[–]allyc1057 14 points15 points ago

Correct re. the decryption, sounds like they're acting as a Man-in-the-Middle (MITM), whereby your google.com connections are being proxied through their own SSL proxies, they therefore hold the key to your search queries (as well as other Google services such as GMail, potentially).

You could potentially set up an SSH server (with SSH server configured to run on port 80, to ensure it's permitted through your corporate WAN) on your home network, and use it to tunnel HTTP(S) traffic out through your own home, bypassing the corporate proxies.

http://travisaltman.com/tunneling-http-thru-ssh/

Alternatively, if your company allows VPN traffic out, you could maybe look for a VPN tunnelling service.

[–]Forgery 11 points12 points ago

This is a common occurrence if they use a network security device (Blue Coat, M86, Websense) or network acceleration device (Riverbed, Blue Coat). Note that if it is a network security device, they may have blocked attempts to bypass the corporate proxy.

[–]goodtimes50[S] 1 point2 points ago

Yep, it's Websense

[–]hoeding 3 points4 points ago

I agree that this is MITM, whether it's by his company or otherwise and if it is your company doing it I would work under the assumption that they are logging what sites employees are visiting encrypted or otherwise.

[–]goodtimes50[S] 0 points1 point ago

I'm not so much concerned with them knowing which sites I go to as I am with them being able to decrypt my personal emails and such...

[–]from_the_sidelinesCitrix Admin, Netscaler Ninja. 7 points8 points ago

They are using Websense to do a MITM attack for the purposes of monitoring/filtering traffic. They can decode any communications made through their appliance, assuming there isn't another layer of application-layer encryption going on.

Nothing you do on your employer's machine is private. Ever.

[–]jeremiahfelt 4 points5 points ago

Unfortunately, personal correspondence or not, you have no reasonable expectation of privacy in your employer's workplace.

[–]TheGoddamBatman 0 points1 point ago

Technically, you're absolutely correct (which is the best kind of correct), but legally, it's still up in the air in the US -- I wouldn't call it settled law at all, and EU offices are a whole different ball of wax.

[–]OldCrowEW 2 points3 points ago

they will see your passwords...

[–]thewozzaCCNA Studying CCIE 0 points1 point ago

I wouldn't try to bypass corporate security systems using an SSH tunnel - at some corporations this is an offence you could be fired for.

I'd talk to them first, but I wouldn't expect them to do much. They've likely put in this system so they can ensure that corporate IP isn't leaving the company.

Just don't do personal email at work. If you must, use your smartphone, and don't use the corporate wireless for it. Problem solved.

[–]TheBobMcCormick 3 points4 points ago

Yup. The best solution is to do all of your personal surfing on your personal smartphone or a personal tablet that has its own cell connection. It's probably the least likely internet access method to get you into any kind of trouble, because you're only using your own equipment and your own connection. About the only thing they can discipline you for is time wasting.

Using any kind of tunnel could get you in trouble, I'd only recommend it if you know what you're doing and you're prepared to either defend your actions or accept the punishment.

[–]urracaCCNA Security 0 points1 point ago

Modern Firewalls will still see SSH and block it, even if it's on port 80. Port numbers don't matter so much on "application aware" firewalls.

Not to mention, encrypted tunnels out are a fireable offense depending on the corporate environment. You can expect a phone call within seconds in some places.

[–]allyc1057 0 points1 point ago

He asked for a solution, I gave him a potential one. In any case, who knows what level of awareness their perimeter has, tunnelling is one of the first things I'd try to get around it.

[–]urracaCCNA Security 1 point2 points ago

Didn't say you were wrong at all, I'm just trying to be informative.

[–]RouterMonkeyCCNP 9 points10 points ago

Yep. They are doing this so that they can run HTTPS traffic through the proxy servers, and apply filtering to HTTPS traffic.

Normally, HTTP is run through the proxy, and HTTPS isn't, because the only way to do this is to issue internal certs, like this.

[–]eberkut 1 point2 points ago

Seconded.

[–][deleted] ago

[deleted]

[–]corporatehippy 8 points9 points ago

I'm pretty sure, after having talked to several vendors and other security professionals about proxying HTTPS traffic, that it's impossible to decrypt without a browser certificate match. Some devices might be able to make decisions based on the actual destination URL text, but I'm not aware of any device that will fully inspect SSL traffic without getting in the middle of it, cert-wise. If you know of any in particular tho - I'd love to hear about them.

[–]brodel2 -1 points0 points ago

You could do this with AD and GPOs by pushing your company's cert into the trusted certificate store on each machine and IE would trust it and consider the chain valid. This would not work with firefox though since firefox uses its own certificate store.

[–]corporatehippy 3 points4 points ago

That is still getting in the middle of the cert process. It's exactly the same thing, just with a better delivery method.

[–]brodel2 0 points1 point ago

Right. My point was that you wouldn't get a certificate mismatch.

[–][deleted] ago

[deleted]

[–]c00ker 0 points1 point ago

Because having stateful packet inspection has nothing to do with being able to decrypt an SSL transaction. Your article mentions nothing about what SSL DPI they're doing or against what sites. I would highly doubt that SonicWall can decrypt my SSL traffic to gmail.com without having the private key that the gmail cert was signed with.

That's kind of the entire point here; you just can't insert yourself into the middle of an SSL session and decrypt it unless you have specific pieces of information. Do you really think that such a vulnerability could only be leveraged by legit enterprises? Such a massive flaw in SSL that allowed a box to decrypt traffic would be exploited by lots of people that are not honest.

Finally, that article mentions nothing about decrypting any traffic, but simply monitoring/examining SSL type traffic on a multitude of ports, not just 443. I bet if you ask them "can this box decrypt my SSL session to my bank?" the answer is flat-out no.

[–]RouterMonkeyCCNP 0 points1 point ago

Exactly. SSL encryption encrypts the data payload, not the whole packet. You can still inspect/filter/block/act upon encrypted traffic based on information in the packet, but still NOT have access to the actual encrypted traffic.

We are talking about proxies that decrypt the payload, not just inspect the packet surrounding the payload.

[–]SteveJEO 3 points4 points ago*

If the cert was issued by your own company and presuming your own company isn't google then yes.

Something is SSL bridging from the sounds of it.

Here is what happens.

Normally you have a single tunnel between the client and server. (This can exist within a VPN or whatever; the encapsulating traffic doesn't matter.)

You>----------------(Google SSL Tunnel)---------------> Google.com

Now what you have is a break in that SSL tunnel so it looks like this.

You >---(corp SSL tunnel)-----> Corp Firewall >--(google tunnel)----> google.com

Your system is smart enough to know the corp SSL tunnel is pretending to come from google and is warning you about it.

All traffic you pass to google will be decrypted at the corp firewall, scanned and recorded, then re-encrypted with google's cert and passed on.

(So basically google won't know the difference, since the traffic they get will be legitimately encrypted using their keys.)

Edit: you might not like it, but this stuff is actually normal in enterprise environments. You can just as easily download compromising or illegal software & material from a secure site as you can from anywhere else, and the corp network integrity relies on knowing about it. You 'could' bypass it, but in the event you do become compromised you will have successfully introduced a compromised system to their network and they won't be happy... at all.

The very fact that your system is flagging at all suggests to me that your machine is unmanaged and unaccountable on the network.

[–]goodtimes50[S] 0 points1 point ago

Thanks, that's quite helpful. I'm not sure about the "unmanaged and unaccountable" though. Firefox simply recognizes that the provider of the certificate (my company) does not match the intended target (google.com).

[–]RouterMonkeyCCNP 0 points1 point ago

Right.. Normally, the company just pushes out the 'standard' browser via the machine load with the new certs/signing authority installed, so you never even see the error. But, using a non-standard browser will give you the error.
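The mechanism SteveJEO describes (a corporate CA issuing a google.com certificate) and RouterMonkey's point that a pushed-out signing authority suppresses the browser error, shown as an added Go example that is not code from anyone in this thread. Everything is constructed in memory: "Example Corp Proxy CA" is an invented name, and the same leaf is verified once against a trust store that holds the corporate CA and once against one that does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a P-256 key and a certificate for tmpl, self-signed when parent is nil
// (our constructed corporate CA) and otherwise signed by parent/parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) } // only fails on broken randomness
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// InterceptionCheck reproduces the thread's scenario with constructed certificates: a corporate proxy CA
// issues a leaf for google.com. It reports whether that leaf verifies for google.com against a store that
// holds the corporate CA (managed machine, cert pushed out) and against one that does not (own store, as Firefox keeps).
func InterceptionCheck() (trustedWithCorpCA, trustedWithoutCorpCA bool) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Proxy CA"}, // constructed name
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "google.com"}, DNSNames: []string{"google.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	managed := x509.NewCertPool() // the store a managed client trusts, with the corporate CA added
	managed.AddCert(ca)
	_, errManaged := leaf.Verify(x509.VerifyOptions{DNSName: "google.com", Roots: managed})
	_, errOwn := leaf.Verify(x509.VerifyOptions{DNSName: "google.com", Roots: x509.NewCertPool()}) // no corporate CA
	return errManaged == nil, errOwn == nil
}
```

The second result is the "unknown authority" failure a browser with its own store reports; the issuer name on the presented google.com certificate is what tells you who is bridging the session.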

[–]SteveJEO 0 points1 point ago

It's legal liability and accountability.

Basically any system running traffic through the network must subscribe to the same standard as any system attached to that network since the owners of the network are responsible for it and its consequences.

A managed system does this because it's controlled and audited by the network before it's allowed a successful connection, whereas an unmanaged system is just allowed to connect and can pass whatever it wants.

E.g. a managed system would have a number of checkpoints before it can connect.

1) minimum OS version.

2) software installed according to the list.

3) prescribed AV and AV version.

4) last AV run time.

5) permissions audit. (no remote connections etc)

6) software denied according to the list.

If you pass 1 through 6 you can connect, and if you fail one or two you may be shunted to a quarantine network where permissions are restricted; if you fail one or two more, connections will be denied and your system will be blacklisted.

An unmanaged system is Username > password > token or whatever > OK go...

No idea what's on that unmanaged system... dunno what it's doing either, and we can't tell without aggressively scanning that system and reading everything on the wire that comes from that machine.

[–]timschwartz 0 points1 point ago

[–]mrjester 1 point2 points ago

As others have stated, it is SSL decrypt for security purposes. It allows several things such as: URL filtering, IPS/IDS inspection, data exfiltration prevention and forensics analysis. It is very likely that if they are doing SSL decrypt, you will also not be able to run other protocols (ssh) over 80 or 443. The proxy device will ensure protocol compliance.

Many devices that do SSL Decrypt also support categorization in that they can categorically decide what connections to decrypt or not. Such as banking. Decrypting your banking traffic opens a HUGE door for liability.

[–]carlivarParticipant 0 points1 point ago

Easiest way to get around it is if you can find a TCP or UDP port open to the public Internet. Any port. Set up a SOCKS proxy out on the Internet listening on that port, and there you go. I have a linode.com host out on the Internet for general purposes like this.

If it's completely locked down, may not be possible. You could try ICMP tunneling if that's open, but it's much more complicated.

This all assumes you can even change your proxy settings. If not, you are out of luck.

Going cellular data is of course another option.

[–]bitheadIt's all bits -1 points0 points ago

My company does this also, using IronPort. Problem is, they reuse cert serial numbers, so it breaks firefox going to google.

[–]midwestgator 0 points1 point ago

It will be more and more common. Major firewall vendors pushed it out a few years ago, so a lot of companies are adopting it now.

Watch out for your banking sites if you ever use them at work. If done right, finance sites should be set up to bypass SSL decryption.

[–]m1ss1ontomars2k4 0 points1 point ago

I wouldn't rush to conclusions here, unless the certificate was also for google.com. When I first sign on to certain wireless networks, my AIM client asks me if I want to accept a certificate for logon_webpage.example.com, which is obviously not the correct certificate, although it could easily be valid.

[–]goodtimes50[S] 0 points1 point ago

They're definitely certs for google.com issued by my company. No doubt about that...

[–]ehudt -2 points-1 points ago

You should try out [Ultrasurf or UltraVPN](ultrasurf.us). It's an encrypted proxy. Basically, all the traffic is encrypted, so no one can see your stuff. It was designed to bypass Chinese government censorship, and so it is very good at evading firewalls and other network screening products. I hope it helps you out...

Ultrasurf on Wikipedia