Ask HN: Options when corp IT installs their own root certs for https sniffing?
8 points by jimmysdown on Feb 8, 2016 | 8 comments
I just discovered that our corporate IT dept. installed their own Trusted Root CAs via GPO over the weekend, so now all HTTPS traffic via our Windows PCs is sniffable by them. I am not pleased with this - I really don't trust them to not poke around and view passwords, or keep my information safe. And of course it completely breaks Firefox, unless I make exceptions and/or install their root cert within FF. I will be using my own devices more for when I need real security.

So - is there any way to know what 3rd-party product is being used to do the monitoring, short of asking them? Is there any way to know if the root certs are "secure"? How soon should I start looking for a new job? :)

Would it make a difference knowing the product behind the sniffing? Once your traffic goes in the clear and there are people with access to it, that's game over.

You could encapsulate SSL in SSL, so the first SSL layer is decrypted by your "colleagues" but the second one should just flow freely.

The problem here is that (A) SSL is defeated in your corporate network and (B) other protocols are probably blocked, to force you to use the proxy to reach the Internet, so you're stuck with SSL.

Disclaimer: We haven't tried these scenarios (defeating SSL sniffing on a corporate network) because it's not the main use of our product, and actually, as long as it's legal and ethical you should follow your employer's rules, so bypassing your company's security systems is not our business, nor do we condone it.

But it's technically interesting.

We[1] do SSL tunnelling to create private networks; unfortunately we don't offer Internet gateways, so it's not exactly a VPN tunnel. You could, however, install a proxy or a router inside your private network and use it to route your traffic to the Internet through the private network.

[1] https://wormhole.network

>Would it make a difference knowing the product behind the sniffing?

My main concern is a Superfish-like situation where a user takes their laptop outside the corp LAN and gets owned because the root cert is vulnerable. Knowing the vendor of the whole system might be enlightening; I'm not sure.

Fair point. Usually this cert will be generated internally, even by the device itself, but it's a good point then to know who the vendor is, in case these certs are "pre-generated" with the same private key for everyone or something :)
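The two worries raised above, a root cert whose private key ships on the endpoint (the Superfish case) and simply not knowing what was pushed over the weekend, can both be checked from the workstation itself. The following audit script is an added example, not code from the thread or any vendor; it assumes a Windows host with the standard `Cert:` PSDrive and the `Get-RootCertFindings` name is mine:

```powershell
# Added example (not from the thread): enumerate the Trusted Root stores and
# flag the traits an interception root would show. Read-only; changes nothing.
$recentDays = 30
$cutoff = (Get-Date).AddDays(-$recentDays)

function Get-RootCertFindings {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert  = $_
        $flags = @()

        # Superfish-style defect: the CA private key lives on the endpoint, so
        # anyone who extracts it can mint certs every machine with this root trusts.
        if ($cert.HasPrivateKey) { $flags += 'PRIVATE-KEY-ON-HOST' }

        # Weak key or signature hash. PublicKey.Key can throw for non-RSA keys
        # on older .NET, so fall back to 0 (reported as "unknown") in that case.
        $keySize = 0
        try { $keySize = $cert.PublicKey.Key.KeySize } catch { }
        if ($keySize -gt 0 -and $keySize -lt 2048) { $flags += "WEAK-KEY-$keySize" }
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName
        if ($sigAlg -match 'sha1|md5') { $flags += "WEAK-SIG-$sigAlg" }

        # A root issued within the last month is consistent with a fresh GPO push;
        # public CA roots are years old.
        if ($cert.NotBefore -gt $cutoff) { $flags += 'ISSUED-RECENTLY' }

        [pscustomobject]@{
            Store      = $StorePath
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            KeySize    = if ($keySize -gt 0) { $keySize } else { 'unknown' }
            Findings   = ($flags -join ', ')
        }
    }
}

# Check both the machine-wide and the per-user root stores; GPO normally
# targets the former, but a per-user install is the easier one to miss.
'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
    ForEach-Object { Get-RootCertFindings -StorePath $_ } |
    Where-Object { $_.Findings -ne '' } |
    Sort-Object NotBefore -Descending |
    Format-Table Store, Subject, NotBefore, KeySize, Findings -AutoSize
```

A root that arrived via Group Policy is also mirrored under `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates`, which distinguishes a GPO-pushed CA from one installed locally by a user or an application.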

>You could, however, install a proxy or a router inside your private network

Sounds like a good way to get fired depending on how strict their policies are.

Actually trying to work around any restrictions is a really good way to get fired :)

(Clarification: when I said private network I mean in the virtual network created by Wormhole, so probably at your home, bridging between the virtual network and your home's network)

If you're using their metal then it is already game over. They could be watching you right now utilising a dozen different remote admin/monitoring tools. So if you really want personal privacy then use personal equipment.

They may have non-HTTPS sniffing reasons for installing an internal CA, and it is highly recommended in an AD-connected environment. So while they may start hijacking traffic, you might be jumping the gun.

I will say that to avoid hijacking you need a clean DNS server. If you have local admin you could try and see if you can just change to, but if they're competent they're likely blocking DNS going through the firewall for exactly that reason.

I'd recommend you just bring in a personal laptop, buy one of those tiny battery-operated mobile WiFi hotspots ("MiFi", a cellular-to-WiFi bridge), then just access the internet for personal usage entirely off of their equipment and network. It will cost less than $20/month with a pre-existing cellular plan.

e.g. T-mobile Z915 + $10/month

If it's company equipment they're within their rights (usually in the US) to do it.

What I've usually seen is that they're using something like a Palo Alto/Cisco to do transparent/inline "blocking of bad stuff" like drive-by downloads, etc. and tracking general Internet usage. They could have also done it with an agent on each computer or whatever.

Many times the trigger is some troublesome employee or perhaps a malware outbreak somewhere.

Insofar as circumventing it, the best thing to do is use your own equipment for personal stuff. I have a VPN to my home office and use remote desktop (Windows 10 on both sides, or ScreenConnect to my Mac) to keep things separate. No one can see the traffic, it's minimal, and legit.

Connect with the internet via your phone?
