Decrypting and Re-encrypting Network Traffic
Decrypting and re-encrypting network traffic is becoming more and more popular. I think it's an appalling violation of both trust and privacy, but corporations seem to feel justified to "protect their network" (it's not necessary to explain the logic to me, I get it ... I'm just more about individual rights). Or maybe they're just doing it to mine your data, depending on the context. There seem to be two circumstances (this is just about web traffic): - a private computer on a shared network, ex. you take your personal computer to a coffeeshop - a company computer on a company network, ex. you sit down at your work computer I think I understand the latter: with a company computer on a company network, all that's necessary is to push a trusted certificate and all future communications will be done with that newly trusted cert and, well, you're hosed. Everything you send is examined and re-encrypted with the receiving site's certificate at the company firewall. Can this be detected? Can this be prevented? It seems that some shared networks (ie. the coffeeshop in the above examples) manage to do this to people: is this only possible if they convince you to install something, and presumably that install package includes a certificate? Or is there another way? -- Giles https://www.gilesorr.com/ gilesorr@gmail.com
On 2019-09-10 05:09 PM, Giles Orr via talk wrote:
Decrypting and re-encrypting network traffic is becoming more and more popular. I think it's an appalling violation of both trust and privacy, but corporations seem to feel justified to "protect their network" (it's not necessary to explain the logic to me, I get it ... I'm just more about individual rights). Or maybe they're just doing it to mine your data, depending on the context.
There seem to be two circumstances (this is just about web traffic): - a private computer on a shared network, ex. you take your personal computer to a coffeeshop - a company computer on a company network, ex. you sit down at your work computer
I think I understand the latter: with a company computer on a company network, all that's necessary is to push a trusted certificate and all future communications will be done with that newly trusted cert and, well, you're hosed. Everything you send is examined and re-encrypted with the receiving site's certificate at the company firewall. Can this be detected? Can this be prevented?
It seems that some shared networks (ie. the coffeeshop in the above examples) manage to do this to people: is this only possible if they convince you to install something, and presumably that install package includes a certificate? Or is there another way?
I'm not sure where you're going with this. For example the coffee shop, it's long been recommended people use a VPN to prevent eavesdropping and hacking. Is this what you're referring to? Why is that a problem? I've never heard of a coffee shop forcing you to install something. I have, however, come across some restaurants, where you have to register and then get hit with ads etc. I won't use those ones. As for company equipment on a company network, well that's entirely the company's business.
On Tue, 10 Sep 2019 at 17:28, James Knott via talk <talk@gtalug.org> wrote:
On 2019-09-10 05:09 PM, Giles Orr via talk wrote:
Decrypting and re-encrypting network traffic is becoming more and more popular. I think it's an appalling violation of both trust and privacy, but corporations seem to feel justified to "protect their network" (it's not necessary to explain the logic to me, I get it ... I'm just more about individual rights). Or maybe they're just doing it to mine your data, depending on the context.
There seem to be two circumstances (this is just about web traffic): - a private computer on a shared network, ex. you take your personal computer to a coffeeshop - a company computer on a company network, ex. you sit down at your work computer
I think I understand the latter: with a company computer on a company network, all that's necessary is to push a trusted certificate and all future communications will be done with that newly trusted cert and, well, you're hosed. Everything you send is examined and re-encrypted with the receiving site's certificate at the company firewall. Can this be detected? Can this be prevented?
It seems that some shared networks (ie. the coffeeshop in the above examples) manage to do this to people: is this only possible if they convince you to install something, and presumably that install package includes a certificate? Or is there another way?
I'm not sure where you're going with this. For example the coffee shop,
"Where I'm going" is to attempt to defend against what I perceive as a violation of my privacy.
it's long been recommended people use a VPN to prevent eavesdropping and hacking. Is this what you're referring to? Why is that a problem?
Well, because we shouldn't have to do it (although I understand that's a lost cause). But yes, this is one solution. I've never heard of a coffee shop forcing you to install something. I
have, however, come across some restaurants, where you have to register and then get hit with ads etc. I won't use those ones. As for company equipment on a company network, well that's entirely the company's business.
And, I would say, all the employee's business as well. Particularly if the employer hasn't made it explicitly clear that they're doing such a thing. -- Giles https://www.gilesorr.com/ gilesorr@gmail.com
On 2019-09-10 06:33 PM, Giles Orr via talk wrote:
I'm not sure where you're going with this. For example the coffee shop,
"Where I'm going" is to attempt to defend against what I perceive as a violation of my privacy.
Something appears to be lost in translation. If I use a VPN, it's my choice and my VPN back to my home network. How is that an invasion of privacy?
On 2019-09-10 06:33 PM, Giles Orr via talk wrote:
And, I would say, all the employee's business as well. Particularly if the employer hasn't made it explicitly clear that they're doing such a thing.
Perhaps I'm missing something, but how is using encryption an invasion of privacy? What is it you think they're doing???
On Tue, Sep 10, 2019 at 5:09 PM Giles Orr via talk <talk@gtalug.org> wrote:
Decrypting and re-encrypting network traffic is becoming more and more popular. I think it's an appalling violation of both trust and privacy, but corporations seem to feel justified to "protect their network" (it's not necessary to explain the logic to me, I get it ... I'm just more about individual rights). Or maybe they're just doing it to mine your data, depending on the context.
There seem to be two circumstances (this is just about web traffic): - a private computer on a shared network, ex. you take your personal computer to a coffeeshop - a company computer on a company network, ex. you sit down at your work computer
I think I understand the latter: with a company computer on a company network, all that's necessary is to push a trusted certificate and all future communications will be done with that newly trusted cert and, well, you're hosed. Everything you send is examined and re-encrypted with the receiving site's certificate at the company firewall. Can this be detected? Can this be prevented?
It seems that some shared networks (ie. the coffeeshop in the above examples) manage to do this to people: is this only possible if they convince you to install something, and presumably that install package includes a certificate? Or is there another way?
Hi Giles, I think I understand your concerns. First, some context of what is typically required to eavesdrop on your PKI-negotiated and encrypted traffic: A TLS/SSL Man In The Middle (MITM) requires your browser to negotiate TLS with the MITM, and the MITM goes out onto the Internet to (separately) negotiate TLS with the site you are trying to connect to. However, this means that the MITM needs to provide you a public certificate for which it is in possession of the private key. Presumably this is not a certificate whose authenticity can be traced to a top-level Certificate Authority (CA) that your browser trusts. That should be your detection method. Otherwise, if you're dealing with a large, corporate MITM (cough, Zscaler, cough), they might be generating / issuing MITM certs on the fly from their issuing CA cert which may actually trace to a top-level public CA. Your detection method in this case would be to compare the certificate and issuers with those you see when connecting *outside* your suspect network. Not convenient, of course. The SSH case is generally simpler, because only a select few masochists^H^H^H^H^H^H devotees have fully invested in X.509v3 certificate-based SSH. An MITM would similarly need to present a key pair of its own in order to negotiate with you, and then to your remote on your behalf. Your detection method here is that the key presented by what appears to be your server isn't the same one that is in your known_hosts file. Cheers, Mike
| From: Mike via talk <talk@gtalug.org> | A TLS/SSL Man In The Middle (MITM) requires your browser to negotiate | TLS with the MITM, and the MITM goes out onto the Internet to | (separately) negotiate TLS with the site you are trying to connect to. Right. Your browser must be fooled into thinking that the MITM is the site you are trying to commect to. Lets call the site your are trying to get to "goal.ca". The DNS must provide the browser with the MTM's IP address when resolving "goal.ca" OR the MTM must intercept all traffic for the real goal.ca. I'd guess that interception is more likely to be successful. | However, this means that the MITM needs to provide you a public | certificate for which it is in possession of the private key. And that cert must claim to be for goal.ca. | Presumably this is not a certificate whose authenticity can be traced | to a top-level Certificate Authority (CA) that your browser trusts. Right. Any CA that would issue a cert for goal.ca to someone not associated with goal.ca would find their root certs kicked out of every browser (it has happened). | That should be your detection method. In other words, such a cert could not be validated. (Validation happens through a chain of certificates terminating in a root (self-signed) cert already known to the browser (seeded by the browser vendor or previously added by the user). | Otherwise, if you're dealing | with a large, corporate MITM (cough, Zscaler, cough), they might be | generating / issuing MITM certs on the fly from their issuing CA cert | which may actually trace to a top-level public CA. Wait: is that possible? Why are those CAs not expelled by the browser "vendors"? I must have misunderstood something. In <https://en.wikipedia.org/wiki/Zscaler#SSL_traffic_considerations> "... and assuming that the user has pre-installed a company root cert ..." DON'T DO THAT. At least not unless you understand the consequences. PS: even when successfully using end-to-end TLS, traffic analysis gives away a lot of the game. A VPN would reduce but not eliminate that leakage. Few of us realize how effective traffic analysis can be.
Offered as a point of information... I believe the Saudi government uses these technologies to keep their web halal... https://www.sandvine.com/government-customers On Wed, 11 Sep 2019 at 11:44, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
| From: Mike via talk <talk@gtalug.org>
| A TLS/SSL Man In The Middle (MITM) requires your browser to negotiate | TLS with the MITM, and the MITM goes out onto the Internet to | (separately) negotiate TLS with the site you are trying to connect to.
Right.
Your browser must be fooled into thinking that the MITM is the site you are trying to commect to.
Lets call the site your are trying to get to "goal.ca".
The DNS must provide the browser with the MTM's IP address when resolving "goal.ca" OR the MTM must intercept all traffic for the real goal.ca. I'd guess that interception is more likely to be successful.
| However, this means that the MITM needs to provide you a public | certificate for which it is in possession of the private key.
And that cert must claim to be for goal.ca.
| Presumably this is not a certificate whose authenticity can be traced | to a top-level Certificate Authority (CA) that your browser trusts.
Right. Any CA that would issue a cert for goal.ca to someone not associated with goal.ca would find their root certs kicked out of every browser (it has happened).
| That should be your detection method.
In other words, such a cert could not be validated. (Validation happens through a chain of certificates terminating in a root (self-signed) cert already known to the browser (seeded by the browser vendor or previously added by the user).
| Otherwise, if you're dealing | with a large, corporate MITM (cough, Zscaler, cough), they might be | generating / issuing MITM certs on the fly from their issuing CA cert | which may actually trace to a top-level public CA.
Wait: is that possible? Why are those CAs not expelled by the browser "vendors"?
I must have misunderstood something.
In <https://en.wikipedia.org/wiki/Zscaler#SSL_traffic_considerations>
"... and assuming that the user has pre-installed a company root cert ..."
DON'T DO THAT. At least not unless you understand the consequences.
PS: even when successfully using end-to-end TLS, traffic analysis gives away a lot of the game. A VPN would reduce but not eliminate that leakage. Few of us realize how effective traffic analysis can be. --- Post to this mailing list talk@gtalug.org Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
-- William Porquet, M.A. ‡ mailto:william@2038.org ‡ http://www.2038.org/ "It is only with the heart one can see clearly; what is essential is invisible to the eye." - (The Fox) "The Little Prince"
My company is doing this "man in the middle" thing. As long as they don't encrypt my paycheck, I'm fine with it. Just don't do personal banking at work. They'll know all your passwords. Sent from Yahoo Mail on Android On Tue, Sep 10, 2019 at 5:09 PM, Giles Orr via talk<talk@gtalug.org> wrote: Decrypting and re-encrypting network traffic is becoming more and more popular. I think it's an appalling violation of both trust and privacy, but corporations seem to feel justified to "protect their network" (it's not necessary to explain the logic to me, I get it ... I'm just more about individual rights). Or maybe they're just doing it to mine your data, depending on the context. There seem to be two circumstances (this is just about web traffic):- a private computer on a shared network, ex. you take your personal computer to a coffeeshop- a company computer on a company network, ex. you sit down at your work computer I think I understand the latter: with a company computer on a company network, all that's necessary is to push a trusted certificate and all future communications will be done with that newly trusted cert and, well, you're hosed. Everything you send is examined and re-encrypted with the receiving site's certificate at the company firewall. Can this be detected? Can this be prevented? It seems that some shared networks (ie. the coffeeshop in the above examples) manage to do this to people: is this only possible if they convince you to install something, and presumably that install package includes a certificate? Or is there another way? -- Giles https://www.gilesorr.com/ gilesorr@gmail.com--- Post to this mailing list talk@gtalug.org Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
participants (6)
-
D. Hugh Redelmeier -
Giles Orr -
James Knott -
Mike -
porquet@gmail.com -
William Park