0

My company has a 'bring your own device' policy. You connect your device to the WiFi, and then open a citrix environment through a web portal. Basically, everything inside the citrix env is company-software/email. Outside is your own software/mail/browser.

I know that anything I do online outside of the citrix environment still transfers over company WiFi with the possibility that it is inspected.

Very recently however, the connection to the internet outside the citrix environment ceased to work, I assume by design, since now I get a pop-up asking me to install a certificate that is clearly issued by the company. This should restore internet connection.

My questions:

Will this give them any additional ways to monitor my machine over the old situation?

Will they for example be able to inspect end-to-end encrypted messages?

Is it a good idea to accept this kind of a certificate given the fact that I am a contractor and work for multiple clients?

Additional point to consider: Some of our developments require work/testing outside of this citrix environment, due to shortcomings of the VM. Still, there is no need or possibility to connect to any company resource (network shares etc...) from outside the VM.

EDIT My question is specifically what kind of (additional) negative consequences this certificate will/might have, versus before, when we could access internet without any certificate installed. Therefor I think this question is different from Can my employer see what I do on the internet when I am connected to the company network?

EDIT Example: this happens when opening outlook. certificate pop-up

Jeremy
  • 103
  • 3
  • 4
    They are installing a certificate on your device to strip the encryption off of your HTTPS connections. Make sure you don't do anything personal (banking, shopping, medical, etc.) on that device. You'll probably want an entirely separate work device. You will probably want separate work devices for each client you BYOD to. – user Jan 02 '20 at 13:54
  • @user I assume that anything I do outside of the company network won't be vulnerable because of this certificate? What if I would install the certificate and use a VPN, would it help? – Jeremy Jan 02 '20 at 14:04
  • Depending on how you connect to that VPN and depending on how the application treats trusted root certificates they may be able to MITM the connection. They'll be able to block it pretty easily even if they can't compromise it. There are also potential issues outside of the company network, mainly some other entity compromising the company's private key and using it to MITM you, but the risks of that happening are pretty low. – user Jan 02 '20 at 14:09
  • I just want to be clear about one important distinction: sometimes a certificate is required as part of the authentication process to **connect** to the network. In that case the certificate is usually used just for authentication during the connection, and does not give the network admins the ability to spy on all traffic. However, it very much sounds like you are talking about a situation where you are already connected and they are requesting you to install a root certificate in your computer/browser's trust store. In that case everything @user is saying applies. – Conor Mancone Jan 02 '20 at 14:25
  • @ConorMancone, That link would have applied until last week's situation. In today's situation there is no internet if you don't install the certificate (my guess is: to authenticate with the proxy). My question is specifically what kind of negative consequences this certificate will/might have, versus before, where we could access internet without any certificate installed. – Jeremy Jan 02 '20 at 14:37
  • @Bjorn: could you please provide more details about the actual popup you get, i.e. either a screenshot or at least the complete and exact wording instead of your summary? Also, do you get this popup when connecting to the WiFi or when you try to access a website or when exactly? – Steffen Ullrich Jan 02 '20 at 14:39
  • If you have no internet at all without the certificate then it could be that they are simply trying to use the cert to authorize your access to the network, and not to MitM all of your connections. So I agree with @SteffenUllrich: without more details it is hard to say for sure what the certificate is being used for, and therefore the answer could be anything from, "You have nothing to worry about" to "You have everything to worry about". – Conor Mancone Jan 02 '20 at 14:48
  • @SteffenUllrich I have added a screenshot – Jeremy Jan 02 '20 at 14:54
  • That definitely looks like the "spy on everything you do online" kind of certificate. – Conor Mancone Jan 02 '20 at 15:03
  • 1
    I've marked it as a duplicate of a similar question where it gets clear that the company can now also access your encrypted HTTPS connections - and before that only the unencrypted (plain HTTP) connections. I hope that this is what you wanted to know. – Steffen Ullrich Jan 02 '20 at 15:16
  • Be very careful with email clients. If you allow that certificate to be used then they'll be able to read any emails that it downloads, which could put you at risk for legal issues if you're using that email for communicating with other companies. – user Jan 02 '20 at 15:26

1 Answers1

1

In your use-case, there are many missing variables such as: what are they enforcing today? if your machine is domain-joined, are you able to work remotely and whether that is permitted by the company. But in any case allow me to try and explain their side of things and than summarize the impact it may have on you:

Why they have requested you to install a certificate

Even in an BYOD model (or especially in BYOD model), the organization would need to validate that your machine is able to:

  • Access the internal services provided by the organization
  • Access to the VPN services from external locations

Assuming that they are publishing the internal "corporate" environment through Wi-Fi, it would be in their interest to validate that only authorized machines have access to the network. while user/password may work for authentication, it exposes them to brute-force attacks which are highly reduced while installing a non-exportable certificate.

Furthermore, some organizations that choose BYOD model still want to enforce some restrictions on machines (e.g. installation of an AV, machine compliance etc.) and if a machine is able to access the network without a certificate, there is no guarantee an employee will go, buy a new machine or have another machine from home that might be infected and connect it to the network with a user/password.

Also, in terms of MITM for internet browsing, as your machine may hold highly sensitive company data (as you noted not everything is made through citrix) they may want to validate no sensitive data is being sent using a Data Leak Prevention mechanism or validate no malware is downloaded to your machine.

Will this give them any additional ways to monitor my machine over the old situation?

Yes. In case you are surfing through the company proxy, they will be able to intercept HTTPS sessions and inspect them. The difference is that for you the session will still look "secure" (the lock icon in your chrome).

You are still able to know if they have intercepted your traffic or not by clicking on the lock and seeing the certificate chain this is the certificate chain

Will they for example be able to inspect end-to-end encrypted messages?

Depending you what you call "end-to-end" if you encrypt a file on your machine, and then send it away they will not be able to see the encrypted content. same applies to any GPG signed content or binaries.

Is it a good idea to accept this kind of a certificate given the fact that I am a contractor and work for multiple clients?

I'm not sure how many options you have, but I would argue it's not a big deal as long as you spend your time with that customer doing only what they are asking of you, and making sure you don't surf the internet through their proxy while not working on their projects.

My suggestion would be to ask for some elaboration on the reasoning for the request and what they are aiming to achieve. In all countries under the EU, several states in the US (CA in example) and other countries around the globe this could fall under your right for privacy and they need to elaborate what is the business need for you to install the certificate.

NaorP
  • 184
  • 3
  • I have added additional info and a screenshot. To comment on what you wrote: outside of the VM there is no need or possibility to access any company resource. We simply do some development there because vital software is lacking inside the VM (I know, I know). The machine is not domain joined, as it is my personal device set-up with my own domain – Jeremy Jan 02 '20 at 15:07
  • the issue is outlined in your statement: "We simply do some development there because vital software is lacking inside the VM". if you have their data outside of their VM it might the thing they are trying to govern. I also assume you are not their only contractor, so keep in mind that this activity might have been required due to another use-case and the security team decided to enforce that on everyone... – NaorP Jan 02 '20 at 15:58