
Ask HN: Options when corp IT installs their own root certs for https sniffing? - jimmysdown
I just discovered that our corporate IT dept. installed their own Trusted Root CAs via GPO over the weekend, so now all HTTPS traffic via our Windows PCs is sniffable by them.  I am not pleased with this - I really don't trust them to not poke around and view passwords, or keep my information safe.  And of course it completely breaks Firefox, unless I make exceptions and/or install their root cert within FF.  I will be using my own devices more for when I need real security.

So - is there any way to know what 3rd-party product is being used to do the monitoring, short of asking them?  Is there any way to know if the root certs are "secure"?  How soon should I start looking for a new job? :)
======
NetStrikeForce
Would it make a difference knowing the product behind the sniffing? Once your
traffic goes out in the clear and there are people with access to it, that's
game over.

You could encapsulate SSL in SSL, so the first SSL layer is decrypted by your
"colleagues" but the second one should just flow freely.

The problem here is that (A) SSL is defeated in your corporate network and (B)
other protocols are probably blocked, to force you to use the proxy to reach
the Internet, so you're stuck with SSL.

Disclaimer: We haven't tried these scenarios (defeat SSL sniffing on a
corporate network) because it's not the main use of our product and actually,
as long as it's legal and ethical you should follow your employer's rules, so
bypassing your company's security systems is not our business, nor do we
condone it.

But it's technically interesting.

We[1] do SSL tunnelling to create private networks; unfortunately we don't
offer Internet gateways so it's not exactly a VPN tunnel. You could, however,
install a proxy or a router inside your private network and use it to route
your traffic to the Internet through the private network.

[1] [https://wormhole.network](https://wormhole.network)

~~~
jimmysdown
> Would it make a difference knowing the product behind the sniffing?

My main concern is a Superfish-like situation where a user takes their laptop
outside the corp LAN and gets owned because the root cert is vulnerable.
Knowing the vendor of the whole system might be enlightening; I'm not sure.

~~~
NetStrikeForce
Fair point. Usually this cert will be generated internally, even by the device
itself, but it's a good point then to know who the vendor is, in case these
certs are "pre-generated" with the same private key for everyone or something
:)
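
A client-side check for both of the concerns above, added here as an example and not code from anyone in the thread: it lists the roots Group Policy pushed to this PC (flagging any whose private key sits in the store, the Superfish pattern), then shows which root terminates the chain a live HTTPS host presents. It assumes a Windows client with PowerShell 5.1 or later; $HostName is a placeholder.

```powershell
# Added example, not from the thread. Assumes a Windows client; $HostName is a placeholder.
param([string]$HostName = 'example.com')

# Roots deployed by Group Policy are mirrored under this policy key; each subkey
# name is the certificate's SHA-1 thumbprint.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$policyThumbprints = @()
if (Test-Path $policyKey) {
    $policyThumbprints = @((Get-ChildItem $policyKey).PSChildName)
}
Write-Host "Group Policy-deployed roots: $($policyThumbprints.Count)"

foreach ($cert in Get-ChildItem Cert:\LocalMachine\Root) {
    if ($policyThumbprints -contains $cert.Thumbprint) {
        # HasPrivateKey = True on a root sitting in an endpoint store is the Superfish
        # pattern: the signing key shipped with the cert, so anyone holding it can forge sites.
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotBefore     = $cert.NotBefore
            SigAlgorithm  = $cert.SignatureAlgorithm.FriendlyName
            HasPrivateKey = $cert.HasPrivateKey
        } | Format-List
    }
}

# See which root actually anchors a live connection. The callback accepts any
# certificate so the chain can be inspected even when Windows would reject it.
$tcp    = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl    = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($HostName)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($leaf)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    Write-Host "Leaf issuer : $($leaf.Issuer)"
    Write-Host "Chain root  : $($root.Subject) [$($root.Thumbprint)]"
    if ($policyThumbprints -contains $root.Thumbprint) {
        Write-Host 'Chain ends at a GPO-deployed root: this connection is being re-signed on the corporate side.'
    } else {
        Write-Host 'Root was not deployed by Group Policy (a public CA, or a root installed some other way).'
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

The subject name of the root that re-signs the connection is usually the quickest hint about which product is doing the interception.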

------
Someone1234
If you're using their metal then it is already game over. They could be
watching you right now utilising a dozen different remote admin/monitoring
tools. So if you really want personal privacy then use personal equipment.

They may have non-HTTPS sniffing reasons for installing an internal CA, and it
is highly recommended in an AD-connected environment. So while they may start
hijacking traffic, you might be jumping the gun.

I will say that to avoid hijacking you need a clean DNS server. If you have
local admin you could try and see if you can just change to 8.8.8.8/8.8.4.4,
but if they're competent they're likely blocking DNS going through the
firewall for exactly that reason.

I'd recommend you just bring in a personal laptop, buy one of those tiny
battery-operated mobile WiFi hotspots ("MiFi", a cellular-to-WiFi bridge), then
just access the internet for personal usage entirely off of their equipment
and network; it will cost less than $20/month with a pre-existing cellular
plan.

e.g. T-mobile Z915 + $10/month

------
code777777
If it's company equipment they're within their rights (usually in the US) to
do it.

What I've usually seen is that they're using something like a Palo Alto/Cisco
to do transparent/inline "blocking of bad stuff" like drive-by downloads, etc.
and tracking general Internet usage. They could have also done it with an
agent on each computer or whatever.

Many times the trigger is some troublesome employee or perhaps a malware
outbreak somewhere.

Insofar as circumventing it, the best thing to do is use your own equipment for
personal stuff. I have a VPN to my home office and use remote desktop (Windows
10 on both sides or ScreenConnect to my Mac) to keep things separate. No one
can see the traffic, it's minimal, and legit.

------
brudgers
Connect with the internet via your phone?

