
Superfish opens another can of worms in MITM attacks

Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    There is another crowd that does this too. I remember reading about their product offering long ago because our company uses them for something else. I found it a bit terrifying that a company could MITM its employees without them knowing. I will dig it out today.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Khannie wrote: »
    There is another crowd that does this too. I remember reading about their product offering long ago because our company uses them for something else. I found it a bit terrifying that a company could MITM its employees without them knowing. I will dig it out today.

    Companies are doing MITM to employees' PCs all the time to get inside the TLS traffic. Do you trust your employer? Where is the MITM attack taking place? (e.g. in the US - outside of EU data privacy controls?) You need to check the certificate when you do things like ebanking to see it is issued to your bank or someone else (e.g. your company). Companies put their own trusted certificate authorities in employees' PCs - so your browser keeps silent on the matter. Even Google searches are "secure" (i.e. TLS) - I wouldn't want an employer to be logging my search words after hacking the link between my PC and Google.
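
The certificate check described in the post above, sketched as an added example that is not part of any post in this thread: it compares the issuer of the certificate this machine sees with the issuer expected for the site. The CA names, the `bank.example` host and the sample dictionaries are constructed; only the dictionary layout follows Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

def issuer_fields(cert):
    """Flatten the nested RDN tuples that getpeercert() returns for 'issuer'."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def check_issuer(cert, expected_orgs):
    """Return (ok, issuer_org). ok is False when the issuing organisation is not
    one expected for this site, e.g. an employer's inspection CA."""
    fields = issuer_fields(cert)
    org = fields.get("organizationName") or fields.get("commonName", "")
    return (org.casefold() in {o.casefold() for o in expected_orgs}, org)

def fetch_peer_cert(host, port=443, timeout=5):
    """Live use: validate against the local trust store and return the leaf cert.
    A locally installed corporate root makes this succeed silently, which is
    why the issuer still has to be compared afterwards."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the getpeercert() dict layout (not real certificates).
DIRECT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
}
INTERCEPTED = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Web Filter CA"),)),
}

def demo():
    """Check both constructed certificates against the expected public CA."""
    expected = {"Example Public CA"}
    return [check_issuer(c, expected) for c in (DIRECT, INTERCEPTED)]

if __name__ == "__main__":
    for ok, org in demo():
        print("expected issuer" if ok else "UNEXPECTED issuer", "->", org)
```

An issuer name is only a text field and can be imitated, so comparing the certificate fingerprint with one obtained over a separate network is the stronger check.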


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Impetus wrote: »
    Companies are doing MITM to employees' PCs all the time to get inside the TLS traffic

    In Ireland they're required to inform you if they're doing this, thankfully.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Khannie wrote: »
    In Ireland they're required to inform you if they're doing this, thankfully.

    I suspect that not 100% of companies actually advise employees of this. It could be standard policy on a system based in the US - in a company with a "close your eyes and drive on" mentality. Nobody is checking compliance, probably.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I'm sure most people would sue the arse out of a company that was intercepting their HTTPS encrypted traffic and not informing them about it. Sure people send private emails in work. Just because it's the company's envelope doesn't give them the right to open it. ;)


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Khannie wrote: »
    In Ireland they're required to inform you if they're doing this, thankfully.

    They are, but realistically it's done with very broad language along the lines of having something like 'x company reserves the right to monitor internet use while using x company's assets' in their IT Acceptable Use Policies. Most people would have no idea of the actual significance of something like that.


  • Registered Users, Registered Users 2 Posts: 607 ✭✭✭brianwalshcork


    The reality is that if you're in a company with anything more than an eircom DSL box on the wall, your HTTPS traffic is more than likely being MITM'd but not for nefarious purposes...
    Most content filters have an option to intercept https traffic and inspect it for malware.

