1

If I'm using Skype, Facebook, or another type of communication at my work, can the network administrator see my Skype and Facebook conversations, although it's encrypted with SSL?

I found this text:

If your company is serious about security then it may have installed a more advanced proxy like Blue Coat's ProxySG. Such systems perform a Man-in-the-Middle attack by dynamically generating a fake certificate for the target server. This gives them access to the complete data, as if there was no SSL.

If I installed my own computer from scratch, is the method above still possible? Is there a way to protect myself from it?

Is there any way to see that my connection to my bank or Facebook is truly protected by SSL and that I'm using the correct certificate?

Newton
  • A corporate network where they have commercial IP protection software which monitors SSL traffic won't allow you to access the internet using a web browser which does not accept the attack and prevent you from fixing it. So there is no such 'full control' in this situation; you have to play by their terms and use a browser they have compromised to use their corporate internet proxy. Just having admin rights on the PC is nothing; if your PC is on their Active Directory typically they own you. Don't cheat your employer by surfing, else don't sign the employment contract which accepts this. – simbo1905 May 04 '14 at 08:28

2 Answers

0

If you have full control over your computer it should be easy to detect SSL interception, because the browser will complain about an unknown issuer if you access HTTPS sites. At least if the firewall administrators did not get an intermediate CA from a trusted CA (see https://lwn.net/Articles/480279/). And even these you will be able to spot if you use Google Chrome with certificate pinning and they did not make exceptions for interception for the google.com domains (see http://www.cso.com.au/article/533843/french_treasury_accidentally_signs_ssl_certificate_google_com_domains/). And, if you have a specific sensitive website you can look at the certificate fingerprint and trust path in the browser and compare it with the results you get from home.

Working around is harder, because usually these firewall rules are installed to protect the company from malware via SSL connections or from data leakage from internal users to external sites (cloud etc). So these rules are usually not primarily there to annoy users; blocking these sites would be much easier. So if the admin has properly set up the firewall there should be no way around by using VPN, proxies or whatever. Of course, mostly there is a way, but this depends on the specific firewall setup (or just use mobile network).

BTW, if Skype still works in this setup it is probably safe to use (if you trust Microsoft). Skype does not use SSL, but when tunneling over HTTP proxies it uses a protocol which looks similar enough to fool some deep inspection firewalls.

Steffen Ullrich
  • Thank you for your answer. Can you explain in more depth how I can make sure that my SSL-encryption is secured and not fake? Can I use the addon Perspectives in Firefox to make sure of this? – Newton Apr 07 '14 at 18:43
  • Yes, Perspectives is a good choice, but even looking at the identification of the site (click on site icon/lock in URL bar) and from there at the certificate helps, especially if you compare it to the certificate you get when browsing from home or mobile. – Steffen Ullrich Apr 07 '14 at 18:55
  • What kind of information should I look at after I clicked on the icon/lock in the URL bar? Thank you for your answer :) – Newton Apr 07 '14 at 18:57
  • View Certificate and there the Fingerprints and compare them to fingerprints from other connections. In Certificate Details you can also see the trust path. Just google for "firefox certificate fingerprint details" and you'll find enough images about this. – Steffen Ullrich Apr 07 '14 at 19:03
0

If your own company is an enemy then you have a problem. Or possibly you are the problem.

Normally, you connect your machine on the company's network based on a contractual agreement which makes you the employee, and defines your rights and duties. In particular, many companies do not allow employees to plug their own hardware on the company network; or when that is allowed, there are technical requirements, such as installing specific sysadmin software provided by the company itself. This is what occurs in most cases where BYOD is applied.

These technical and contractual agreements notably allow or disallow interception by network administrators. So your question really sounds like a request for specific advice in order to do something illegal. This is usually not well tolerated here.

However, I can still give a neutral and technical answer. SSL protects against malicious passive and active eavesdropping and data alteration, in particular Man-in-the-Middle interception (which is "just" double impersonation: the client talks to a fake server, the server talks to a fake client). This property is ensured based on root assumptions:

  • The server's certificate can be reliably validated by the client, relative to a set of root CAs, as known by the client, who are all honest.
  • The client's software is not maliciously modified.

If a third party wants to see what data is exchanged between your machine and some given external server, then one of these assumptions must not hold. In the case of Blue Coat's ProxySG product, that's the first one: as part of ProxySG's deployment, a new root CA, controlled by that ProxySG installation, is generated and must be installed in the client systems. If no such root CA was installed in your machine, then Blue Coat's ProxySG won't be able to enact its interception. At least not silently: your browser will warn about how every SSL-powered Web site seems to use a certificate from an unknown CA.

A noteworthy point is that if you are in the habit of "clicking through" browser warnings, i.e. instructing your browser to connect nonetheless, despite an invalid or unverifiable server certificate, then your security against MitM goes down the drain, by your own actions.

Another noteworthy point is that though SSL protects the data contents, external eavesdroppers can still work out what servers you are talking to, and make general guesses at the nature of the exchanges based on their timing and their size. When you connect to Facebook, your employer does not need to see the data contents to realize that you are slacking away instead of doing your job.

Finally, Skype does not use SSL but its own protocol, which may or may not be safe (protocol details are not really published, and not really clear either).

Tom Leek
  • Thank you for your answer. I have installed the computer that I use all by myself, so a Man-in-the-Middle can't be established, because the administrator must install things on my computer? Am I correct? I don't really care if the administrator can see which sites I visited, I just don't want them to see the conversations I have on Facebook or Skype, or another type of communication sites/software. So if I understand correctly, SSL protects the content, in this case, my conversations? The administrator can't see the content? – Newton Apr 07 '14 at 18:39
  • The point of SSL is to keep outsiders out, yes. – Tom Leek Apr 07 '14 at 18:43
  • So the network administrator can't see the content with Wireshark or other software? The only way the administrator can see the content is if he has made a Man-in-the-Middle? – Newton Apr 07 '14 at 18:45
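The two checks described in the answers above (does the chain validate against the local trust store, and do the fingerprint and issuer match what you see from home) can be scripted. This is an added example, not code from either answerer; the `HOME` and `WORK` records and the CA names in them are constructed sample values.

```python
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def _handshake(host, port, ctx, timeout):
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

def observe(host, port=443, timeout=5.0):
    """Record the certificate this network presents for host."""
    try:
        der, info = _handshake(host, port, ssl.create_default_context(), timeout)
        issuer = dict(rdn[0] for rdn in info["issuer"])
        return {"fingerprint": fingerprint(der), "trusted": True,
                "issuer": issuer.get("organizationName") or issuer.get("commonName")}
    except ssl.SSLCertVerificationError:
        # Validation failed (the browser-warning case). Reconnect without
        # validation only to record the certificate; no data is sent.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        der, _ = _handshake(host, port, ctx, timeout)
        return {"fingerprint": fingerprint(der), "trusted": False, "issuer": None}

def assess(observed, reference):
    """Compare an observation with one recorded on a network you trust."""
    findings = []
    if not observed["trusted"]:
        findings.append("chain does not validate against the local trust store")
    if observed["issuer"] and observed["issuer"] != reference["issuer"]:
        findings.append(f"issuer changed: {reference['issuer']!r} -> {observed['issuer']!r}")
    if observed["fingerprint"] != reference["fingerprint"]:
        findings.append("leaf fingerprint differs from the reference")
    return findings

# Constructed sample records (stand-in bytes, not real certificates or CAs).
HOME = {"fingerprint": fingerprint(b"constructed-der-seen-from-home"),
        "issuer": "Example Public CA", "trusted": True}
WORK = {"fingerprint": fingerprint(b"constructed-der-seen-at-work"),
        "issuer": "Example Corp Inspection CA", "trusted": True}

if __name__ == "__main__":
    print(assess(WORK, HOME))
    # Real use: save observe("your-bank.example") at home, compare at work.
```

A fingerprint difference on its own can also come from routine certificate renewal or from a site serving different certificates from different front ends; a changed issuer or a chain that no longer validates is the stronger signal.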