One of the interesting tidbits of information that came out of the Lenovo spyware fiasco was that companies routinely MITM SSL traffic by installing their own certificates on company computers. Unless you own and fully control the hardware you use at work, you should just assume the company can see anything you do with it, regardless of how encrypted it looks.
A lot of companies, especially smaller ones (like mine) will have a clause like that not to be jerks, but to protect themselves. We have a clause like this in our contract. Do I care if our devs spend time on Facebook, or whatever? Not really - I am interested in their output and productivity, and however they are comfortable in producing their output is fine by me.
I did have an administrative employee recently that spent all her time on Facebook, and didn't produce any useful output at all, and clearly had to be let go - we tried to work with her to improve, but she just didn't care.
Under the employment laws of the country where we operate, it is very hard to fire somebody. Performance related dismissals take forever, and are very expensive in terms of administrative, legal and opportunity costs. Larger companies can probably afford that, but small companies like ours cannot. Our choices are simple: Either spend a lot of time, money and effort in trying to get the person fired on the basis of insufficient performance, where the outcome isn't certain, and where we likely have to end up paying a few more months salary even if we are successful, or pull her up for provably excessive use of company computers during work time for private purposes, and fire her on the spot.
It goes beyond personal use. Odds are you signed an agreement that says "Anything I do using company resources is owned by the company."*
So you have to be careful for any open source work, startup ideas, etc that you may have. Don't do it at work or on your work machine (even at home).
* If your agreement says "everything you do is ours," it's already too late for you. I never sign those contracts.
Not even a second hand desktop for home use? I would expect almost all of NH new readers to have at least one or two systems at home just to play with.
Also, personally I wouldn't pay much mind to Glassdoor's rankings. I used to work for a company whose business is reporting on other companies. This place often seeks "best place to work in America" type accolades from the press. After making a deal to show Glassdoor data on their site, this company magically started topping the Glassdoor list of "best places to work" for its particular size group!
True, but it is only SNI. That won't work on Windows XP and Android 2.x. I suspect that the extra cost to get traditional SSL would be worth it for Glassdoor.
I agree with that as far as Glassdoor is concerned.
However on a more general basis: I really am done caring about people still using Windows XP. I have a little sympathy for people still on Android 2.xx because those phones got sold way too long. But Windows XP hasn't been sold for almost ten years and has been EOL for more than a few.
On this topic: Does Chrome for Android 2.xx support SNI?
Right advice, wrong reason. Any moderate sized company will be aware that SSL makes it harder for their corporate traffic monitoring to work. They don't want SSL usage to render their monitoring software useless, so they install their own SSL root certs on machines, and relentlessly MITM all SSL traffic.
In this case, how can SSL help?
More to the point, the corporation generally has a right to monitor all computer usage you do on their machines - so posting disparaging comments about them on their own machines is a particularly dumb idea - not withstanding the Google Chrome 'Incognito Mode cannot protect you against people standing behind you' warning.
What's an easy way to find out if they're doing this? Taking a look at the certs installed in my system, unless I see "BigCo MITM Cert", I don't have a ton of insight on what certs are and aren't supposed to be there.
Also, I'm not 100% on where all certs would be found, and short of looking at the trust chain on each site I visit, I'm not actually sure how to know.
I don't have a good answer to your question other than "assume they are". And that's the best answer in my opinion.
It's not just installing a cert on your machine that can MITM your SSL connection. Proxy servers can often terminate SSL connections and re-sign them before delivering the content to you as well. Just assume your workplace has the ability to monitor all of your activity on your work-owned computer, because whether they do or do not watch you, the capability for them to watch you does exist.
I definitely agree on that being the best answer - it's a pretty silly game to start playing to try and pull one over on an employer. :)
That said, I do wish there was a tool I could use to verify the cert authorities installed on a device I own or buy. On the far end of the spectrum, I've purchased a sketchy Android tablet once from AliBaba - that was rife with oddness.
Also - wouldn't a proxy terminating & then re-signing show up as a different signing authority or cert, assuming they didn't have their own authority installed on my machine?
Install something that doesn't use your system's certs (I think cURL would suffice, I forget exactly) and see if it breaks when you use it on an https URL. If it does, you're being MITMed.
Go to an SSL site and see who has signed the certificate.
Then go to the same site on your smartphone (on 3G, not wifi) and see who has signed it. Are they different?
Note, unless it is a company issued phone it should show the real certificate, but this method is only about 99% safe (in case you were tricked into install an incorrect certificate on your phone at some point).
Anybody know how to see the full certificate chain for a website on Android? I just tried it, and it isn't clear if you can, and web and app searches don't seem to show anything useful.
Would anyone be interested in a site that lets you see who signed the web server's cert from different points on the Internet? Sort of like IsItUp.com but for MITM.
That's a very good explanation of the general state of affairs.
But in my experience trying the Certificate Patrol add-on for Firefox for a few months, the ideal of "the authentic site's fingerprint" doesn't exist for big sites. It works for small sites like grc.com, but larger sites constantly present a variety of certificates. That variety seems to change every few days. Also certificate expiration times frequently change. Gibson does acknowledge "False-Positive Mismatches" but in my experience this is a big big problem that makes the single "fingerprint" idea almost useless.
A smart add-on would eliminate a lot of these false positives. E.g. if your browser has already stored a certificate for a site and the new certificate is issued by the same CA to the same entity and the only difference is a new expiration date, why not silently accept the new one, while still remembering the old expiration? That's a risk I'd be willing to take.
Same thing for multiple certificates from different issuers. I want to be warned only the first time a certificate is encountered. If the same one is encountered again next week or next month, then that's another "false-positive mismatch" that should be silently suppressed.
And, realistically, why does there need to be an add-on? Mozilla gets something like $300 million per year in funding. What are they doing with all that money, if Firefox is still so vulnerable to this nonsense?
I think it would also be valuable if sites would also publish their SSL certificate fingerprints out of band, perhaps through DNS TXT records, for verification.
Or via HTTP. Why bother with DNS? Just put them at /certs.txt and serve them over HTTP. It would be equally as secure as serving them over DNS, that is not at all.
HTTP is insecure and could be MITM. And HTTPS is no good as you don't know if you can trust the cert, as you couldn't get the fingerprints before connecting. DNSSEC is secure.
Yet, DNSSEC introduces a huge number of other problems like giving government agents even more control over the Internet. I was strongly in the DNSSEC camp until doing more research into it. I'd summon @tptacek for this discussion, but I think you've actually participated in a few of those already with him.
Certificate Patrol should also be sufficient. However, it's implemented very poorly. It should remember all certificates previously served by a site and only show you new ones. But it's constantly warning about changes that are false positives.
There is a real need for software that makes this "just work".
Well, as MITMing with their own SSL certs will give the telltale signal that the session is being MITMed.
But I'm still with you on this one. They may not necessarily have traffic monitoring on the wire, but they may monitor computer usage in another way. (Through asset management softwares, etc.)
You can monitor traffic without interception, just look for SNI extension part of SSL traffic and you'll obtain hostname (all modern browsers use SNI by default). So it's easy at least know what sites people visit.
Golden rules to live by: Never use work computers for personal use, period. Your work contract more than likely specifically includes a clause.
Been there, got the T-shirt, been escorted off the premises (for sending personal emails on work time), whilst working for large US corp. This was over 15 years ago when I was starting out and I learned a very valuable lesson.
If you are a 'trouble maker' i.e. someone who asks too many undesirable questions or rocks the boat, then HR will find a way to fire you. Your work contract protects them and not you.
I do most of my personal browsing through an RDP connection to my home computer, but something that I've been concerned about: Chrome on my work computer is logged into my personal Google account. That means all of my extensions--including a password management tool--are available to my employer should they choose to log into my computer.
The conspiracy-minded part of me worries that, with the proper motivation, they could log into my email, Glassdoor, etc accounts and defensibly snoop on me since the information was technically on one of their machines. Whether this far flung possibility warrants foregoing the convenience of having all of my bookmarks and logins with me at work is unclear.
Bring your personal laptop to work, browse only thru the "personal hotspot" feature of your cellphone. Don't use the corporate network for anything non-work-related.
You might object and say that it's obvious that you're doing "personal browsing" if you're using your personal laptop. Ok, it is obvious. So just browse during break times and lunch. You don't need to be doing extensive personal browsing from work.
Rules like this are draconian and obsolete. Expecting employees, who are in fact humans, to completely ignore their non-work lives during the majority of the day, every day, is ridiculous.
I think there's a gray area. Certainly most of the companies I've worked for have turned a blind eye to people 'stepping out' to make appointments or take a phone call on a personal cell phone.
But to post about the company on a site like Glassdoor, on company time (which was implied) and using a company computer and network, seems foolish to me. After all, you are at work, no?
If you've reached the point where HR is actively trying to find a way to fire you, that probably means you royally pissed off someone in a position of power, and your use of company equipment for personal emails is the least of your problems. If you didn't do that they would certainly find something else to fire you for.
Never use work computers
for personal use, period.
I'm 100% with you on this one.
People who ignore this are making a big mistake. Nowadays it's just too easy to bring a laptop and a cellphone to work and use the "personal hotspot" feature.
As for sending personal emails on work time, that's what breaks and lunch are for, on your personal laptop. Fifteen years ago a laptop was much more expensive and personal hotspots didn't exist. Fifteen years ago I also used company computers for sending personal emails; thankfully I never got in trouble for it.
I worked for a company (Overstock.com) that on more than one occasion, during company-wide townhalls, requested that employees use Glassdoor to review the company. The feedback was reviewed by senior management to look for places to improve.
57 comments
[ 2.5 ms ] story [ 122 ms ] threadcheck your contract. Undoubtedly they have a clause stating you must use your work device for the companies interest only.
I did have an administrative employee recently that spent all her time on Facebook, and didn't produce any useful output at all, and clearly had to be let go - we tried to work with her to improve, but she just didn't care.
Under the employment laws of the country where we operate, it is very hard to fire somebody. Performance related dismissals take forever, and are very expensive in terms of administrative, legal and opportunity costs. Larger companies can probably afford that, but small companies like ours cannot. Our choices are simple: Either spend a lot of time, money and effort in trying to get the person fired on the basis of insufficient performance, where the outcome isn't certain, and where we likely have to end up paying a few more months salary even if we are successful, or pull her up for provably excessive use of company computers during work time for private purposes, and fire her on the spot.
Does that make us jerks? I don't think so.
It goes beyond personal use. Odds are you signed an agreement that says "Anything I do using company resources is owned by the company."* So you have to be careful for any open source work, startup ideas, etc that you may have. Don't do it at work or on your work machine (even at home). * If your agreement says "everything you do is ours," it's already too late for you. I never sign those contracts.
Ref: https://news.ycombinator.com/item?id=9213831
You could use a raspberry pi at home for example
Funny, for a second I couldn't tell if this was about Glassdoor itself or the people who browse it from work.
http://www.cloudflare.com/plans
However on a more general basis: I really am done caring about people still using Windows XP. I have a little sympathy for people still on Android 2.xx because those phones got sold way too long. But Windows XP hasn't been sold for almost ten years and has been EOL for more than a few.
On this topic: Does Chrome for Android 2.xx support SNI?
There is no Chrome for Android 2.x... Chrome requires android 4.0+.
In this case, how can SSL help?
More to the point, the corporation generally has a right to monitor all computer usage you do on their machines - so posting disparaging comments about them on their own machines is a particularly dumb idea - not withstanding the Google Chrome 'Incognito Mode cannot protect you against people standing behind you' warning.
Also, I'm not 100% on where all certs would be found, and short of looking at the trust chain on each site I visit, I'm not actually sure how to know.
It's not just installing a cert on your machine that can MITM your SSL connection. Proxy servers can often terminate SSL connections and re-sign them before delivering the content to you as well. Just assume your workplace has the ability to monitor all of your activity on your work-owned computer, because whether they do or do not watch you, the capability for them to watch you does exist.
That said, I do wish there was a tool I could use to verify the cert authorities installed on a device I own or buy. On the far end of the spectrum, I've purchased a sketchy Android tablet once from AliBaba - that was rife with oddness.
Also - wouldn't a proxy terminating & then re-signing show up as a different signing authority or cert, assuming they didn't have their own authority installed on my machine?
Then go to the same site on your smartphone (on 3G, not wifi) and see who has signed it. Are they different?
Note, unless it is a company issued phone it should show the real certificate, but this method is only about 99% safe (in case you were tricked into install an incorrect certificate on your phone at some point).
I mean, you _can_ check it, 99% of people including myself will let it slip their mind.
doesn't work terribly well in practice though.
http://convergence.io/
although there are a lot of issues[0] on it's github page which seem to be unaddressed.
[0] - https://github.com/moxie0/Convergence/issues
But in my experience trying the Certificate Patrol add-on for Firefox for a few months, the ideal of "the authentic site's fingerprint" doesn't exist for big sites. It works for small sites like grc.com, but larger sites constantly present a variety of certificates. That variety seems to change every few days. Also certificate expiration times frequently change. Gibson does acknowledge "False-Positive Mismatches" but in my experience this is a big big problem that makes the single "fingerprint" idea almost useless.
A smart add-on would eliminate a lot of these false positives. E.g. if your browser has already stored a certificate for a site and the new certificate is issued by the same CA to the same entity and the only difference is a new expiration date, why not silently accept the new one, while still remembering the old expiration? That's a risk I'd be willing to take.
Same thing for multiple certificates from different issuers. I want to be warned only the first time a certificate is encountered. If the same one is encountered again next week or next month, then that's another "false-positive mismatch" that should be silently suppressed.
And, realistically, why does there need to be an add-on? Mozilla gets something like $300 million per year in funding. What are they doing with all that money, if Firefox is still so vulnerable to this nonsense?
There is a real need for software that makes this "just work".
But I'm still with you on this one. They may not necessarily have traffic monitoring on the wire, but they may monitor computer usage in another way. (Through asset management softwares, etc.)
Been there, got the T-shirt, been escorted off the premises (for sending personal emails on work time), whilst working for large US corp. This was over 15 years ago when I was starting out and I learned a very valuable lesson.
If you are a 'trouble maker' i.e. someone who asks too many undesirable questions or rocks the boat, then HR will find a way to fire you. Your work contract protects them and not you.
Know your employer.
I, for example, have no interest in working for a company where casual personal communication would get a person fired.
Bosses came and went. I was naïve.
Surprisingly, this is especially true if the bosses are the original founders.
So you have to be careful for any open source work, startup ideas, etc that you may have. Don't do it at work or on your work machine (even at home).
* If your agreement says "everything you do is ours," it's already too late for you. I never sign those contracts.
The conspiracy-minded part of me worries that, with the proper motivation, they could log into my email, Glassdoor, etc accounts and defensibly snoop on me since the information was technically on one of their machines. Whether this far flung possibility warrants foregoing the convenience of having all of my bookmarks and logins with me at work is unclear.
That's not very smart...
Bring your personal laptop to work, browse only thru the "personal hotspot" feature of your cellphone. Don't use the corporate network for anything non-work-related.
You might object and say that it's obvious that you're doing "personal browsing" if you're using your personal laptop. Ok, it is obvious. So just browse during break times and lunch. You don't need to be doing extensive personal browsing from work.
But to post about the company on a site like Glassdoor, on company time (which was implied) and using a company computer and network, seems foolish to me. After all, you are at work, no?
People who ignore this are making a big mistake. Nowadays it's just too easy to bring a laptop and a cellphone to work and use the "personal hotspot" feature.
As for sending personal emails on work time, that's what breaks and lunch are for, on your personal laptop. Fifteen years ago a laptop was much more expensive and personal hotspots didn't exist. Fifteen years ago I also used company computers for sending personal emails; thankfully I never got in trouble for it.