Can my company see what HTTPS sites I went to?
An encrypted connection is established first before any HTTP requests are performed (e.g. GET, POST, HEAD, etc.), but the hostname and port are visible.
There are many other ways to detect which sites you’re visiting as well, for example:
- your DNS queries (i.e. they’ll see the IP request for secure.example.com)
- via network monitoring (e.g. netflow, IP to IP sessions, sniffing, etc.)
- if the device you are working on is owned by the company and they have administrator access/privileges to view anything on the device (e.g. view your browser caches)
A popular way to evade a Websense proxy is to first establish a connection via HTTPS to an outside proxy (e.g. https://proxy.org/) and make your request from there.
It is possible, but it requires some setup. Here is how it is done, and how you can tell.
On a corporate computer, where software updates are pushed from a central location, it is possible to send to your computer a "trusted" certificate that will be stored next to the trusted certificate of, say, VeriSign or Entrust.
Your company's proxy will hold the private key of that certificate.
When you visit an HTTPS web site, like https://mybank.com/, the proxy will put itself in the middle. It will establish an HTTPS connection with your browser, generating on the fly a certificate for mybank.com. It will replay (and possibly monitor or log) all your traffic on a new connection, from the proxy to mybank.com.
You can tell if this is the case by looking at the padlock icon. If you see that the certificate for mybank.com was issued by acmesprockets.com (the name of your company), then you know they can see your "encrypted" traffic. But since your company can force your computer to trust any certificate, they could create a certificate using a well-known name, like "Entrust.net Secure Server Certification Authority" (even if that would probably be illegal under some trademark law).
So how can you tell? After connecting to the website, look at the certificate. Details vary for each browser, but clicking on the padlock icon next to https is usually the place to start. From that certificate, find the certificate thumbprint and look it up online. Better yet, do the same thing with the certificate authority. If you don't find the certificate thumbprint online (but you can when you are at home or on your phone), chances are your HTTPS traffic is decrypted along the way.
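The check this answer describes (read the issuer off the certificate and compare its thumbprint with what you see from an independent network) can be automated. The following is an added example, not code from the answer above: it builds two constructed, structurally valid but placeholder-signed certificates for mybank.com with the stdlib only, one issued by a hypothetical "Example Public CA" (what you would see from home) and one issued by acmesprockets.com (the corporate CA from the answer), then parses the issuer CN out of the DER and compares SHA-256 thumbprints. The same `inspect_certificate` function works on a real DER certificate exported from a browser.

```python
import hashlib

# Minimal DER helpers: enough to build and read a toy X.509 certificate.
OID_CN = b"\x55\x04\x03"                                    # id-at-commonName (2.5.4.3)
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"    # sha256WithRSAEncryption
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"           # rsaEncryption


def tlv(tag, body):
    """Encode one DER tag-length-value."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, off):
    """Decode the TLV at buf[off]; return (tag, value, offset_after)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def rdn_name(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }, with a single CN."""
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode("utf-8")))
    return tlv(0x30, tlv(0x31, atv))


def toy_certificate(subject_cn, issuer_cn):
    """Constructed test data: a v3 certificate whose key and signature are zero-filled
    placeholders. It parses like a real one but proves nothing cryptographically."""
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 17))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                    # [0] version: v3
              + tlv(0x02, b"\x01")                             # serialNumber
              + alg                                            # signature algorithm
              + rdn_name(issuer_cn)                            # issuer
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))  # validity
              + rdn_name(subject_cn)                           # subject
              + spki)                                          # subjectPublicKeyInfo (placeholder)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))      # signatureValue (placeholder)


def common_name(name_der):
    """Return the CN attribute of a DER Name body, or None if there is none."""
    off = 0
    while off < len(name_der):
        _, rdn_set, off = read_tlv(name_der, off)
        p = 0
        while p < len(rdn_set):
            _, atv, p = read_tlv(rdn_set, p)
            _, oid, q = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, q)
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def inspect_certificate(der):
    """Return (subject CN, issuer CN, SHA-256 thumbprint) for a DER-encoded certificate.
    The thumbprint shown by browsers is simply the hash of the whole DER blob."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, off = read_tlv(tbs, 0)          # [0] version is optional (absent in v1)
    if tag != 0xA0:
        off = 0                             # that TLV was already the serial number
    _, _, off = read_tlv(tbs, off)          # serialNumber
    _, _, off = read_tlv(tbs, off)          # signature algorithm
    _, issuer, off = read_tlv(tbs, off)
    _, _, off = read_tlv(tbs, off)          # validity
    _, subject, off = read_tlv(tbs, off)
    return common_name(subject), common_name(issuer), hashlib.sha256(der).hexdigest()


def interception_verdict(der_seen_at_work, thumbprint_seen_at_home):
    """Compare the certificate presented on the corporate network with the thumbprint
    recorded from an independent network. Returns a reason string, or None if they match."""
    subject, issuer, thumb = inspect_certificate(der_seen_at_work)
    if thumb != thumbprint_seen_at_home:
        return f"certificate for {subject} differs from the one seen elsewhere; issuer is '{issuer}'"
    return None


if __name__ == "__main__":
    home = toy_certificate("mybank.com", "Example Public CA")     # constructed: seen from home
    work = toy_certificate("mybank.com", "acmesprockets.com")     # constructed: seen through the proxy
    home_thumb = inspect_certificate(home)[2]
    print(interception_verdict(work, home_thumb))
```

Only the thumbprint comparison is decisive: an interception CA can copy any issuer name it likes, as the answer notes, but it cannot reproduce the hash of the genuine certificate.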
Simple Proxy Servers
Even a simple proxy will see and log the names of the servers. For example, visiting https://example.com/some/address.html will create a request like this from the browser to the proxy server:
```http
CONNECT example.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) ...
Proxy-Connection: keep-alive
Host: example.com
```
The rest of the connection is encrypted and a simple proxy just forwards it.
Complex Proxy Servers
There are, however, more complex proxy servers, that are able to see the complete traffic in plain text. These kinds of proxy servers, however, require that you have a root certificate installed for which they can create server certificates on the fly.
Looking at the certificate chain in the browser usually reveals this kind of man-in-the-middle attack, at least in the common case of it being done by your own company and not state agencies:
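Both the first answer ("the hostname and port are visible") and the simple-proxy section above come down to two plaintext fields that leak the destination before any encryption starts: the CONNECT request line sent to an explicit proxy, and the server_name (SNI) extension in the TLS ClientHello seen by any passive sniffer. The following is an added example, not code from either answer: it parses both from constructed input (a CONNECT line and a minimal TLS 1.2 ClientHello built in the block itself) and shows that a hello without SNI yields nothing, which is the edge case a monitoring tool has to handle.

```python
import re

# CONNECT request line as seen by an explicit (forward) proxy, e.g. "CONNECT example.com:443 HTTP/1.1".
CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>\[[0-9a-fA-F:.]+\]|[^\s:/]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]\s*$"
)


def parse_connect(line):
    """Return (host, port) from a CONNECT request line, or None if it is not one."""
    m = CONNECT_RE.match(line.strip())
    if not m:
        return None
    return m.group("host").strip("[]"), int(m.group("port"))


def u16(b, off):
    return int.from_bytes(b[off:off + 2], "big")


def sni_from_client_hello(record):
    """Extract server_name from a TLS record carrying a ClientHello.
    Returns None for non-handshake records, non-ClientHello messages, or hellos without SNI.
    The hostname is in the clear because the server must pick a certificate before any key exists."""
    if len(record) < 9 or record[0] != 0x16:          # not a handshake record
        return None
    hs = record[5:5 + u16(record, 3)]
    if not hs or hs[0] != 0x01:                       # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                      # client_version + random
    off += 1 + body[off]                              # session_id
    off += 2 + u16(body, off)                         # cipher_suites
    off += 1 + body[off]                              # compression_methods
    if off + 2 > len(body):                           # old-style hello: no extensions block
        return None
    end = off + 2 + u16(body, off)
    off += 2
    while off + 4 <= end:
        etype, elen = u16(body, off), u16(body, off + 2)
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != 0x0000:                           # 0 = server_name extension
            continue
        p, list_end = 2, 2 + u16(data, 0)
        while p + 3 <= list_end:
            ntype, nlen = data[p], u16(data, p + 1)
            p += 3
            if ntype == 0x00:                         # name_type host_name
                return data[p:p + nlen].decode("ascii")
            p += nlen
    return None


def build_client_hello(hostname=None):
    """Constructed test data: a minimal TLS 1.2 ClientHello, with an SNI extension if hostname is given."""
    body = (b"\x03\x03" + bytes(32)                   # version, random (zeros: test data only)
            + b"\x00"                                 # empty session_id
            + b"\x00\x02\x13\x01"                     # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00")                            # compression: null only
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name
        sni = len(entry).to_bytes(2, "big") + entry
        exts = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni
        body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def observed_hosts(proxy_lines, tls_records):
    """What a proxy log plus a packet capture reveal: the set of destination hostnames."""
    hosts = set()
    for line in proxy_lines:
        hit = parse_connect(line)
        if hit:
            hosts.add(hit[0])
    for rec in tls_records:
        name = sni_from_client_hello(rec)
        if name:
            hosts.add(name)
    return sorted(hosts)


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    lines = ["CONNECT example.com:443 HTTP/1.1", "GET / HTTP/1.1"]
    records = [build_client_hello("secure.example.com"), build_client_hello()]
    print(observed_hosts(lines, records))
```

Note what is not in either field: the path (`/some/address.html`), query string and request body travel only inside the encrypted channel, which is exactly why a simple proxy sees the server but not the page.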