Corporate firewalls as man-in-middle to decrypt SSL traffic

[BoneKracker]

Corporate firewalls are beginning to systematically use what is in fact a man-in-the-middle attack to decrypt inbound and outbound SSL-encrypted traffic.

[ratmonkey]

Mixed feeling on this. On one hand if my employer did this and warned everyone it was coming, I wouldn't worry much about it since I don't use my work account for anything but business. On the other hand, If the technology exists, how long till my ISP is doing the same thing on my personal connection?

[Boris27]

I don't like it. However, until we all start using SSL observatory (which a corporation might ban), we can't find these attacks.

The stupid thing is, a programmer who wants to sneak code out of the company would probably not even use SSL. You could set up an SSH host and note down its host fingerprint. Or he could just encrypt the contents (winzip even allows you to do that) and send that file via SSL. So it probably will not even work.
_________________
we are microsoft, lower your firewalls and surrender your pc's. we will add your biological and technological distinctiveness to our own. your culture will adapt and service us. resistance is futile.

[Dr.Willy]

[erm67]

I had some experience with such a corporate firewall doing man-in-the-middle, but it easy to notice that your ssl connection was intercepted just reading the certificate .....
It is possible to go through using a cipher not supported by the firewall but the connection shows up in the logs and the admin can also block all non supported cryptography, basically that is what happened when all people in our office started using them
It is easy to fool such a firewall if not configured to let through only connections that can be intercepted. Of course, if you have the possibility, an ssh connection to an external host can be the best method to pierce it. Only problem is the traffic generated browsing internet over it, the admin started questioning how could we make all that ssh traffic doing normal sysadm activity ....
_________________
Truck!!
A posse ad esse non valet consequentia
Πάντα ῥεῖ

[pjp]

PGP.

With keystroke logging on corporate laptops, you can't truly hide what you're sending out. But for personal stuff, PGP.

Of course, then they'll know you're a terrorist, etc.
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008

[wswartzendruber]

Hold on a sec. How do you just decrypt SSL?

[BoneKracker]

[wswartzendruber]

Public keys are used to decrypt traffic? That's done for signing, not encryption.

[erm67]

[BonezTheGoon]

The reason this is becoming common-place is due to several malware exploits that communicate outbound through SSL and so intrusion detection systems have a hard time identifying the threat.
_________________

[BoneKracker]

I prefer network steganography for my dirty work. Nobody stops my oversized, payload-bearing icmp packets (or even know that they can have a payload).
_________________
Oldthinkers unbellyfeel INGSOC.
-- Headline of a document on Winston Smith's terminal in his cubicle at the Ministry of Truth, seen briefly in the background in one scene of the movie rendition of Nineteen Eighty-Four.

[BonezTheGoon]

I'm sure that you are correct for the hugely vast majority, but I assure you that your statement of "nobody" is wholly incorrect.
_________________

[wswartzendruber]

[Crooksey]