04-22T01:56:54.253

Generally speaking, you are safe.Because the when you visit the website of bank through https connection, all data like user name and password are encrypted, it is hard to decrypt it in a very short time, unless they know the encryption algorithm very well. However, there's other attack such as key logger,man in the middle will work if they are knowledgeable.Always pay attention to the environment before you enter the sensitive information.

John

Posted 2010-02-01T06:53:15.890

Reputation: 201

man in the middle will work if they are knowledgeable -- with HTTPS? – Arjan – 2010-02-01T12:31:03.897

If you are using a company owned machine and have agreed to the companies policies there may be issues at hand that are specific to your company. Without knowing any further details I'd say you should be secure, but I have to balance that with a caveat. Technically it is possible, but if you lead a "normal" life there are plenty of things that you face every day that present a much more likely risk to your personal data than the scenario that you are asking about.

Some basic things to be aware of. The company could still be aware of which sites you are visiting and for how long. The data may be encrypted, but it still has to be routed so the address that the data is going from and to is exposed.

The advice in other answers about taking advantage of any security features of your browser is good. I'll add that you should take a moment to review your companies policies that relate to personal data on work machines.

Jason Aller

Posted 2010-02-01T06:53:15.890

Reputation: 2 254

Hi, as I mentioned, I am not worried about them knowing what sites I visit and for how long, as long as they don't know what I type in the text fields. And I am absolutely sure they don't have key loggers. – None – 2010-02-01T09:15:03.737

Banks generally use a 128 bit encryption, or higher. Check the properties of their SSL cert, or even ask one of their technical support to find out what it is. If it's under 128 I would suggest not using it. But if it is 128 or over, you should be fine. Unless someone on the network with Ettercap, Wireshark, Shijack and a massive chip on their shoulder has something against you. If you're that worried about it, however, then simply don't use net banking at work. Then again, what's to stop someone cracking your computer at home to get your banking information? You're probably safer at work. My managers could barely check my browser history - I'd like to see them crack a SHA1-RSA encryption provided by a SSL cert.

user26528

Posted 2010-02-01T06:53:15.890

Reputation: 272

ROFLOL.. I didn't stop laughing for 2 mins after I read your last line :D – None – 2010-02-01T11:36:05.007

Did you just chain a bunch of tangentally-related words together? – Bryan Boettcher – 2011-10-17T16:19:26.817

Effectively you are safe simply because generally network admins have better things to do. Technically, no, your data is not safe. You didn't say what field you were in, but call center work for example will have systems that are extremely monitored. Data encryption doesn't matter if keystrokes are being logged and the screen captured as a part of normal operation. If you are worried that admins may be inclined to look at your bank account information, then DO NOT use your work computer for banking.

DHayes

Posted 2010-02-01T06:53:15.890

Reputation: 2 103

-1

Companies often use proxies and firewalls for network analysis, but you can be sure that https traffic cannot be sniffed by any of them. That's the basic principle of https, to prevent a man-in-the-middle attack.

Fernando Carvajal

Posted 2010-02-01T06:53:15.890

Reputation: 101

Care to add some reference to back-up your comment so if they want to read more about it they can be certain? – fernando.reyes – 2017-05-31T16:41:00.413

“but you can be sure that https traffic cannot be sniffed by any of them.“ I can confirm this is false at many companies, in fact, many anti-virus security software also make this statement false, this is extremely and dangerously false – Ramhound – 2017-09-21T00:01:47.947

@Ramhound you are extremely wrong, it is obviously that your antivirus software can sniff your traffic because you have allow it previously, it's in your computer.

If your company owns your office PC, then it's obvious they can sniff your traffic, they can install ssl certificates in your computer, so your browser will trust them and whoever has the private key can watch your packets.

If you bring your personal computer to your office no one can sniff your traffic. your are extremely and dangerously wrong. – Fernando Carvajal – 2017-09-26T23:54:36.757

The author of this question isn’t using a BYOD.. It is clear based on the context of the question they are using a company computer. You never made the clarification of a BYOD in your answer. You said it was not possible, “but you can be sure that https traffic cannot be sniffed by any of them.“, which isn’t actually true. In the end it doesn’t matter who is right or wrong. – Ramhound – 2017-09-27T00:14:50.613

-2

It is possible to save packets and break rsa encryption later on, though since the Internet is based on packet switching it is unlikely that any attacker would have enough substance to reconstitute TCP packets.

Everything and anything is possible.

Recursion

Posted 2010-02-01T06:53:15.890

Reputation: 202

You can bruteforce even 1024-bit RSA for months with hundreds of computers (http://www.pcworld.com/article/id,132184-pg,1/article.html), and 2048-bit isn't so rare nowadays.

– whitequark – 2010-02-01T07:36:28.707

OK I dont care if its 399 millennia, its still possible. – Recursion – 2010-02-01T08:33:12.617

However, who will spend all this computing power to break a banking SSL connection, unless there is something very suspicious about this user ? As said before, if you're a normal worker, and you're not doing anything illegal already, you should not worry, unless your boss has very good reason to spy on you. He, it would be easier to hide half a dozen of web cams to spy on your keystrokes than it would be to decrypt your SSL traffic. – jfmessier – 2010-02-01T13:17:21.887

OK and again, the OP asked if it were possible, not if its probable. Keep down voting please. – Recursion – 2010-02-01T22:05:15.450

. nice of you to take time to answer :). I guess practicality was implied in my question. Why would I care if someone found out my bank account details 399,000 years after I am dead? :P – None – 2010-02-02T06:59:01.760