Ben
Quite apart from the legal issues, will this even work at the technical
level? The whole point of an SSL connection is that the certificate used
for the encryption has to match the domain name the user connects to. At
the very least I'd expect the users' browsers to scream blue murder at
the mismatch, and they might well just sulk and refuse to establish the
connection at all.

And training your users to ignore certificate warnings is a really bad
idea if you want to rely on SSL encryption for your own services...

Andrew

--
Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation
Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399

JANET, the UK's education and research network 


> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Ben Plouviez
> Sent: 20 November 2008 12:22
> To: [log in to unmask]
> Subject: Monitoring of encrypted (SSL) data
> 
> Has anyone got experience of a situation where an employer wants to
> use their web proxy to intercept, decrypt, check, and recrypt https
> traffic between employees and web sites they visit? The purpose of
> this is to ensure that content we would otherwise block (videos,
> executable files, anything with a virus in it) is not downloaded
> through this route, as has occurred. In other words, this is not
> exactly monitoring, but
> 
> The problem is that this will mean decrypting sensitive data going
> through our proxy - potentially credit card numbers, bank account
> numbers and passwords of staff using our systems, as they may, to
> do a little online shopping or banking while at work.
> 
> Any thoughts welcome!
> 
> Ben
>
> All archives of messages are stored permanently and are available
> to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html


JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
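
The name-matching point in the reply above, as an added example that is not part of the original message: a model of the checks a browser applies to the certificate a server (or an intercepting proxy) presents. It goes one step beyond the reply by also checking the issuer. The certificate dicts follow the shape of Python's `ssl.SSLSocket.getpeercert()`, and every host name, CA name and helper function here is constructed for illustration.

```python
# Added example: models two checks a TLS client applies to a server certificate.
# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert();
# all names and values below are constructed for illustration.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the whole
    left-most label, and a wildcard covers exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def validation_errors(hostname, cert, trusted_issuers):
    """Return the reasons a client would reject `cert` for `hostname`."""
    errors = []
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_name_matches(name, hostname) for name in san):
        errors.append("name mismatch")
    # Simplification: real clients verify a signature chain to a trusted root;
    # here trust is modelled as the issuer's common name being in a set.
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    if issuer.get("commonName") not in trusted_issuers:
        errors.append("untrusted issuer")
    return errors


TRUSTED = {"Example Public CA"}  # constructed client trust store
GENUINE = {"subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
           "issuer": ((("commonName", "Example Public CA"),),)}
# Proxy answers with a certificate issued for its own name.
PROXY_OWN = {"subjectAltName": (("DNS", "proxy.corp.example"),),
             "issuer": ((("commonName", "Example Public CA"),),)}
# Proxy answers with the right name, signed by a CA the client does not trust.
PROXY_REISSUED = {"subjectAltName": (("DNS", "www.bank.example"),),
                  "issuer": ((("commonName", "Corp Proxy CA"),),)}

if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE), ("proxy own cert", PROXY_OWN),
                        ("proxy re-issued", PROXY_REISSUED)]:
        print(label, validation_errors("www.bank.example", cert, TRUSTED))
```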
