[TriLUG] Semi-OT: Detecting HTTPS inspection? Does that compromise SSH?

Aaron Joyner aaron at joyner.ws
Mon Jun 2 20:04:22 EDT 2014 

I apologize in advance, I hope what I'm about to say doesn't cause undue
strife to those who by their tinfoil in bulk, on the off chance they
haven't considered it before.

Sure, your IT company could MITM you by installing an additional
certificate.  You could then inspect the list of certificates, look for
unexpected trusted CAs, and compare the usual trusted CAs against their
published fingerprints.  That leaves a pretty clean trail for you to
follow, and a pretty easy way to "undo" their handiwork (although
presumably you'd still be forcibly connected through an HTTPS proxy, it'd
just no longer be as "transparent").

Another option would be to run a daemon on your machine which watches
outgoing traffic for SSL negotiations, then grabs the SSL or TLS session's
symmetric key and ships that off to the transparent packet forwarder, which
can then use it to decrypt and inspect your session.  Such a daemon would
need to know a bit about each application it wanted to snarf the symmetric
key from, but it's not particularly challenging to cover a handful of apps
and get nearly universal coverage (eg. Firefox, Chrome, OpenVPN, etc.).  A
Corp IP policy which limits browser choice would help out a lot there.
 Naturally, this would just be an undocumented "feature" of one of the
backup, security-update, virus-scanning, or logging daemons you're
encouraged to run on your machine as part of the corporate IT policy.

Most people would consider that pretty far off into tin-foil-hat territory,
but if I wanted to monitor your SSL traffic, that's how I'd do it.

The more logical explanation for your IT department talking about "HTTPS
packet inspection" would be that they're just monitoring the bandwidth
associated with HTTPS traffic flows, and if it looks like a lot more bits
are flowing out than the bits that are flowing in, they might investigate
more thoroughly.  This would be a first-pass attempt against ensuring
you're not uploading the company's code base via HTTPS to github or similar
offsite "backup" for your personal use, or later sale to a competitor.

Assuming the latter, your online banking data is "safe".  Even assuming the
former, your online banking data is probably safe.  It's unlikely they're
going to start transferring your funds to their personal account, and it's
unlikely they mind that you're checking your bank balance or paying the
occasional bill at work (so long as you're not also underperforming at the
task they're paying you for).

Happy computing!
Aaron S. Joyner


On Mon, Jun 2, 2014 at 5:59 PM, Alan Porter <porter at trilug.org> wrote:

>
>  One solution to this is to pin certificates. Basically, your browser will
>> cache the certificate, or rather its fingerprint, and if that changes will
>> notify you
>>
>
> There is a plugin called "Certificate Patrol" that is supposed to do this.
>
> I installed this plugin at work right before Oracle acquired my company,
> thinking that it would tell me if Oracle IT was playing MITM.  However,
> all of the tests that I ran using my own domains and my own CA's were
> inconclusive... it never warned me when I changed my own certificates.
>
> Alan
>
>
>
> --
> This message was sent to: Aaron S. Joyner <aaron at joyner.ws>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that
> address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web  : http://www.trilug.org/mailman/
> options/trilug/aaron%40joyner.ws
> Welcome to TriLUG: http://trilug.org/welcome
>

More information about the TriLUG mailing list