Don’t Worry About the NSA. Worry About Your Employer…

Today I was at a client's site and this happened while going to gingsoft.com, which is a secure site with an EV SSL certificate. Rather than seeing this:

[Image: the EV certificate of gingsoft.com, with the browser showing the green lock from the EV certificate]

I saw this instead: the https crossed out with a red “X”, because the SSL connection was flagged as untrusted:

[Images sslIntercept01 and sslIntercept02: screenshots of the certificate warning]

Your employer will have an SSL interceptor that sits between your computer and the Internet. When you browse to a site secured with SSL, the interceptor, not your browser, retrieves the web server's real SSL certificate and sets up a perfectly good SSL connection between itself and the web server. The interceptor then sends you a certificate of its own that looks like the web server's certificate and sets up a “secure” connection between your browser and the interceptor.

If your employer has set it up correctly you won't notice anything is off, because they will have arranged for the interceptor's internal CA certificate to be installed on your machine as a trusted certificate (probably distributed by Group Policy). If not, you'll get a warning message, and if you click through it you accept the “fake” certificate. DON'T DO IT! In either case, you get a secure connection to the interceptor rather than to the real web site, the interceptor gets a secure connection to the outside site, and everything passing through the interceptor can be read in plain text.
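One way to check for this yourself, as an added example that is not part of the original post: compare the issuer of the certificate your browser (or this script) actually receives against the CA you expect for the site. The expected CA names and the two sample certificate dictionaries below are constructed assumptions, not captured from gingsoft.com.

```python
import socket
import ssl

# Issuer organizations you expect to sign certificates for the sites you use.
# These two CA names are assumptions for the example; list the ones your sites use.
EXPECTED_ISSUER_ORGS = {"DigiCert Inc", "Let's Encrypt"}

def _field(name, key):
    """Pull one attribute (e.g. 'organizationName') out of a getpeercert() name."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def interception_indicators(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Return reasons the leaf certificate looks interceptor-issued rather than
    from the site's real CA. `cert` is a dict as returned by getpeercert()."""
    reasons = []
    issuer_org = _field(cert.get("issuer", ()), "organizationName")
    issuer_cn = _field(cert.get("issuer", ()), "commonName")
    subject_cn = _field(cert.get("subject", ()), "commonName")
    if issuer_org not in expected_orgs:
        reasons.append(f"issuer organization {issuer_org!r} is not a CA you expect")
    if issuer_cn and issuer_cn == subject_cn:
        reasons.append("certificate is self-signed")
    return reasons

def fetch_peer_cert(host, port=443, timeout=5):
    """Connect using the OS trust store and return the leaf certificate.
    If the interceptor's root was pushed to this machine (e.g. by Group Policy)
    the handshake verifies cleanly, which is exactly why the issuer check matters."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples (not captured from gingsoft.com): a genuine public-CA leaf
# and the same site as re-issued by a hypothetical corporate SSL inspection CA.
GENUINE = {
    "subject": ((("organizationName", "Ging Soft"),), (("commonName", "gingsoft.com"),)),
    "issuer": ((("organizationName", "DigiCert Inc"),), (("commonName", "DigiCert EV CA"),)),
}
INTERCEPTED = {
    "subject": GENUINE["subject"],
    "issuer": ((("organizationName", "Example Corp IT"),), (("commonName", "Example Corp SSL Inspection CA"),)),
}
```

Against a live site, `interception_indicators(fetch_peer_cert("gingsoft.com"))` returns an empty list when the issuer is one you expect and a list of reasons otherwise.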

1 thought on “Don’t Worry About the NSA. Worry About Your Employer…”

  • Windows PCs (and laptops) that authenticate against a Microsoft Active Directory domain will have a harder time detecting this, because the system administrator(s) can just add the fake cert to your computer via a Group Policy. You will have to actively monitor the root certificates stored locally on your computer.
