My company reads my secure web traffic

We’ve all been told that we should use websites that encrypt their traffic. We should look for the https:// at the start of the address to make sure the site is secure and give us peace of mind. But what if your company was still monitoring your web use, even though it was secure?

If you work in a medium to large sized organisation, then there’s a fair chance that you access the internet through a proxy service. This is a server that routes (and often restricts) web traffic in such a way to protect the corporate network – and maybe minimise staff wasting half their day on Facebook!

But with encrypted sites (where the URL begins with https://) a lot of people might assume that their employer might know they are visiting a particular site, but not what they are reading, writing or downloading. However that’s not the case.

Increasingly companies are implementing a feature called SSL Interception.

When you visit a site – for example https://securesite.com/ – you would normally assume that the owner of securesite.com is the one hosting the SSL certificate that is used to encrypt the traffic between your browser and the web server.

However, with SSL Interception the company’s proxy server generates SSL certificates for the sites that its employees visit. So when someone accesses https://securesite.com/ at work, their traffic is being encrypted with a certificate generated by the proxy – and as such, the proxy server can decrypt the traffic and examine (and log) what’s going back and forth. The proxy then re-encrypts the traffic before passing it out onto the internet to the website.

Most of the time employees don’t even notice the difference because the site still looks secure in their browser. They only find out that it’s happening if a problem occurs with the proxy server’s certificate – either that the company lets it go out of date or it’s wrongly configured – and people start seeing errors in their browser.

The only sure way to tell if SSL Interception is happening is to examine the certificate and see who issued it. You can do this in Chrome by clicking on the padlock symbol to the left of the address bar, and then click on ‘certificate’ on the popup screen.

If the certificate says it is ‘Issued by’ a public certificate authority then your traffic isn’t being intercepted. But if the certificate says it is ‘Issued by’ someone else – such as your employer – then they are intercepting and reading your web traffic. (The ‘Issued to’ field will still name the site you asked for, because the proxy copies that into the certificate it generates, so it is the issuer you need to look at.)

And as long as your employer mentions in a computer usage policy or similar that they reserve the right to monitor all web traffic, this is perfectly legal in most parts of the world.
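The two-store comparison below is an added example, not part of the original post. It assumes the client has a pinned copy of a public CA bundle to hand (for instance certifi's cacert.pem, which is not on the page): a certificate minted by a corporate proxy verifies against the operating-system trust store (where the corporate CA was installed) but not against the pinned public bundle. The sample certificate dicts are constructed, in the shape Python's `ssl` module returns from `getpeercert()`, and the CA names in them are hypothetical.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a certificate for securesite.com that an interception proxy minted under
# its own corporate CA (hypothetical names).
INTERCEPTED_CERT = {
    "subject": ((("commonName", "securesite.com"),),),
    "issuer": (
        (("organizationName", "Example Corp"),),
        (("commonName", "Example Corp Web Proxy CA"),),
    ),
    "subjectAltName": (("DNS", "securesite.com"),),
}

# Constructed sample of the same site signed by a public CA (hypothetical names).
PUBLIC_CERT = {
    "subject": ((("commonName", "securesite.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA Ltd"),),
        (("commonName", "Example Public CA R1"),),
    ),
    "subjectAltName": (("DNS", "securesite.com"),),
}


def name_to_dict(name):
    """Flatten the nested RDN tuples used by getpeercert() into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}


def subject_cn(cert):
    """The 'Issued to' name: identical for both samples, so it proves nothing."""
    return name_to_dict(cert.get("subject", ())).get("commonName", "?")


def issuer_of(cert):
    """The 'Issued by' name as 'O / CN': this is the field that reveals a proxy."""
    issuer = name_to_dict(cert.get("issuer", ()))
    return f"{issuer.get('organizationName', '?')} / {issuer.get('commonName', '?')}"


def fetch_cert(host, port=443, cafile=None):
    """Handshake with host and return its leaf certificate as a dict.

    cafile=None verifies against the OS trust store (which may contain a
    corporate CA).  Passing a pinned public bundle verifies against that
    bundle only, because create_default_context() skips the OS store when
    cafile is given.  Raises ssl.SSLCertVerificationError when untrusted.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def classify(os_store_trusts, pinned_bundle_trusts):
    """Turn the two verification outcomes into a verdict."""
    if os_store_trusts and not pinned_bundle_trusts:
        return "likely intercepted"          # trusted only by a locally installed CA
    if os_store_trusts and pinned_bundle_trusts:
        return "publicly trusted chain"
    if pinned_bundle_trusts:
        return "public chain, but the OS store lacks the root"
    return "untrusted by both stores"


def check(host, pinned_bundle):
    """Connect twice (OS store, then pinned bundle) and report issuer + verdict.

    Needs network access; the pure functions above are what the offline
    samples exercise.
    """
    def try_fetch(cafile):
        try:
            return fetch_cert(host, cafile=cafile)
        except ssl.SSLCertVerificationError:
            return None

    via_os = try_fetch(None)
    via_pinned = try_fetch(pinned_bundle)
    leaf = via_os or via_pinned
    verdict = classify(via_os is not None, via_pinned is not None)
    return (issuer_of(leaf) if leaf else "n/a", verdict)


if __name__ == "__main__":
    for label, cert in (("proxy-minted", INTERCEPTED_CERT), ("public", PUBLIC_CERT)):
        print(f"{label}: issued to {subject_cn(cert)}, issued by {issuer_of(cert)}")
```

Run `check("securesite.com", "/path/to/cacert.pem")` from a corporate machine to see the verdict for a live site; the offline samples show why the subject alone is misleading, since both carry the same `commonName`.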

Password length for my eir

While many online portals are embracing two-factor authentication and other security best practice, our telecoms utility eir seems determined to stop us using good quality passwords.

As you can see from the screenshot below, the self-service portal my.eir.ie doesn’t allow users to set passwords longer than 10 characters.

The error message on screen also notifies anyone (including potential hackers) that all passwords for the system are between 6 and 10 characters – which would be a massive help to anyone attempting a brute-force attack on the site, as it would reduce the number of password combinations they need to try.

This is a shocking example of bad security by design, and is a carryover from the old Meteor self-service portal. Someone at some time in the past chose to limit password length, which forces people to use short insecure passwords.
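To put a number on the point made above, here is an added example (not from the original post, and not the portal's own code) that compares the 6-to-10 character rule with a policy that allows long passphrases, measures how much of the search space each one leaves, and stores passwords through a salted key-derivation function so that length is never a storage concern. The charset size of 95 (printable ASCII) and the 12/128 limits of the better policy are my assumptions.

```python
import hashlib
import hmac
import math
import os

# The limits the error message on my.eir.ie reveals.
WEAK_POLICY = {"min_len": 6, "max_len": 10}
# A constructed alternative: a sensible minimum and a generous maximum.
BETTER_POLICY = {"min_len": 12, "max_len": 128}

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def validate(password, policy):
    """Apply a length policy and explain a rejection."""
    n = len(password)
    if n < policy["min_len"]:
        return False, f"shorter than {policy['min_len']} characters"
    if n > policy["max_len"]:
        return False, f"longer than {policy['max_len']} characters"
    return True, "ok"


def search_space_bits(charset_size, min_len, max_len):
    """log2 of how many distinct passwords a length policy permits.

    An attacker who knows the limits only has to cover this range, which is
    exactly the leak the error message hands out.
    """
    total = sum(charset_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def hash_password(password, salt=None):
    """Salted PBKDF2: output is fixed-size whatever the input length, so a
    10-character cap buys the server nothing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    passphrase = "correct horse battery staple"  # constructed sample
    print("weak policy:", validate(passphrase, WEAK_POLICY))
    print("better policy:", validate(passphrase, BETTER_POLICY))
    print("bits, 6-10 chars: %.1f" % search_space_bits(95, 6, 10))
    print("bits, 12-128 chars: %.1f" % search_space_bits(95, 12, 128))
    print("stored form:", hash_password(passphrase)[:40], "...")
```

The weak policy yields roughly 66 bits of search space at best, and in practice far less, because people forced into 10 characters reach for dictionary words; the longer policy costs the server nothing extra since the stored digest is always 32 bytes.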

Migrating my WordPress blog to SiteGround

I was looking around for a different web hosting company, and decided to give SiteGround a try, because they seem to have a good quality service at a reasonable price.

I signed up for their GrowBig hosting plan that allows you to host multiple domains/sites on one account, and also fully supports the Let's Encrypt free SSL service.

Google are keen for the whole of the web to be encrypted. They announced a few years ago that they started to boost web pages in their search results that are hosted on secure sites, and also that later this year the Chrome browser will highlight "Not Secure" web sites.

I had already played around with installing an SSL certificate for my richardbloomfield.com site, but SSL certs can be expensive to buy and maintain, and my old host would only allow me to install one cert on my shared hosting account – so I could only secure one of my domains.

To perform the migration of my WordPress blog between hosts, I followed the instructions on this page:

How to Move WordPress to a New Host or Server With No Downtime

It uses a plugin called Duplicator that does all the heavy lifting of creating a complete backup of your existing site – including the WordPress database (that stores all your posts, pages, comments, and settings), and all the WordPress files (the WordPress software itself plus any themes and plugins you've installed).

The blog installed without any problems on my new hosting account, and I was left with an exact copy of my old WordPress installation.

Then all that was left was to log into the SiteGround control panel and enable the Let's Encrypt SSL for that domain with a couple of clicks, and I was all set.

I also installed the SG Optimizer plugin that allows me to make use of the SiteGround dynamic web cache (which really speeds up my web site) and allows for a one-click option to force all blog traffic over the HTTPS secure connection.

Gmail two-factor authentication

It's interesting that Google has revealed that fewer than 10% of people using Gmail have two-factor authentication active on their account. Most people are relying on just their password to protect them!

So why should anyone be worried about their email getting hacked? A lot of people might say that their email doesn't contain anything of particular value to worry about – but they forget that your email is often the access key to every other service you use online.

Think about all the forgotten password reset forms you've ever filled in. Most of the time, all they require is for you to enter your email address, and then click on a link in the subsequent email they send you.

So, if I have access to your email account, I can start accessing all your accounts: all your social media accounts, all your online utility accounts, and maybe even some of your bank/financial accounts. I can certainly find out a lot of information about you that I could use for identity fraud.

I also have full access to all your contacts, and can approach them, pretending to be you, and try and scam them out of money or information.

So I'd certainly recommend that your email account should be the most secure account you have online – precisely because it's the gateway to all your other accounts.

So what is two-factor authentication then?

Two-factor authentication requires you to enter two pieces of information to access your account. The first authentication is your password, and the second is typically something like a 4 or 6 digit code sent via SMS to your phone.

With two-factor authentication enabled, you need to have access to both your password and a physical device (your mobile/cell phone) to access your account. And so it makes it a lot harder for someone to hack into your account.

Google makes it even easier to use, in that it offers alternatives to the typical SMS code sent to your phone. You can do your second authentication by using any of these methods:

  • clicking a button on your phone
  • running an authentication code app (useful if you don't have signal to receive an SMS)
  • receiving an automated voice call to your mobile or landline
  • storing a security code on a USB stick
  • having a printed list of codes

And once you have authenticated yourself on a particular computer or device you often don't need to re-authenticate yourself for a month or more – and so it's not that big a hassle.

And to enable it, all you have to do is visit the Google 2-Step Verification site and turn it on. It takes only a few minutes, and could go a long way to securing yourself online.
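The "authentication code app" option in the list above works without any signal because the phone and the server compute the same 6-digit code from a shared secret and the current time (TOTP, RFC 6238, built on HOTP, RFC 4226). The implementation below is an added example, not Google's code or anything from the original post; the only values it relies on are the public test vectors from those two RFCs, and the 30-second step and one-step tolerance window are the usual defaults, assumed here.

```python
import base64
import hashlib
import hmac
import time

# The shared test key published in RFC 4226 / RFC 6238 (not a real secret).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a raw secret and counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of elapsed steps."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify_totp(code, secret, at=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step or one either side to absorb
    clock drift, comparing in constant time.  A 6-digit code has only a million
    possibilities, so the server must also rate-limit attempts per account."""
    now = time.time() if at is None else at
    counter = int(now // step)
    ok = False
    for c in range(counter - window, counter + window + 1):
        # Evaluate every candidate so timing does not reveal which one matched.
        if hmac.compare_digest(hotp(secret, c, digits), code):
            ok = True
    return ok


def secret_from_base32(text):
    """Authenticator apps are provisioned with a base32 secret (what the QR code
    carries); decode it to the raw bytes HMAC needs."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print("code right now:", totp(RFC_TEST_SECRET))
    print("RFC 6238 vector at T=59:", totp(RFC_TEST_SECRET, at=59, digits=8))
```

With the RFC key, the counter-0 HOTP is 755224 and the 8-digit TOTP at 59 seconds is 94287082, which is how you can check any implementation, including this one, against the standard.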

What about other services?

You can enable two-factor authentication on all major sites such as Facebook, Twitter, Instagram and LinkedIn. Your bank probably forces you to use it, or has some additional security steps to try and protect your account.

And you can visit the site Two Factor Auth to find out what online services you use have it available.

Playing around with SSL certs

Inspired by a blog post I was reading recently, I started having a play around with an SSL cert.

An SSL cert is what enables a website to encrypt the traffic to and from the end user. This improves security and trust, and I’ve read that it also improves your search rank in Google. The most notable difference to a web site visitor is that the URL of the site changes from http:// to https:// and a little padlock symbol is displayed next to the URL in the address bar.

Some SSL certs can be really expensive to buy. The ones from my own hosting provider range from €30 to €700 a year, depending on the type of cert you want. However by shopping around a bit on the web, I came across SSLs.com who sell certs from as low as $5 a year!

Buying the cert is the easy bit. Configuring it and installing it is a bit more tricky, and I couldn’t find any easy instructions online.

  • First of all you need to generate a CSR (Certificate Signing Request). When generated it looks like a really long string of random letters and numbers. Often you need to ask your web host to create the CSR for you, but I found this tool from SSL Store to generate mine. Make sure you keep the CSR and Private Key safe!
  • Back at SSLS.com you then need to activate your SSL cert – and you will be prompted to enter the CSR. Copy and paste the full value into the box provided. The SSL cert will then be generated and emailed to you in a ZIP file.
  • I installed the supplied SSL cert myself using my web host’s control panel. Make sure you install all the certs provided, together with the Private Key you supplied earlier. In the ZIP file you’ll find your domain cert and three CA certs. Install them all.

The cert should now work for your domain, and you should be able to view your site securely using https at the start of the domain.

For my WordPress site, I also installed the WP Force SSL plugin to automatically redirect non-secure traffic to the secure domain.
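Once the domain cert, the three CA certs and the redirect plugin are in place, the checks a visitor's browser will actually perform are: does the chain validate, does the name match, is the cert in date, and does plain http:// get sent to https://. The script below is an added example, not from the original post or from any of the plugins mentioned, that runs those checks against a hostname using only Python's standard library. The sample certificate dict and the hostname `example.com` are constructed for the offline parts; `check_site()` needs network access.

```python
import http.client
import socket
import ssl
import time

# Constructed sample in getpeercert() format, used for the offline functions.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notAfter": "Mar 01 12:00:00 2030 GMT",
}


def fetch_cert(host, port=443):
    """Full TLS handshake with verification on.  This fails if an intermediate
    CA cert was not installed, if the name does not match, or if the cert has
    expired, which are the three usual installation mistakes."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def expiry_epoch(cert):
    """notAfter as seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert, now=None):
    """How long before the cert lapses (negative once it has)."""
    now = time.time() if now is None else now
    return (expiry_epoch(cert) - now) / 86400


def redirect_verdict(status, location, host):
    """Classify the first response to http://host/ from its status and Location."""
    if status not in (301, 302, 307, 308):
        return "no redirect: plain HTTP is being served"
    if location and location.startswith(f"https://{host}"):
        return "redirects to HTTPS"
    return f"redirects elsewhere: {location}"


def check_http_redirect(host):
    """Request the plain-HTTP front page and report where it sends you."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return redirect_verdict(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


def check_site(host, warn_days=14):
    """Run every check and return a list of findings (network required)."""
    findings = []
    try:
        cert = fetch_cert(host)
        left = days_until_expiry(cert)
        findings.append(f"chain and hostname OK; {left:.0f} days until expiry")
        if left < warn_days:
            findings.append("renew soon: expiry is within the warning window")
    except ssl.SSLCertVerificationError as exc:
        findings.append(f"certificate verification failed: {exc.verify_message}")
    findings.append(check_http_redirect(host))
    return findings


if __name__ == "__main__":
    for line in check_site("example.com"):
        print(line)
```

A "certificate verification failed" line with "unable to get local issuer certificate" is the symptom of leaving one of the CA certs out of the install; the redirect line tells you whether the WP Force SSL plugin is doing its job.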

Anyway, so it all works, and my richardbloomfield.com site is now encrypted and secure!
