'Fraid this is technically quite possible.
What effectively happens is that the proxy server identifies that a
client on our network has requested an HTTPS session, and creates a
session between itself and the client, and another one (passing through
the authentication information, i.e. password etc.) between itself and the
remote site. As far as I'm concerned, I'm logged onto my banking site
(and my browser shows the padlock), but if I examine the certificate, it
will actually be the Scottish Government, not Barclays, who owns it.
During the session, the proxy server keeps passing information between
the session it's running with my PC and the session it's running with
Barclays. This allows it to pass the HTTPS traffic through to a virus
scanner while it is unencoded. The client machine is (correctly)
completely confident in its connection, because it's communicating with
a trusted site - the proxy server. Ditto the banking site.
This can only be done between client and proxy server within the
network, so it isn't a flaw in SSL, it's simply that we can control and
can therefore change the trust relationships.
Apparently not uncommon in corporate bodies to do this. But at the point
of transition between the two SSL connections, it is processing the
information without encryption - and that could include credit card etc
details (these are not stored, of course). I guess the question is, how
legal is this, and if legal, whether, what and how we should tell people
about it.
Ben
-----Original Message-----
From: Andrew Cormack [mailto:[log in to unmask]]
Sent: 20 November 2008 17:12
To: Plouviez B (Ben); [log in to unmask]
Subject: RE: Monitoring of encrypted (SSL) data
Ben
Quite apart from the legal issues, will this even work at the technical
level? The whole point of an SSL connection is that the certificate used
for the encryption has to match the domain name the user connects to. At
the very least I'd expect the users' browsers to scream blue murder at
the mismatch, and they might well just sulk and refuse to establish the
connection at all.
And training your users to ignore certificate warnings is a really bad
idea if you want to rely on SSL encryption for your own services...
Andrew
--
Andrew Cormack, Chief Regulatory Adviser JANET(UK), Lumen House, Library
Avenue, Harwell Science and Innovation Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399
JANET, the UK's education and research network
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Ben Plouviez
> Sent: 20 November 2008 12:22
> To: [log in to unmask]
> Subject: Monitoring of encrypted (SSL) data
>
> Has anyone got experience of a situation where an employer wants to
> use their web proxy to intercept, decrypt, check, and recrypt https
> traffic between employees and web sites they visit? The purpose of
> this is to ensure that content we would otherwise block (videos,
> executable files, anything with a virus in it) is not downloaded
> through this route, as has occurred. In other words, this is not
> exactly monitoring, but
>
> The problem is that this will mean decrypting sensitive data going
> through our proxy - potentially credit card numbers, bank account
> numbers and passwords of staff using our systems, as they may, to do a
> little online shopping or banking while at work.
>
> Any thoughts welcome!
>
> Ben
>
>
>
JANET(UK) is a trading name of The JNT Association, a company limited by
guarantee which is registered in England under No. 2881024 and whose
Registered Office is at Lumen House, Library Avenue, Harwell Science and
Innovation Campus, Didcot, Oxfordshire. OX11 0SG
This email was received from the INTERNET and scanned by the Government
Secure Intranet anti-virus service supplied by Cable&Wireless in
partnership with MessageLabs. (CCTM Certificate Number 2007/11/0032.) In
case of problems, please call your organisation's IT Helpdesk.
Communications via the GSi may be automatically logged, monitored and/or
recorded for legal purposes.
********************************************************
This e-mail (and any files or other attachments transmitted with it) is intended solely for the attention of the addressee(s). Unauthorised use, disclosure, storage, copying or distribution of any part of this e-mail is not permitted. If you are not the intended recipient please destroy the email, remove any copies from your system and inform the sender immediately by return.
Communications with the Scottish Government may be monitored or recorded in order to secure the effective operation of the system and for other lawful purposes. The views or opinions contained within this e-mail may not necessarily reflect those of the Scottish Government.
********************************************************
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless in partnership with MessageLabs. (CCTM Certificate Number 2007/11/0032.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^