0

My employer recently changed their WiFi network set up, and they now require accepting a certificate in order to connect.

Is there any way that I can check if they are performing a MITM attack to spy on the employees?

I would expect that I should be able to see which CA was used to establish a connection in my browser, but I'm not sure how to do this. If I see my employer's certificate, can I assume that they are able to see my unencrypted traffic, and if I see a different certificate, then it's not?

I also am loosely familiar with Wireshark, but I'm not sure if that's necessary.

Is there any way to make a determination or is completely unknowable?

TechnoSam
  • 119
  • 1
  • 2
    Does this answer your question? [Can I detect a MITM attack?](https://security.stackexchange.com/questions/12066/can-i-detect-a-mitm-attack) – user Jan 04 '21 at 15:55
  • @user Possibly. I like the idea of those browser plugins suggested by the top answer, but they both seem to be gone now. And it's still not clear to me if it would help in my current situation. I don't know what the CA would show up as. – TechnoSam Jan 04 '21 at 16:13
  • @TechnoSam you would still know what CA should show up. – yeah_well Jan 04 '21 at 16:26
  • " they now require accepting a certificate in order to connect." A certificate for you to download and install in the cert root store on your device or do you mean you get a warning in the browser where you would need to accept to be able to proceed ? "I would expect that I should be able to see which CA was used to establish a connection in my browser" The Root CA is not used to establish the connection per say, it validates the certificate presented by the endpoint, e.g. web server you are connecting to (to detect MITM attacks). – cyzczy Jan 04 '21 at 16:28
  • @TechnoSam I'd need to test it with my own MITM, but I would assume you could just check the certificate chain and see if the top level certificate was from your organization (though you may need to check certificate fingerprints against known-good fingerprints if your organization went through the effort of replacing all the standard root certificates with theirs). – user Jan 04 '21 at 16:49
  • 2
    Are you mixing up accepting a WPA Enterprise certificate with accepting a root CA? – Joseph Sible-Reinstate Monica Jan 04 '21 at 17:20
  • @cyzczy I didn't have to download or install anything, I just had accept a certificate after I connected to the network and entered my credentials. Nothing obvious changed in my browser. – TechnoSam Jan 04 '21 at 18:38
  • @JosephSible-ReinstateMonica That's possible. How could I check? – TechnoSam Jan 04 '21 at 18:39
  • 3
    Note that some WIFI routers use certificates for validation when you connect to the router itself, which is perfectly okay and safe, and does not give the employer a way to MitM your connection. The issue is when you have to install a trusted certificate in your computers/browsers root certificate store. That is when you have to worry about them sniffing your traffic. Based on your comments, I suspect you are dealing with the former (although it's hard to say for sure from here) – Conor Mancone Jan 04 '21 at 18:44
  • Relevant: https://security.stackexchange.com/q/122846/90657 – multithr3at3d Jan 06 '21 at 22:43

2 Answers2

4

I would expect that I should be able to see which CA was used to establish a connection in my browser, but I'm not sure how to do this.

It varies by browser, but in Chrome, for example, you would click on the padlock on the left hand side of the address bar:

Chrome address bar with padlock

Then click on the line where it says "Certificate":

Chrome security pulldown

After you click "Certificate", a new window will pop up. Click on the tab named "Certification Path" and look at the root certificate (the top certificate in the list). If that is the one your employer provided, then they are MITM this connection to this web site.

Certification Path

If I see my employer's certificate, can I assume that they are able to see my unencrypted traffic, and if I see a different certificate, then it's not?

Correct, that's how you can tell.

Is there any way to make a determination or is completely unknowable?

It's absolutely knowable. It would be labor intensive to try and do for every web site, but frankly, once you find your employer MITM one web site, you can assume they're doing a lot of web sites. Many employers exclude health and financial web sites from monitoring, for what that's worth.

gowenfawr
  • 72,355
  • 17
  • 162
  • 199
1

First of all, let's have a look at how a Man-in-the-Middle attack works.

Instead of Alice connecting directly to Bob, Alice instead connects with Eve (who claims to be Bob) and Eve connects with Bob while pretending to be Alice.

This means that MitM attacks are active attacks, and not passive ones. An attacker cannot simply copy traffic passively and decrypt it there - they need to actively interfere with the connection.

About your Employer's Case

Here, "interfering" with the connection is basically equivalent with "providing" the connection. As such, when you use your employer's network, you can assume that your connection goes through a proxy, who will do some sort of inspection of the traffic and possibly block certain domains.

As for TLS interception, in order to do that, an employer needs a root certificate that your machine considers trustworthy, and act as a TLS proxy for the network. The easiest way to see if this was done is to check the certificate chain of a website you visit and compare that with the certificate chain from a connection you trust to not be intercepted.

On an intercepted connection, the root certificate will be the one your employer installed, whereas on the unintercepted connection, the root certificate will be a public CA.

What can you do about this?

Nothing. Plain and simple - nothing. You could delete the root certificate from your computer's trust store, but that will just result in error messages from your browser. If you choose to ignore the error messages and still proceed, your connection will be intercepted just like before - with the added downside that others can now also intercept your traffic and you wouldn't be able to tell.

So if you want to use the web without your employer knowing what you do, use a private device with a dedicated connection (e.g. your phone and mobile data) - do not connect this to any corporate device, I guarantee you that a slap on the wrist from the IT department is the best outcome in all of this.