[conspire] Certificate rewrite concern

Rick Moen rick at linuxmafia.com
Mon Mar 14 15:30:56 PDT 2011


Quoting Ehud Kaldor (ehud.kaldor at gmail.com):

> A sec question: tried to go to gmail from office this morning, and got
> a certificate warning about bad cert. When I viewed it, common name is
> Google, but issuer is my work place (using something called Product
> Interceptor).
> 
> What does that mean? If I accept, will they be able to read through
> the ssl?  Any idea what's behind such a move (conspiracy welcomed)?


Seems like your workplace is interposing a proxy between you and TCP port
443 (https).  Could be this appliance:
http://www.scmagazineus.com/reflex-security-interceptor-1000/review/1075/

That certainly does, indeed, seem as if your employer will be able to
read your traffic to and from GMail.  Control freaks?  Wanting to spy
on employees and make sure they aren't sending proprietary company data
outbound?  Who knows.

If you have a home Linux machine, you could reach GMail via a Stunnel
connection bounced through your Linux machine.  (However, personally, 
my view is, if you have a home Linux machine and static IP, what the 
hell do you need GMail for in the first place?)

(Evading corporate WAN-control measures might be a termination-worthy
offence, so caveat lector.)

Here are two articles on proxy-blocking GMail, imposing on corporate 
employees the sort of traffic inspection you are apparently facing:
http://appsguy.com/2009/08/07/how-to-block-gmail-but-not-apps-ssl-terminations/
http://esj.com/articles/2010/04/06/ssl-risks.aspx

Notice in corporate-speak that this is called a 'Data Loss Prevention
(DLP) appliance'.

Ultimately, if you want to have your own rights and your privacy while
using the Internet, the best way is to pay for your own independent 
access.  E.g., back in the day, I had a Metricom Ricochet radio modem,
and if I really wanted to gain access to the Internet independently from
my employer, I used the radio modem rather than the corporate network.

Alternatively, do your private Internet access on your own time.  
Looking from their perspective, they're not paying you to use GMail,
right?
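
As an added illustration (not part of the original thread), here is a small stdlib-only Python check that makes the symptom described above explicit from a defender's side: given the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, it flattens the subject and issuer names and reports whether the certificate presented for a host was signed by one of the issuers you expect for it, or by something else such as a local interception CA. The certificates, issuer names and the expected-issuer table are constructed placeholders, not real CA names or the product mentioned in the original question.

```python
"""Flag a TLS-interception proxy by inspecting the issuer of the certificate
a server presents. Uses only the Python standard library."""
import socket
import ssl

# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert()
# returns: a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
# All issuer names below are placeholders invented for this example.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": (
        (("organizationName", "Example Corp IT"),),
        (("commonName", "Example Corp TLS Interceptor CA"),),
    ),
}

GENUINE_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA Ltd"),),
        (("commonName", "Example Public CA"),),
    ),
}

# Issuer common names we expect to sign each hostname. Placeholder values;
# in practice you would record the issuers observed from a network you
# trust (for example, home) and compare against those.
EXPECTED_ISSUERS = {
    "mail.google.com": {"Example Public CA"},
}


def name_to_dict(name):
    """Flatten getpeercert()'s tuple-of-RDNs into a {attribute: value} dict."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out[attr] = value
    return out


def classify(cert, expected_issuers=EXPECTED_ISSUERS):
    """Return (host, issuer_cn, verdict) for a getpeercert()-style dict.

    verdict is one of "expected-issuer", "unexpected-issuer" or
    "unknown-host" (no expectation recorded for that subject)."""
    subject = name_to_dict(cert.get("subject", ()))
    issuer = name_to_dict(cert.get("issuer", ()))
    host = subject.get("commonName", "?")
    issuer_cn = issuer.get("commonName", "?")
    expected = expected_issuers.get(host)
    if expected is None:
        verdict = "unknown-host"
    elif issuer_cn in expected:
        verdict = "expected-issuer"
    else:
        verdict = "unexpected-issuer"
    return host, issuer_cn, verdict


def is_intercepted(cert, expected_issuers=EXPECTED_ISSUERS):
    """True when the leaf certificate was signed by an issuer not on the list."""
    return classify(cert, expected_issuers)[2] == "unexpected-issuer"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate for host (network call; not used
    by the offline checks above). If an interception CA has been installed
    in the OS trust store the handshake succeeds silently, which is exactly
    why the issuer has to be inspected explicitly; if it has not, the
    browser-style warning shows up here as a verification error."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


if __name__ == "__main__":
    for cert in (GENUINE_CERT, INTERCEPTED_CERT):
        host, issuer_cn, verdict = classify(cert)
        print(f"{host}: issued by {issuer_cn!r} -> {verdict}")
```

Run as a script it prints one line per constructed certificate; to check a live connection, call `fetch_peer_cert("mail.google.com")` and pass the result to `classify`. The design point is that a "bad cert" warning only appears while the interceptor's CA is absent from the trust store; once an administrator pushes that CA to the workstation, the only visible trace is the issuer name, so that is what the check keys on.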
