I’m curious, if my employer is monitoring the computer I use (I have to consent to monitoring before logging in each time), and issues the certificate on https sites I visit (company proxy issued), if E2EE communication works, or if it is compromised because the transportation is compromised?
For example: I access my prosody xmpp server via that computer (compromising my user name and password as the certificate for secure transport issued by my employers local proxy with the intent to monitor traffic) and have E2EE communications on it.
Are those communications only legible to the sender and recipient in this situation? I know the encrypted transport is compromised by my employer, but what about the actual content being shared?
That would depend on how they do the encryption. I’m not familiar with prosody specifically, but I have seen some applications that claim end to end encryption where TLS is the encryption from endpoint to endpoint. If your employer is doing ssl decrypt on the network then the content would be compromised.
If the application does a second encryption inside of the TSL tunnel then the content would not be compromised, HOWEVER, if the platform stores a copy of your keys (as some do), then the compromised credentials would give your employer access to those keys and potentially the content if stored by the platform as well.
You may be able to use TOR to get around this problem; though many companies I’ve seen that deploy ssl decrypt also block TOR traffic this negating this option.
@OpojOJirYAlG is correct. For a little more detail in how this attack works, check out the information on the Squid Proxy’s Peek and Splice feature.
You can check if your employer is doing this attack by looking at the site’s certificate chain. In Firefox for example, there is a ‘lock’ icon next to the URL in the address bar. Click that, then click the ‘arrow’ button to the right of the connection details. It’ll tell you which Certificate Authority has signed the site’s certificate being used. From here you can also click the ‘More Information’ button to view the whole certificate and its chain. There are different steps to do the same thing in other browsers.
A telltale sign that the company can see your decrypted SSL traffic is that the root CA will be the same for every site you visit. The name of the root CA certificate might also give it away.
Or my former company if you wanted to take your phone on the shop floor you had to get the company approved “app” on your phone. They could brick your phone.
Yeah I know they are. I forgot to put a comma in the first sentence. hahahaha.
I was just curious if E2EE was somehow able to circumvent the man in the middle, which it is in the case of push notifications, etc. But in my case I forgot that the computer I’m on uses a keylogger, and the company has local administrator access on the machine. So even if it worked during transport, they could simply look at the keylogger data or access the keys from the local machine.
Basically if you consent to monitoring you are screwed regardless.
It’s funny you brought up this topic since it’s one I have to deal with at work as well. I’ve been thinking of ways to protect my privacy on a system that decrypts SSL traffic. I haven’t come up with anything to try just yet.
The only thing I can think of that might work in your situation is to somehow use a One Time Pad device to authenticate to your E2EE system. That way you have a second layer of encrypted traffic and the keylogger is useless since the passcode will change after a short time.
On a side note, I wonder if organizations that employ this type of surveillance realize what kind of a risk they have brought upon themselves. If that traffic is ever compromised then basically their entire infrastructure is at risk; and possibly they could be subject to lawsuits if personal information is stolen in an attack or abused by an insider threat. In your case of an ‘approved’ keylogger, that means their antivirus and/or HIDS/HIPS has been trained to ignore these programs. Very risky if an unauthorized piece of malware finds its way on the system and is then given the same pass from those protection algorithms.
The short answer, yes they have and most have a few things in place on this front.
An advanced enough attacker to get into the cert infrastructure and compromise the network is not a part of most companies threat models. This isn’t that common of an attack, it’s still much easier to just ask someone for their password.
Regarding potential loss of individual information due to compromise of work systems: The primary 2 things are exclusion lists for banking websites (and others as a given company sees fit). As well as policies stating work computers aren’t for personal use which limits their liability for data compromised from the users missuse of the systems.
If you have a compromised device and/or a compromised network, don’t use them for anything you want to keep confidential.
Its easy enough to follow the certificate path to see who signed the certificate you have been issued. If the signing authority is your company or an internal certificate, plus they installed a root cert on your device then yes, its likely that they are inspecting inside TLS/SSL. If not, then they probably should be. Most C2 traffic we see these days uses TLS so its important to inspect the data appropriately if you are hoping to protect your network from compromize. Depending on the technology stack used, some go down the route of using huristics (such as cisco talos) while other such as palo alto’s NGFW actually do decryption on the fly (without the need for a socks proxy). IMO PA are better at detecting C2 than Cisco. Regardless, the risks to sensitive information can be managed with SSL/TLS inspection - if you dont like it, then dont browse bad stuff on your work computer.
I do not have any problems with it. In fact I 100% support it. Specifically given the purpose of the company I work for. Furthermore, my concern is about maintaining privacy in personal discussions, and whether or not such a thing is even possible in such a scenario.
This is a slight oversimplification. It would theoretically be possible to use PGP or other encryption independent of the system/network to encrypt/decrypt messages but ease of use drops off dramatically.
I didn’t bring that up earlier because I just hadn’t thought about it since the original question seemed to be about whether or not an applications built in end to end encryption was independent of the network or not, and for that; it depends.
If privacy of the communication matters then don’t use a computer provided by your employer. BYOD if that is allowed. If BYOD is not allowed then try using your Librem 5 docked.
If E2EE were the only consideration in this scenario then some types of additional SSL security (like HSTS or certificates published in the DNS) might detect the bogus endpoint. However if you have to use this computer then you either accept the lack of privacy or you accept that you are being DoSed (since all connections would fail as bogus).
Most places I’ve dealt with doing this level of monitoring require you let them put their agent with full system level admin rights on your device so BYOD may not get around the problem.
Yes, if bogus TLS endpoint is the only problem then any other encryption protocol probably works around it but those are probably being blocked. Tight sites may allow port 80 and port 443 only (and port 443 is MITM attacked).
It goes without saying that you must never do any internet banking from such a computer. At best that would be reckless. At worst that would be a breach of the conditions of use - and could leave you personally exposed if one of your bank accounts gets hacked.
More generally you must never do anything important from such a computer.
You should be wary of using any web site that requires a password from such a computer - since you are sharing your password with your employer.
I should add that while you are correct, I trust my employer. And beyond that consent to monitoring does not mean that individuals who exploit information gained through that monitoring aren’t breaking the law. They are. I’ve known 2 people who were sent to prison for doing that very thing.
Maybe more to the point … you trust all the people who work for your employer and, dare I say it, anyone who hacks in (so you better hope there aren’t any).
Sadly, people are flawed. They develop gambling addictions. They develop drug addictions. In that kind of situation it doesn’t matter at all to them that they are breaking the law, and you are unlikely ever to see the money back.