Spying on SSL

ArsTechnica had a nice write-up regarding a recently uncovered hardware device that facilitates man-in-the-middle attacks on SSL. The fact that this is possible is nothing new. The fact that it now exists in hardware seemingly is.

While the article focuses on the government spying angle, this exact same thing applies to corporate spying. For the sake of example, presume I'm working in an identical role at EvilCorp. EvilCorp does what quite a lot of corporate America does and restricts employee access to the internet. They go a step further and attempt to stop 'information leaks' of proprietary documents. While systems that do this for SMTP-based email are commonly available, blocking webmail access is another issue. One option is to subscribe to a webmail block-list that updates your filtering appliance with sites to block users from. Another option is to allow them to access it, but be sure they're not selling you out to MoreEvilCorp.

To do this, you first need a mandatory HTTP proxy. Dead easy to implement in the modern network. Second, you need access to a Certificate Authority trusted by your peons. If you're running Active Directory (and really, what self-respecting EvilCorp wouldn't?) then you have a trusted CA built into your infrastructure. Third, you need a software package (or maybe a, say, hardware appliance) that'll generate a certificate for gmail.com signed by your own CA, talk SSL to the client, and then create a separate SSL session with the real gmail.com, allowing you to sniff their personal email free of that dreadful encryption.
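The three pieces above add up to a certificate chain the client will accept, because the corporate CA already sits in its trust store. The example below is added here and is not code from the post, from ArsTechnica or from the device described; both CAs, their names and the gmail.com leaf are constructed locally (no network is touched). It builds the genuine chain and the proxy's chain in Go, shows that ordinary trust-store validation passes both, and then runs the check that does catch the swap: pinning the SHA-256 of the SubjectPublicKeyInfo that the real site is known to present.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// template describes either a CA (isCA) or a server certificate for cn. A CA here
// stands in for a public root or for the enterprise CA that Active Directory installs
// in every domain member's trust store; a leaf is what the real site presents, and
// also what the proxy in the post mints for the same host name under its own CA.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mustCert generates a fresh P-256 key and certifies it from tmpl. With parent nil the
// result is self-signed; otherwise parentKey signs it. A failure here means the local
// crypto is broken, so this demo simply panics.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: the value a client records out
// of band for the key it expects the genuine site to present.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// chainIsTrusted asks the stock browser question: does the leaf chain to something
// in my trust store for this host name?
func chainIsTrusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// runScenario builds the genuine chain and the proxy's chain for host and runs both
// checks on each. Returned in order: genuine trusted, genuine pin matched,
// forged trusted, forged pin matched. All names below are constructed for the demo.
func runScenario(host string) (bool, bool, bool, bool) {
	publicCA, publicKey := mustCert(template("Constructed Public Root CA", 1, true), nil, nil)
	corpCA, corpKey := mustCert(template("EvilCorp Enterprise CA (constructed)", 2, true), nil, nil)
	genuine, _ := mustCert(template(host, 10, false), publicCA, publicKey)
	forged, _ := mustCert(template(host, 11, false), corpCA, corpKey)

	// The client trusts both roots: the public one as shipped and the corporate one
	// because group policy installed it. That is why plain validation cannot tell
	// the two chains apart.
	roots := x509.NewCertPool()
	roots.AddCert(publicCA)
	roots.AddCert(corpCA)

	pin := spkiPin(genuine) // recorded earlier, over a connection nobody was proxying
	return chainIsTrusted(genuine, host, roots), spkiPin(genuine) == pin,
		chainIsTrusted(forged, host, roots), spkiPin(forged) == pin
}

func main() {
	gt, gp, ft, fp := runScenario("gmail.com")
	fmt.Printf("genuine site: trusted=%v pin=%v\n", gt, gp)
	fmt.Printf("proxy chain:  trusted=%v pin=%v\n", ft, fp)
}
```

The one thing the proxy cannot reproduce is the genuine site's private key, so the SPKI pin fails no matter which trusted CA the forged certificate chains to. Two caveats for anyone relying on this: the pin has to be recorded over a path that is not already proxied, and a pin failure only tells the client to refuse the connection; it does not get the mail through.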

The device in the article sounds like an all-in-one hardware appliance designed to do exactly what a lot of companies would really like to start doing. And what's good for corporate spying is good for the spooks (for whom it is more likely to be illegal).