My company reads my secure web traffic

We’ve all been told that we should use websites that encrypt their traffic. We should look for the https:// at the start of the address to make sure the site is secure and give us peace of mind. But what if your company was still monitoring your web use, even though it was secure?

If you work in a medium to large sized organisation, then there’s a fair chance that you access the internet through a proxy service. This is a server that routes (and often restricts) web traffic in a way that protects the corporate network – and maybe minimises staff wasting half their day on Facebook!

But with encrypted sites (where the URL begins with https://) a lot of people assume that their employer might know they are visiting a particular site, but not what they are reading, writing or downloading. However, that’s not the case.

Increasingly companies are implementing a feature called SSL Interception.

When you visit a site – for example https://securesite.com/ – you would normally assume that the owner of securesite.com is the one hosting the SSL certificate that is used to encrypt the traffic between your browser and the web server.

However, with SSL Interception the company’s proxy server generates SSL certificates for the sites that its employees visit. So when someone accesses https://securesite.com/ at work, their traffic is being encrypted by an SSL certificate generated by the proxy – and as such, the proxy server can decrypt the traffic and examine (and log) what’s going back and forth. The proxy then re-encrypts the traffic before passing it out onto the internet to the website.

Most of the time employees don’t even notice the difference because the site still looks secure in their browser. They only find out that it’s happening if a problem occurs with the proxy server’s certificate – either because the company lets it go out of date or because it’s wrongly configured – and people start seeing errors in their browser.

The only sure way to tell if SSL Interception is happening is to examine the certificate and see who issued it. You can do this in Chrome by clicking on the padlock symbol to the left of the address bar, and then clicking on ‘certificate’ on the popup screen.

If the certificate says it is ‘Issued to’ the site you are trying to access then your traffic isn’t being intercepted. But if the certificate says it is ‘Issued to’ someone else – such as your employer – then they are intercepting and reading your web traffic.
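The same "see who issued it" check can be scripted. The following is an added example, not part of the original article: it summarises the fields the certificate viewer shows and compares the issuer seen on the work network with one recorded from another network. The function names and the sample certificates (in the format Python's `getpeercert()` returns) are constructed for illustration.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5):
    """Return the certificate this network hands us, as a getpeercert() dict.
    Verification stays on; a trust error during the handshake is itself a clue."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_field(cert, section, key):
    """Pull one attribute (e.g. commonName) out of 'subject' or 'issuer'."""
    for rdn in cert.get(section, ()):
        for k, v in rdn:
            if k == key:
                return v
    return None

def describe(cert):
    """Summarise the two fields the browser's certificate viewer shows."""
    issued_by = (name_field(cert, "issuer", "organizationName")
                 or name_field(cert, "issuer", "commonName"))
    return {"issued_to": name_field(cert, "subject", "commonName"),
            "issued_by": issued_by}

def issuer_differs(cert_here, cert_reference):
    """True when this network's issuer is not the one seen from a reference network.
    A mismatch is a prompt to look closer, not proof: a large site can serve
    certificates from more than one public CA."""
    return cert_here.get("issuer") != cert_reference.get("issuer")

# Constructed samples (all names made up). A proxy-generated certificate still
# names the site as its subject; the issuer is the field that changes.
SEEN_AT_WORK = {
    "subject": ((("commonName", "securesite.com"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Proxy CA"),)),
}
SEEN_ELSEWHERE = {
    "subject": ((("commonName", "securesite.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}

if __name__ == "__main__":
    print(describe(SEEN_AT_WORK), describe(SEEN_ELSEWHERE))
    print("issuer differs:", issuer_differs(SEEN_AT_WORK, SEEN_ELSEWHERE))
    # Live use (needs network): print(describe(fetch_cert("securesite.com")))
```
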

And as long as your employer mentions in a computer usage policy or similar that they reserve the right to monitor all web traffic, this is perfectly legal in most parts of the world.