On 4/5/2013 12:45 PM, Lonnie Olson wrote:
> On Fri, Apr 5, 2013 at 12:28 PM, Barry Roberts <b...@robertsr.us> wrote:
>> It's cake until you have to add that cert to your jvm keystore, and
>> configure git to work when ssl certs don't match, and configure your
>> package management, and so on, and so on. Working for a large public
>> company sucks sometimes (?). Filtering employee web access is considered
>> standard now.
> Agreed. It does suck. Also even more worrisome is that this SSL MITM
> filtering means it's possible and trivial for your company to log,
> sniff, and eavesdrop on your private HTTPS connections, including your
> banking info, private web mail sessions, etc.
>
> My company has brought up the subject of enabling this feature several
> times, I have to fight hard every time to prevent it. So far I have
> been successful. Filtering unencrypted web sessions doesn't bother
> me, but don't mess with SSL. It breaks trust with users, opens new
> holes in security, prevents true site verification, and is just plain
> creepy (IANAL).
>
> Some notes on getting around corporate filtering or snooping:
First, it's your webmail, but not your internet connection. How it's used is their business and their right to allow you to do X or Y with it. From that perspective it's not creepy unless they're reading your email for other purposes (which you have to allow them to do, by accessing your email from their network). You don't have to do those not-at-all-work-related things at work, regardless of what excuse you come up with that makes it inconvenient for you that you think makes their paranoia unjust. In other perspectives, just about every small company is one lost-lawsuit-as-a-result-of-a-printed-porn-image away from ceasing to operate. Again, ultra-paranoid, but if we can go to one extreme, we can go to the other just as easily.

That said, open an SSH tunnel on an allowed port or use a cell phone with tethering to access your mail/bank/whatever. EVERY network has allowed ports, and some things simply aren't proxied/intercepted because they're not understood by the software engineers that write these things, but some line-of-business app uses 15832 or whatever and for some reason it goes to a non-static or unknown IP every time it connects, so it has to be open to everywhere or something. If your corporate network is so incredibly tied down that you literally can only access 80/443, well, that's sort of weird, but you can always get another job if that's just too much. Some people leave over benefits, others over dress code; this can't be that far off.

Another way I've seen work for some people is to set up a web proxy at home on a home DNS address. There are a number of open source proxies that are easy to use and just run through a browser. There are issues, but they tend to at least get around filtering. I once read about a project that was going to use HTTP POSTs to send SSH traffic for totally crazy filtering, but I figure that would be easy to pattern match, so I'm not sure if it would get written once someone has that simple realization.
OpenVPN, before someone mentions it, is rarely a good route around filtering. It's REALLY easy to pattern match the protocol, and I've seen a lot of filters that will look for it or other VPN traffic. SSH is typically (typically, mind you) more effective because it's difficult to MITM ahead of time and is used in so many administration efforts. Which ones do you filter? Food for thought.

-Tod Hansmann

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/