Ask HN: Corporate monitoring?
3 points by pervasivemon 4064 days ago
It's probably not the first time this has come up. But it's the first time for me. My employer now uses a MITM attack to intercept https traffic bound for mail.google.com (and perhaps other domains as well). It strikes me as an astonishing breach of trust. I could see this coming when they pushed new "<company> internal CA" certs a few weeks ago. I understand the problems that my company is faced with, and I understand why they go to these lengths.

I've worked exclusively for Fortune 50 companies and they typically have a single-egress-via-http-proxy. These connections can be monitored but their corresponding https connections "cannot" be monitored.

I guess I'm not terribly bothered for my sake, I just won't access gmail at work anymore. It would be career suicide for me to publicize this or make noise about it. But I really think my less technical colleagues should be informed.

So is my Fortune 50 company just late to the game and this is what we have come to expect? Or are they pioneers and we should all assume that other companies will follow their lead?

[0] https://tools.ietf.org/html/rfc7258


I thought people already sold ready-made appliances for corporate SSL MITM.

I guess so. It's too bad.

Ehh. It's a corporate network (although they should announce that all traffic is monitored).
Should one also assume that corporate guest networks (such as the ones you might be asked to connect to when offering an on-site demo) are similarly MITM-compromised?

And by "assume", I mean to say, does anyone have knowledge that this occurs?

Yes, you probably should assume it is. The good news is that it's easily detectable. Your browser should refuse to connect to the proxy-spoofed gmail because it likely hasn't received the visited-corporation's local-spoofing-is-ok cert.

You might be encouraged by the local team -- "don't worry, just do this so you can access gmail again." It's too bad that this activity trains people to think updating your certificate store (based on directions given to you by some site in your web browser) is something that you should do to get past an error message.

> does anyone have knowledge that this occurs

If you have any doubts, click on the padlock icon using your browser. On Chrome, you can click "Connection" then "Certificate Information". It will display who the certificate was "Issued By" and "Issued To". Well-meaning eavesdropping corporations will likely confess their [or the device's manufacturer name] identity here.

There is a good article in the current 2600 paper issue describing the issue of corporate MITM and why simply looking at the certs for the current site might not be enough.
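The issuer check the two comments above describe (look at who issued the certificate for mail.google.com and treat anything other than the expected public CA as interception), as an added example that is not part of this thread. It uses only the Python standard library. The expected issuer organisation name and the two sample certificate dicts are assumptions constructed for the example; record the real issuer on a network you trust before relying on it.

```python
"""Flag a TLS-intercepting proxy by checking who issued the certificate a
server presents, the same check done by hand in the browser's padlock dialog.

Added example, not code from the thread. Standard library only. The expected
issuer names below are an assumption for the example, not authoritative data.
"""
import socket
import ssl
import sys

# ASSUMPTION: issuer organisation names you expect for each host. Capture
# these on an uninterceted network (e.g. at home) and compare at work.
EXPECTED_ISSUER_ORGS = {
    "mail.google.com": {"Google Trust Services LLC"},
}


def rdn_value(name, key):
    """Pull one attribute (e.g. 'organizationName') out of the nested RDN
    tuples that ssl.SSLSocket.getpeercert() returns for 'subject'/'issuer'."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def san_matches(host, sans):
    """Exact or single-label wildcard match of host against DNS SANs."""
    for san in sans:
        if san == host:
            return True
        if (san.startswith("*.") and host.count(".") == san.count(".")
                and host.endswith(san[1:])):
            return True
    return False


def classify(cert, host, expected_orgs):
    """Return (verdict, issuer). cert is a getpeercert()-style dict.

    Verdicts: 'name-mismatch'         cert is not even for this host
              'expected-issuer'       issuer org is one we recorded
              'possible-interception' valid-looking cert from another CA
    """
    issuer = cert.get("issuer", ())
    issuer_org = rdn_value(issuer, "organizationName")
    issuer_cn = rdn_value(issuer, "commonName")
    sans = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if not san_matches(host, sans):
        return "name-mismatch", issuer_org or issuer_cn
    if issuer_org in expected_orgs:
        return "expected-issuer", issuer_org
    return "possible-interception", issuer_org or issuer_cn


def fetch_peer_cert(host, port=443, timeout=5):
    """Live check: full TLS handshake with normal verification, then return
    the leaf cert as a dict. If the proxy's CA is NOT in the trust store
    (the guest-network case) this raises SSLCertVerificationError, which is
    itself the detection. If the CA was pushed to the trust store, the
    handshake succeeds and classify() has to catch it by issuer."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inputs in the shape getpeercert() returns (not real
# certificates); used so the classifier can be exercised offline.
GENUINE = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Google Trust Services LLC"),),
               (("commonName", "GTS Example CA"),)),
    "subjectAltName": (("DNS", "mail.google.com"),),
}
INTERCEPTED = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Internal CA"),)),
    "subjectAltName": (("DNS", "mail.google.com"),),
}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.google.com"
    try:
        cert = fetch_peer_cert(host)
    except ssl.SSLCertVerificationError as e:
        print(f"{host}: handshake failed ({e.verify_message}); "
              "likely interception by a CA this machine does not trust")
        sys.exit(2)
    verdict, issuer = classify(cert, host, EXPECTED_ISSUER_ORGS.get(host, set()))
    print(f"{host}: {verdict} (issuer: {issuer})")
```

Run it on the corporate and on a home network and diff the issuer. Note the limitation the last comment points at: this only inspects the leaf's issuer name, so a proxy that copies the expected issuer name into its forged chain would pass. Comparing the issuer's public-key fingerprint recorded off-network, or listing what was added to the machine's trust store, is the stronger check.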