Getting around snooping at work (was: Web Filtering)

Tod Hansmann plug.org at todandlorna.com
Fri Apr 5 23:58:53 MDT 2013


On 4/5/2013 12:45 PM, Lonnie Olson wrote:
> On Fri, Apr 5, 2013 at 12:28 PM, Barry Roberts <blr at robertsr.us> wrote:
>> It's cake until you have to add that cert to your jvm keystore, and
>> configure git to work when ssl certs don't match, and configure your
>> package management, and so on, and so on.  Working for a large public
>> company sucks sometimes (?).  Filtering employee web access is considered
>> standard now.
> Agreed.  It does suck.  Also even more worrisome is that this SSL MITM
> filtering means it's possible and trivial for your company to log,
> sniff, and eavesdrop on your private HTTPS connections, including your
> banking info, private web mail sessions, etc.
>
> My company has brought up the subject of enabling this feature several
> times, I have to fight hard every time to prevent it.  So far I have
> been successful.  Filtering unencrypted web sessions doesn't bother
> me, but don't mess with SSL.  It breaks trust with users, opens new
> holes in security, prevents true site verification, and is just plain
> creepy (IANAL).
>
>
Some notes on getting around corporate filtering or snooping:

First, it's your webmail, but not your internet connection.  How its 
used is their business and their right to allow you to do X or Y with 
it.  From that perspective it's not creepy unless they're reading your 
email for other purposes (which you have to allow them to do, by 
accessing your email from their network).  You don't have to do those 
not-at-all-work-related things at work, regardless of what excuse you 
come up with that makes it inconvenient for you that you think makes 
their paranoia unjust.  In other perspectives, just about every small 
company is one lost-lawsuit-as-a-result-of-a-printed-porn-image away 
from ceasing to operate.  Again, ultra-paranoid, but if we can go to one 
extreme, we can go to the other just as easy.

That said, open an SSH tunnel on an allowed port or use a cell phone 
with tethering to access your mail/bank/whatever.  EVERY network has 
allowed ports, and some things simply aren't proxied/intercepted because 
they're not understood by the software engineers that write these 
things, but some line-of-business app uses 15832 or whatever and for 
some reason it goes to a non-static or unknown IP every time it 
connects, so it has to be open to everywhere or something.  If your 
corporate network is so incredibly tied down that you literally can only 
access 80/443, well, that's sort of weird but you can always get another 
job if that's just too much.  Some people leave over benefits, others 
over dress code, this can't be that far off.

Another way I've seen works for some people is to setup a web proxy at 
home on a home dns address.  There's a number of open source proxies 
that are easy to use and just run through a browser. There's issues, but 
they tend to at least get around filtering.  I once read about a project 
that was going to use http POSTS to send SSH traffic for totally crazy 
filtering, but I figure that would be easy to see pattern matched, so 
I'm not sure if it would get written once someone has that simple 
realization.

OpenVPN, before someone mentions it, is rarely a good route around 
filtering.  It's REALLY easy to pattern match the protocol, and I've 
seen a lot of filters that will look for it or other VPN traffic. SSH is 
typically (typically mind you) more effective because it's difficult to 
MITM ahead of time and is used in so many administration efforts.  Which 
ones do you filter?  Food for thought.

-Tod Hansmann


More information about the PLUG mailing list