1

Until about a year ago, I was working for one of the big tech giants. During my time there, I noticed that the IT department would do a MITM attack on any website that employees access. i.e. if you opened GMail and Facebook, and you'd click the lock button on Chrome, you'd see that the certificate is a custom certificate rather than GMail's or Facebook's certificates. They would install these certificates on all company laptops, so effectively they had the ability to read and modify any website you'd access.

So far, pretty standard Big Brother stuff, right? I'd imagine that many big corporates in the US do the same.

I mentioned this to a colleague at lunch, and he said there's no way they would MITM any banking or other financial activity, because that would be illegal. After lunch, I tried to access the bank I use for my personal account, Bank HaPoalim, and indeed he was right. The certificate was Bank HaPoalim's, so my communication with them was secure.

This leads me to believe that big corporates have a list of "banks we're not allowed to MITM". I don't know whether they all share the same list, or each have their own. They might have the same for health-related information.

Now I have a client who runs a site that handles finanical information. They want to get in that list, so their customers would be able to access them without their employers sniffing their traffic.

My question is: Where is that list? How does one request to be added to it?

Ram Rachum
  • 1,998
  • 2
  • 19
  • 20
  • 1
    There is no security question here. What you want is a list of sites which are not allowed to MITM for __legal__ reasons. What is legal depends on where you live. – Steffen Ullrich Jan 08 '20 at 09:53
  • 2
    There is no such list – Conor Mancone Jan 08 '20 at 09:53
  • I think your first assumption is wrong as I did the same here https://security.stackexchange.com/questions/216254/company-cas-what-are-the-privacy-risks-for-the-employees and the answer was here https://security.stackexchange.com/questions/129717/how-do-i-know-if-my-company-or-my-isp-is-using-a-tls-proxy – Deunis Jan 08 '20 at 09:53
  • 2
    There is a long chain of assumptions here and you haven't challenged them. Illegal to break TLS on banking sites? Your company did not break TLS for this one site because it was illegal? Your company used a list curated by some central authority? A list exists? Such a list is managed so that it is possible to get on such a list? – schroeder Jan 08 '20 at 10:55

0 Answers0