a question for you people in IT


Imdmn04

Platinum Member
Jan 28, 2002
2,566
6
81
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Unless you are in a very high position within the company, I fail to see how they would spend a huge amount of resources to decrypt SSL.

People paranoid in security tend to forget the most important factor in all of security: there is always a way, but at what cost?

Most people are not important enough to justify that cost. The human factor is the most important aspect of security, not technicality.

Like I said before, it depends on where you work and what sort of confidential information you have access to. You'd better believe they monitor a lot more than 'high ranking' people these days.

Everybody accesses Gmail, Hotmail or Yahoo at work. In a typical 10k-person company, I fail to see how they have the resources to read everybody's email. They would need several dozen supercomputers to decrypt all that traffic. Then, you would actually need people to read it.


No, there is no need for a supercomputer nor any person to read the emails.. scripts can easily be written to snag certain data which is then read by a human.

Educate yourself:
http://www.bluecoat.de/downloa...epapers/BCS_SSL_wp.pdf

The device looks like this:
http://www.bluecoat.com/downlo...SG_8100_shadow_med.jpg

This is just one example of this technology in play, there are certainly other vendors out there. These devices are not expensive or hard to implement.

Furthermore, like I said it totally depends on the company you work for. Do you think for example that Mastercard would filter an employee's gmail for credit card numbers? Yes.
People that make less than 10 dollars an hour have access to countless credit card numbers at any given time during the day, these are certainly not high ranking positions in a company, these are the first level people you get when you call any CC company.

Like I said before, this is just one small example, think of what other protected company data is out there. Don't think you're safe because you're using SSL, it's not realistic anymore.

I briefly skimmed over the whitepaper, and I may have missed it, but it looks like a device that governs SSL sessions rather than decrypting them?

I can't find the part where it says the contents are decrypted?


:roll::roll::roll:

Now you're just being obtuse, where did I ever say 'decrypt SSL'? If you notice the first time I even mentioned it:

Originally posted by: Platypus
They certainly can and certainly do depending on the company you work for. I work for a large financial corporation so our emails are constantly scrutinized for example.

Bottom line, don't do stuff at work you wouldn't want your boss reading... but they're not filtering every message you send from webmail services for example. It's quite simple for them to get around SSL encryption used by Gmail or other webmail providers and they can and will do it. If you're an unpopular person within the company or you do something that gets you written up you better believe they'll be monitoring your email/web traffic to collect anything they might need to get rid of you.

It's one thing to be ignorant and educate yourself, it's another to continue to be arrogant when you have nothing to contribute to a conversation.


The OP asked whether IT can read his/her web emails, the answer is no, for all practical purposes.

Getting around SSL sessions is not what the OP asked for. So don't get your panties in a bunch because I actually gave a valid answer.
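The "scripts that snag certain data" in the quoted exchange above are, in practice, pattern scanners run over the text the gateway sees. As an added example (not code from any poster on this page or from any vendor's product), here is the defender's version of that check: a small DLP-style scanner for payment card numbers that uses the Luhn checksum to separate real card numbers from order ids and phone numbers, and masks what it reports so the finding itself does not become a second leak. The messages are constructed, and the card numbers are the standard published test numbers, not real accounts.

```python
"""Pattern scanner of the kind a monitoring gateway runs over decrypted webmail text.

Added example, not code from any poster or vendor on this page: a small
DLP-style check for payment card numbers. The messages are constructed, and the
card numbers are the standard published test numbers, not real accounts.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Runs of 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the cheap filter that separates card numbers from order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """Keep only the BIN and the last four digits in the finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class Finding:
    message_id: str
    masked_pan: str

def scan_messages(messages) -> list[Finding]:
    """messages: iterable of (message_id, body). Returns one Finding per card number found."""
    return [Finding(msg_id, mask(pan)) for msg_id, body in messages for pan in find_pans(body)]

# Constructed sample traffic (test card numbers only).
SAMPLE_MESSAGES = [
    ("msg-001", "hey, can you charge the booking to 4111 1111 1111 1111, exp 09/27? thanks"),
    ("msg-002", "order #20230912345678 shipped, tracking 1Z999"),   # 14 digits, fails Luhn
    ("msg-003", "nothing to see here"),
    ("msg-004", "customer card 5555-5555-5555-4444 and 378282246310005"),
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding.message_id, finding.masked_pan)
```

The point of the Luhn step is precision: a raw 16-digit regex over a whole company's webmail floods whoever reviews the findings with tracking numbers and invoice ids, while the checksum drops most of those at no cost. A real deployment would add keyword context and rate limits on top, but the shape is the same: the machine scans, and only the hits reach a human.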
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,403
8,199
126
There are some pretty invasive security/snooping applications out there. One that I was researching ran as a hidden service and randomly took screenshots as you worked. It then emailed them off to an admin/manager. If they didn't like what they saw they could up the frequency of the screenshots and make a portfolio against you.

The thing was even configurable so that you could install it on laptops and it worked "off the network" and then phoned home once you synched back up. Imagine taking a company laptop on a work trip and while in the hotel you used the free wireless internet provided by the hotel to surf for porn at night. Well that software would actually snap pictures of that and send it back to your boss when you got back in on your trip.

 

daveshel

Diamond Member
Oct 10, 1999
5,453
2
81
Yes. The only circumstances under which we would is if someone had some suspicions about somebody and we started watching their every move. With 10 server people and 3500+ employees, we would never do this unless someone's boss planted a wild hair in my boss's arse.
 

Chryso

Diamond Member
Nov 23, 2004
4,040
13
81
If you are using a non encrypted session then anyone on your network using a promiscuous agent could theoretically read your email.
 

RichieZ

Diamond Member
Jun 1, 2000
6,549
37
91
Yes, and I've seen it happen to people at certain client sites; the IT nazis will read IMs and email.

That is why I now have a 3G aircard and a blackjack, all my personal information no longer goes through any of my clients networks.
 

Platypus

Lifer
Apr 26, 2001
31,053
321
136
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Unless you are in a very high position within the company, I fail to see how they would spend a huge amount of resources to decrypt SSL.

People paranoid in security tend to forget the most important factor in all of security: there is always a way, but at what cost?

Most people are not important enough to justify that cost. The human factor is the most important aspect of security, not technicality.

Like I said before, it depends on where you work and what sort of confidential information you have access to. You'd better believe they monitor a lot more than 'high ranking' people these days.

Everybody accesses Gmail, Hotmail or Yahoo at work. In a typical 10k-person company, I fail to see how they have the resources to read everybody's email. They would need several dozen supercomputers to decrypt all that traffic. Then, you would actually need people to read it.


No, there is no need for a supercomputer nor any person to read the emails.. scripts can easily be written to snag certain data which is then read by a human.

Educate yourself:
http://www.bluecoat.de/downloa...epapers/BCS_SSL_wp.pdf

The device looks like this:
http://www.bluecoat.com/downlo...SG_8100_shadow_med.jpg

This is just one example of this technology in play, there are certainly other vendors out there. These devices are not expensive or hard to implement.

Furthermore, like I said it totally depends on the company you work for. Do you think for example that Mastercard would filter an employee's gmail for credit card numbers? Yes.
People that make less than 10 dollars an hour have access to countless credit card numbers at any given time during the day, these are certainly not high ranking positions in a company, these are the first level people you get when you call any CC company.

Like I said before, this is just one small example, think of what other protected company data is out there. Don't think you're safe because you're using SSL, it's not realistic anymore.

I briefly skimmed over the whitepaper, and I may have missed it, but it looks like a device that governs SSL sessions rather than decrypting them?

I can't find the part where it says the contents are decrypted?


:roll::roll::roll:

Now you're just being obtuse, where did I ever say 'decrypt SSL'? If you notice the first time I even mentioned it:

Originally posted by: Platypus
They certainly can and certainly do depending on the company you work for. I work for a large financial corporation so our emails are constantly scrutinized for example.

Bottom line, don't do stuff at work you wouldn't want your boss reading... but they're not filtering every message you send from webmail services for example. It's quite simple for them to get around SSL encryption used by Gmail or other webmail providers and they can and will do it. If you're an unpopular person within the company or you do something that gets you written up you better believe they'll be monitoring your email/web traffic to collect anything they might need to get rid of you.

It's one thing to be ignorant and educate yourself, it's another to continue to be arrogant when you have nothing to contribute to a conversation.


The OP asked whether IT can read his/her web emails, the answer is no, for all practical purposes.

Getting around SSL sessions is not what the OP asked for. So don't get your panties in a bunch because I actually gave a valid answer.


How you can possibly say 'no' is completely ridiculous to me but go ahead and believe your SSL traffic / email is safe 'for all practical purposes' :roll:

Anyway... for those curious how something like this device works it's basically a glorified man in the middle attack. When a user makes an SSL request through a browser, it passes through a device like I mentioned above. The response from the server you are trying to create an SSL session with has a certificate which is by design made to identify the originating server as well as ensure secure communications between the client and the server. (The certificate wraps up the server's public key). This is the certificate that is stolen by the device in a man in the middle fashion. Before the device allows the certificate through to you, the end user, it unwraps the public key and repackages it in a spoofed certificate which is passed on to you as being legit. After this process, the device then creates a separate tunnel to the server you're connecting to and now the device can read your plain text traffic on its way between the two points.

From there, the device can even route this information to another server for processing and searching for certain information or simply just stored in a database somewhere, the possibilities are endless.

But like I've said this entire time, you either have to work somewhere with sensitive information or be on someone's hitlist within the company. You'd be amazed at the cases that are built against employees by employers who want someone gone. As long as you're not doing anything completely suspicious or in violation of your company's policies such as going to websites you shouldn't be visiting, you're not going to get this sort of treatment for using webmail at work, but it is POSSIBLE and it's worth noting that it can easily be done if the need arises which is the OP's original question, 'can IT people read this.' Irrefutably the answer is yes.
 

FreshPrince

Diamond Member
Dec 6, 2001
8,363
1
0
IT people who read other people's private emails have absolutely no ethics or are told to do so.

even if the company owns the machine, it's still wrong to read other people's stuff, which is why I never do unless their boss tells me otherwise. Even then, what I try to do is print it off quickly and try not to read it. It ain't my business... it's between them, their boss, HR, and GOD

can it be done? anything can be done.
 

kranky

Elite Member
Oct 9, 1999
21,014
137
106
The smart thing to do is assume someone's reading every email you send/receive at work, so you don't do anything to put yourself at risk.
 

Imdmn04

Platinum Member
Jan 28, 2002
2,566
6
81
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Unless you are in a very high position within the company, I fail to see how they would spend a huge amount of resources to decrypt SSL.

People paranoid in security tend to forget the most important factor in all of security: there is always a way, but at what cost?

Most people are not important enough to justify that cost. The human factor is the most important aspect of security, not technicality.

Like I said before, it depends on where you work and what sort of confidential information you have access to. You'd better believe they monitor a lot more than 'high ranking' people these days.

Everybody accesses Gmail, Hotmail or Yahoo at work. In a typical 10k-person company, I fail to see how they have the resources to read everybody's email. They would need several dozen supercomputers to decrypt all that traffic. Then, you would actually need people to read it.


No, there is no need for a supercomputer nor any person to read the emails.. scripts can easily be written to snag certain data which is then read by a human.

Educate yourself:
http://www.bluecoat.de/downloa...epapers/BCS_SSL_wp.pdf

The device looks like this:
http://www.bluecoat.com/downlo...SG_8100_shadow_med.jpg

This is just one example of this technology in play, there are certainly other vendors out there. These devices are not expensive or hard to implement.

Furthermore, like I said it totally depends on the company you work for. Do you think for example that Mastercard would filter an employee's gmail for credit card numbers? Yes.
People that make less than 10 dollars an hour have access to countless credit card numbers at any given time during the day, these are certainly not high ranking positions in a company, these are the first level people you get when you call any CC company.

Like I said before, this is just one small example, think of what other protected company data is out there. Don't think you're safe because you're using SSL, it's not realistic anymore.

I briefly skimmed over the whitepaper, and I may have missed it, but it looks like a device that governs SSL sessions rather than decrypting them?

I can't find the part where it says the contents are decrypted?


:roll::roll::roll:

Now you're just being obtuse, where did I ever say 'decrypt SSL'? If you notice the first time I even mentioned it:

Originally posted by: Platypus
They certainly can and certainly do depending on the company you work for. I work for a large financial corporation so our emails are constantly scrutinized for example.

Bottom line, don't do stuff at work you wouldn't want your boss reading... but they're not filtering every message you send from webmail services for example. It's quite simple for them to get around SSL encryption used by Gmail or other webmail providers and they can and will do it. If you're an unpopular person within the company or you do something that gets you written up you better believe they'll be monitoring your email/web traffic to collect anything they might need to get rid of you.

It's one thing to be ignorant and educate yourself, it's another to continue to be arrogant when you have nothing to contribute to a conversation.


The OP asked whether IT can read his/her web emails, the answer is no, for all practical purposes.

Getting around SSL sessions is not what the OP asked for. So don't get your panties in a bunch because I actually gave a valid answer.


How you can possibly say 'no' is completely ridiculous to me but go ahead and believe your SSL traffic / email is safe 'for all practical purposes' :roll:

Anyway... for those curious how something like this device works it's basically a glorified man in the middle attack. When a user makes an SSL request through a browser, it passes through a device like I mentioned above. The response from the server you are trying to create an SSL session with has a certificate which is by design made to identify the originating server as well as ensure secure communications between the client and the server. (The certificate wraps up the server's public key). This is the certificate that is stolen by the device in a man in the middle fashion. Before the device allows the certificate through to you, the end user, it unwraps the public key and repackages it in a spoofed certificate which is passed on to you as being legit. After this process, the device then creates a separate tunnel to the server you're connecting to and now the device can read your plain text traffic on its way between the two points.

From there, the device can even route this information to another server for processing and searching for certain information or simply just stored in a database somewhere, the possibilities are endless.

But like I've said this entire time, you either have to work somewhere with sensitive information or be on someone's hitlist within the company. You'd be amazed at the cases that are built against employees by employers who want someone gone. As long as you're not doing anything completely suspicious or in violation of your company's policies such as going to websites you shouldn't be visiting, you're not going to get this sort of treatment for using webmail at work, but it is POSSIBLE and it's worth noting that it can easily be done if the need arises which is the OP's original question, 'can IT people read this.' Irrefutably the answer is yes.

Again, this falls into the category of "it can happen, but not likely".

How many companies actually implement such a device? How many resources does the company have to read the content? If there is a piece of software that scans for keywords, then no, it is not read by a human.

More likely than not, the answer is no to someone actually reading SSL content at the OP's company.

God, I swear IT security nazis always act like everything is within reach just for the fact of boasting about it. But when it comes down to practicality and likelihood, they simply ignore those factors.

To answer OP's question, technically they can read it, but much more likely than not, they won't be. Just like there is a chance that your car can be stolen every time you park it, but the likelihood is minimal.
 

smack Down

Diamond Member
Sep 10, 2005
4,507
0
0
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Unless you are in a very high position within the company, I fail to see how they would spend a huge amount of resources to decrypt SSL.

People paranoid in security tend to forget the most important factor in all of security: there is always a way, but at what cost?

Most people are not important enough to justify that cost. The human factor is the most important aspect of security, not technicality.

Like I said before, it depends on where you work and what sort of confidential information you have access to. You'd better believe they monitor a lot more than 'high ranking' people these days.

Everybody accesses Gmail, Hotmail or Yahoo at work. In a typical 10k-person company, I fail to see how they have the resources to read everybody's email. They would need several dozen supercomputers to decrypt all that traffic. Then, you would actually need people to read it.


No, there is no need for a supercomputer nor any person to read the emails.. scripts can easily be written to snag certain data which is then read by a human.

Educate yourself:
http://www.bluecoat.de/downloa...epapers/BCS_SSL_wp.pdf

The device looks like this:
http://www.bluecoat.com/downlo...SG_8100_shadow_med.jpg

This is just one example of this technology in play, there are certainly other vendors out there. These devices are not expensive or hard to implement.

Furthermore, like I said it totally depends on the company you work for. Do you think for example that Mastercard would filter an employee's gmail for credit card numbers? Yes.
People that make less than 10 dollars an hour have access to countless credit card numbers at any given time during the day, these are certainly not high ranking positions in a company, these are the first level people you get when you call any CC company.

Like I said before, this is just one small example, think of what other protected company data is out there. Don't think you're safe because you're using SSL, it's not realistic anymore.

I briefly skimmed over the whitepaper, and I may have missed it, but it looks like a device that governs SSL sessions rather than decrypting them?

I can't find the part where it says the contents are decrypted?


:roll::roll::roll:

Now you're just being obtuse, where did I ever say 'decrypt SSL'? If you notice the first time I even mentioned it:

Originally posted by: Platypus
They certainly can and certainly do depending on the company you work for. I work for a large financial corporation so our emails are constantly scrutinized for example.

Bottom line, don't do stuff at work you wouldn't want your boss reading... but they're not filtering every message you send from webmail services for example. It's quite simple for them to get around SSL encryption used by Gmail or other webmail providers and they can and will do it. If you're an unpopular person within the company or you do something that gets you written up you better believe they'll be monitoring your email/web traffic to collect anything they might need to get rid of you.

It's one thing to be ignorant and educate yourself, it's another to continue to be arrogant when you have nothing to contribute to a conversation.


The OP asked whether IT can read his/her web emails, the answer is no, for all practical purposes.

Getting around SSL sessions is not what the OP asked for. So don't get your panties in a bunch because I actually gave a valid answer.


How you can possibly say 'no' is completely ridiculous to me but go ahead and believe your SSL traffic / email is safe 'for all practical purposes' :roll:

Anyway... for those curious how something like this device works it's basically a glorified man in the middle attack. When a user makes an SSL request through a browser, it passes through a device like I mentioned above. The response from the server you are trying to create an SSL session with has a certificate which is by design made to identify the originating server as well as ensure secure communications between the client and the server. (The certificate wraps up the server's public key). This is the certificate that is stolen by the device in a man in the middle fashion. Before the device allows the certificate through to you, the end user, it unwraps the public key and repackages it in a spoofed certificate which is passed on to you as being legit. After this process, the device then creates a separate tunnel to the server you're connecting to and now the device can read your plain text traffic on its way between the two points.

From there, the device can even route this information to another server for processing and searching for certain information or simply just stored in a database somewhere, the possibilities are endless.

But like I've said this entire time, you either have to work somewhere with sensitive information or be on someone's hitlist within the company. You'd be amazed at the cases that are built against employees by employers who want someone gone. As long as you're not doing anything completely suspicious or in violation of your company's policies such as going to websites you shouldn't be visiting, you're not going to get this sort of treatment for using webmail at work, but it is POSSIBLE and it's worth noting that it can easily be done if the need arises which is the OP's original question, 'can IT people read this.' Irrefutably the answer is yes.

Can't a user identify the spoofed certificate, because the man in the middle will not have the certificate authorities private key?
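Platypus's description of the device (the proxy hands the client a spoofed certificate for the server's name and opens its own tunnel to the real server) and smack Down's question above (the proxy does not hold the certificate authority's private key, so why would the client accept the spoofed certificate?) are both answered by the same check. The following is an added example, written for this thread and not code from any poster, from Blue Coat, or from any vendor: a toy certificate authority built on textbook RSA, a browser-style trust store, and the three parties of a forwarding proxy. In this model the proxy issues the spoofed certificate under a corporate CA of its own, which is the assumption that makes the scenario work; the names, keys and primes are constructed and the keys are far too small for real use.

```python
"""Toy model of the interception proxy and the certificate check that catches it.

Added example, not code from the thread, from Blue Coat, or from any vendor:
a textbook-RSA certificate authority, a client trust store, and the three
parties in a forwarding proxy (real server, interception proxy, client).
Every key, name and certificate here is constructed for the demonstration;
the RSA moduli are about 60 bits and would be trivial to factor in real use.
Requires Python 3.8+ (pow(e, -1, m) for the modular inverse).
"""
import hashlib
from dataclasses import dataclass

# ---- toy RSA: enough to show that a valid signature needs the issuer's PRIVATE key ----
def make_keypair(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d)); p and q must be distinct primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data, n)

# ---- minimal certificate: subject name, subject key, issuer name, issuer's signature ----
@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: tuple
    issuer: str
    signature: int

    def tbs(self):
        """The 'to be signed' bytes that the issuer's signature covers."""
        n, e = self.public_key
        return f"{self.subject}|{self.issuer}|{n}|{e}".encode()

    def fingerprint(self):
        """What a pinning check compares: a hash over the whole certificate."""
        return hashlib.sha256(self.tbs() + str(self.signature).encode()).hexdigest()

def issue(issuer_name, issuer_private, subject, subject_public):
    unsigned = Certificate(subject, subject_public, issuer_name, 0)
    return Certificate(subject, subject_public, issuer_name, sign(issuer_private, unsigned.tbs()))

def validate(cert, trust_store, expected_host):
    """Browser-style check: returns 'ok' or the reason the certificate is rejected."""
    if cert.subject != expected_host:
        return "name mismatch"
    issuer_public = trust_store.get(cert.issuer)
    if issuer_public is None:
        return "unknown issuer"      # chains to a root the client does not trust
    if not verify(issuer_public, cert.tbs(), cert.signature):
        return "bad signature"       # claims a trusted issuer but was not signed by it
    return "ok"

def non_public_roots(trust_store, public_roots):
    """Defender's audit: which trusted roots are not part of the public CA set?"""
    return sorted(set(trust_store) - set(public_roots))

def run_scenario():
    # Constructed parties; the primes are just well-known small primes.
    public_ca_pub, public_ca_priv = make_keypair(1000000007, 998244353)
    corp_ca_pub, corp_ca_priv = make_keypair(1000000009, 999999937)
    server_pub, _ = make_keypair(2147483647, 1000000021)
    proxy_pub, _ = make_keypair(1000000033, 999999929)
    host = "webmail.example.test"

    # The genuine leaf the webmail server presents, issued by a public root.
    genuine = issue("Public Root CA", public_ca_priv, host, server_pub)
    # What the proxy presents instead: the same name, the proxy's own key, signed by
    # the corporate CA, because the proxy never had the public root's private key.
    spoofed = issue("Corp Interception CA", corp_ca_priv, host, proxy_pub)
    # A forgery that merely claims the public root as issuer cannot carry a valid signature.
    forged = Certificate(host, proxy_pub, "Public Root CA", signature=12345)

    browser_defaults = {"Public Root CA": public_ca_pub}
    managed_endpoint = {**browser_defaults, "Corp Interception CA": corp_ca_pub}
    return {
        "genuine/default": validate(genuine, browser_defaults, host),
        "spoofed/default": validate(spoofed, browser_defaults, host),
        "forged/default": validate(forged, browser_defaults, host),
        "spoofed/managed": validate(spoofed, managed_endpoint, host),
        "pin_detects_spoof": genuine.fingerprint() != spoofed.fingerprint(),
        "extra_roots": non_public_roots(managed_endpoint, browser_defaults),
    }

if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check:20} {result}")
```

The scenario makes smack Down's point concrete: with only the public root trusted, the spoofed certificate is rejected as "unknown issuer" and an outright forgery as "bad signature", so the device cannot get in front of the session unnoticed on a machine the company does not control. On a managed endpoint the corporate root is pushed into the trust store, and the same spoofed certificate validates cleanly. That is also the user-side check: open the certificate viewer in the browser and look at the issuer. If the webmail site's certificate chains to a corporate CA rather than a public one, the session is being terminated on the proxy, and a pinned fingerprint of the genuine certificate would flag it without any reading of the chain.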
 

Platypus

Lifer
Apr 26, 2001
31,053
321
136
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Unless you are in a very high position within the company, I fail to see how they would spend a huge amount of resources to decrypt SSL.

People paranoid in security tend to forget the most important factor in all of security: there is always a way, but at what cost?

Most people are not important enough to justify that cost. The human factor is the most important aspect of security, not technicality.

Like I said before, it depends on where you work and what sort of confidential information you have access to. You'd better believe they monitor a lot more than 'high ranking' people these days.

Everybody accesses Gmail, Hotmail or Yahoo at work. In a typical 10k-person company, I fail to see how they have the resources to read everybody's email. They would need several dozen supercomputers to decrypt all that traffic. Then, you would actually need people to read it.


No, there is no need for a supercomputer nor any person to read the emails.. scripts can easily be written to snag certain data which is then read by a human.

Educate yourself:
http://www.bluecoat.de/downloa...epapers/BCS_SSL_wp.pdf

The device looks like this:
http://www.bluecoat.com/downlo...SG_8100_shadow_med.jpg

This is just one example of this technology in play, there are certainly other vendors out there. These devices are not expensive or hard to implement.

Furthermore, like I said it totally depends on the company you work for. Do you think for example that Mastercard would filter an employee's gmail for credit card numbers? Yes.
People that make less than 10 dollars an hour have access to countless credit card numbers at any given time during the day, these are certainly not high ranking positions in a company, these are the first level people you get when you call any CC company.

Like I said before, this is just one small example, think of what other protected company data is out there. Don't think you're safe because you're using SSL, it's not realistic anymore.

I briefly skimmed over the whitepaper, and I may have missed it, but it looks like a device that governs SSL sessions rather than decrypting them?

I can't find the part where it says the contents are decrypted?


:roll::roll::roll:

Now you're just being obtuse, where did I ever say 'decrypt SSL'? If you notice the first time I even mentioned it:

Originally posted by: Platypus
They certainly can and certainly do depending on the company you work for. I work for a large financial corporation so our emails are constantly scrutinized for example.

Bottom line, don't do stuff at work you wouldn't want your boss reading... but they're not filtering every message you send from webmail services for example. It's quite simple for them to get around SSL encryption used by Gmail or other webmail providers and they can and will do it. If you're an unpopular person within the company or you do something that gets you written up you better believe they'll be monitoring your email/web traffic to collect anything they might need to get rid of you.

It's one thing to be ignorant and educate yourself, it's another to continue to be arrogant when you have nothing to contribute to a conversation.


The OP asked whether IT can read his/her web emails, the answer is no, for all practical purposes.

Getting around SSL sessions is not what the OP asked for. So don't get your panties in a bunch because I actually gave a valid answer.


How you can possibly say 'no' is completely ridiculous to me but go ahead and believe your SSL traffic / email is safe 'for all practical purposes' :roll:

Anyway... for those curious how something like this device works it's basically a glorified man in the middle attack. When a user makes an SSL request through a browser, it passes through a device like I mentioned above. The response from the server you are trying to create an SSL session with has a certificate which is by design made to identify the originating server as well as ensure secure communications between the client and the server. (The certificate wraps up the server's public key). This is the certificate that is stolen by the device in a man in the middle fashion. Before the device allows the certificate through to you, the end user, it unwraps the public key and repackages it in a spoofed certificate which is passed on to you as being legit. After this process, the device then creates a separate tunnel to the server you're connecting to and now the device can read your plain text traffic on its way between the two points.

From there, the device can even route this information to another server for processing and searching for certain information or simply just stored in a database somewhere, the possibilities are endless.

But like I've said this entire time, you either have to work somewhere with sensitive information or be on someone's hitlist within the company. You'd be amazed at the cases that are built against employees by employers who want someone gone. As long as you're not doing anything completely suspicious or in violation of your company's policies such as going to websites you shouldn't be visiting, you're not going to get this sort of treatment for using webmail at work, but it is POSSIBLE and it's worth noting that it can easily be done if the need arises which is the OP's original question, 'can IT people read this.' Irrefutably the answer is yes.

Again, this falls into the category of "it can happen, but not likely".

How many companies actually implement such a device? How many resources does the company have to read the content? If there is a piece of software that scans for keywords, then no, it is not read by a human.

More likely than not, the answer is no to someone actually reading SSL content at the OP's company.

God, I swear IT security nazis always act like everything is within reach just for the fact of boasting about it. But when it comes down to practicality and likelihood, they simply ignore those factors.

To answer OP's question, technically they can read it, but much more likely than not, they won't be. Just like there is a chance that your car can be stolen every time you park it, but the likelihood is minimal.


lol...

The OP asked for IT professionals to respond, so far there have been countless people to respond with real world experience, you can keep backpedaling all you want but we've answered his question 10 times over.. all you've done is grind your axe against people for giving real world answers. I even gave specific caveats but those don't support your grinding session so I guess you overlooked them? I didn't realize giving FACTUAL information was considered being a nazi?

You're not educated on the subject plain and simple, move on.

 

Platypus

Lifer
Apr 26, 2001
31,053
321
136
Originally posted by: smack Down
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Unless you are in a very high position within the company, I fail to see how they would spend a huge amount of resources to decrypt SSL.

People paranoid in security tend to forget the most important factor in all of security: there is always a way, but at what cost?

Most people are not important enough to justify that cost. The human factor is the most important aspect of security, not technicality.

Like I said before, it depends on where you work and what sort of confidential information you have access to. You'd better believe they monitor a lot more than 'high ranking' people these days.

Everybody accesses Gmail, Hotmail or Yahoo at work. In a typical 10k-person company, I fail to see how they have the resources to read everybody's email. They would need several dozen supercomputers to decrypt all that traffic. Then, you would actually need people to read it.


No, there is no need for a supercomputer nor any person to read the emails.. scripts can easily be written to snag certain data which is then read by a human.

Educate yourself:
http://www.bluecoat.de/downloa...epapers/BCS_SSL_wp.pdf

The device looks like this:
http://www.bluecoat.com/downlo...SG_8100_shadow_med.jpg

This is just one example of this technology in play, there are certainly other vendors out there. These devices are not expensive or hard to implement.

Furthermore, like I said it totally depends on the company you work for. Do you think for example that Mastercard would filter an employee's gmail for credit card numbers? Yes.
People that make less than 10 dollars an hour have access to countless credit card numbers at any given time during the day, these are certainly not high ranking positions in a company, these are the first level people you get when you call any CC company.

Like I said before, this is just one small example, think of what other protected company data is out there. Don't think you're safe because you're using SSL, it's not realistic anymore.

I briefly skimmed over the whitepaper, I may have missed it, but it looks like a device that governs SSL sessions rather than decrypt them?

I can't find the part where it says the contents are decrypted?


:roll::roll::roll:

Now you're just being obtuse, where did I ever say 'decrypt SSL'? If you notice the first time I even mentioned it:

Originally posted by: Platypus
They certainly can and certainly do depending on the company you work for. I work for a large financial corporation so our emails are constantly scrutinized for example.

Bottom line, don't do stuff at work you wouldn't want your boss reading... but they're not filtering every message you send from webmail services for example. It's quite simple for them to get around SSL encryption used by Gmail or other webmail providers and they can and will do it. If you're an unpopular person within the company or you do something that gets you written up you better believe they'll be monitoring your email/web traffic to collect anything they might need to get rid of you.

It's one thing to be ignorant and educate yourself, it's another to continue to be arrogant when you have nothing to contribute to a conversation.


The OP asked whether IT can read his/her web emails, the answer is no, for all practical purposes.

Getting around SSL sessions is not what the OP asked for. So don't get your panties in a bunch because I actually gave a valid answer.


How you can possibly say 'no' is completely ridiculous to me but go ahead and believe your SSL traffic / email is safe 'for all practical purposes' :roll:

Anyway... for those curious how something like this device works, it's basically a glorified man in the middle attack. When a user makes an SSL request through a browser, it passes through a device like I mentioned above. The response from the server you are trying to create an SSL session with has a certificate which is by design made to identify the originating server as well as ensure secure communications between the client and the server. (The certificate wraps up the server's public key). This is the certificate that is stolen by the device in a man in the middle fashion. Before the device allows the certificate through to you, the end user, it unwraps the public key and repackages it in a spoofed certificate which is passed on to you as being legit. After this process, the device then creates a separate tunnel to the server you're connecting to and now the device can read your plain text traffic on its way between the two points.

From there, the device can even route this information to another server for processing and searching for certain information or simply just stored in a database somewhere, the possibilities are endless.

But like I've said this entire time, you either have to work somewhere with sensitive information or be on someone's hitlist within the company. You'd be amazed at the cases that are built against employees by employers who want someone gone. As long as you're not doing anything completely suspicious or in violation of your company's policies such as going to websites you shouldn't be visiting, you're not going to get this sort of treatment for using webmail at work, but it is POSSIBLE and it's worth noting that it can easily be done if the need arises, which is the OP's original question, 'can IT people read this.' Irrefutably the answer is yes.

Can't a user identify the spoofed certificate, because the man in the middle will not have the certificate authorities private key?


Yes, great point. However this can easily be embedded in your browser's trusted cert list by your company. Most corporations don't allow you to install your own software and force you to use a specific browser. If you have access to install your own software you can easily notice the attack and stop it.
 

Imdmn04

Platinum Member
Jan 28, 2002
2,566
6
81
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Originally posted by: Platypus
Originally posted by: Imdmn04
Unless you are in a very high position within the company, I fail to see how they would spend a huge amount of resources to decrypt SSL.

People paranoid in security tend to forget the most important factor in all of security: there is always a way, but at what cost?

Most people are not important enough to justify that cost. The human factor is the most important aspect of security, not technicality.

Like I said before, it depends on where you work and what sort of confidential information you have access to. You'd better believe they monitor a lot more than 'high ranking' people these days.

Everybody accesses Gmail, Hotmail or Yahoo at work. In a typical 10k person company, I fail to see how they have the resources to read everybody's email. They would need several dozen supercomputers to decrypt that much traffic. Then, you would actually need people to read it.


No, there is no need for a supercomputer nor any person to read the emails.. scripts can easily be written to snag certain data which is then read by a human.

Educate yourself:
http://www.bluecoat.de/downloa...epapers/BCS_SSL_wp.pdf

The device looks like this:
http://www.bluecoat.com/downlo...SG_8100_shadow_med.jpg

This is just one example of this technology in play, there are certainly other vendors out there. These devices are not expensive or hard to implement.

Furthermore, like I said it totally depends on the company you work for. Do you think for example that Mastercard would filter an employee's gmail for credit card numbers? Yes.
People that make less than 10 dollars an hour have access to countless credit card numbers at any given time during the day, these are certainly not high ranking positions in a company, these are the first level people you get when you call any CC company.

Like I said before, this is just one small example, think of what other protected company data is out there. Don't think you're safe because you're using SSL, it's not realistic anymore.

I briefly skimmed over the whitepaper, I may have missed it, but it looks like a device that governs SSL sessions rather than decrypt them?

I can't find the part where it says the contents are decrypted?


:roll::roll::roll:

Now you're just being obtuse, where did I ever say 'decrypt SSL'? If you notice the first time I even mentioned it:

Originally posted by: Platypus
They certainly can and certainly do depending on the company you work for. I work for a large financial corporation so our emails are constantly scrutinized for example.

Bottom line, don't do stuff at work you wouldn't want your boss reading... but they're not filtering every message you send from webmail services for example. It's quite simple for them to get around SSL encryption used by Gmail or other webmail providers and they can and will do it. If you're an unpopular person within the company or you do something that gets you written up you better believe they'll be monitoring your email/web traffic to collect anything they might need to get rid of you.

It's one thing to be ignorant and educate yourself, it's another to continue to be arrogant when you have nothing to contribute to a conversation.


The OP asked whether IT can read his/her web emails, the answer is no, for all practical purposes.

Getting around SSL sessions is not what the OP asked for. So don't get your panties in a bunch because I actually gave a valid answer.


How you can possibly say 'no' is completely ridiculous to me but go ahead and believe your SSL traffic / email is safe 'for all practical purposes' :roll:

Anyway... for those curious how something like this device works, it's basically a glorified man in the middle attack. When a user makes an SSL request through a browser, it passes through a device like I mentioned above. The response from the server you are trying to create an SSL session with has a certificate which is by design made to identify the originating server as well as ensure secure communications between the client and the server. (The certificate wraps up the server's public key). This is the certificate that is stolen by the device in a man in the middle fashion. Before the device allows the certificate through to you, the end user, it unwraps the public key and repackages it in a spoofed certificate which is passed on to you as being legit. After this process, the device then creates a separate tunnel to the server you're connecting to and now the device can read your plain text traffic on its way between the two points.

From there, the device can even route this information to another server for processing and searching for certain information or simply just stored in a database somewhere, the possibilities are endless.

But like I've said this entire time, you either have to work somewhere with sensitive information or be on someone's hitlist within the company. You'd be amazed at the cases that are built against employees by employers who want someone gone. As long as you're not doing anything completely suspicious or in violation of your company's policies such as going to websites you shouldn't be visiting, you're not going to get this sort of treatment for using webmail at work, but it is POSSIBLE and it's worth noting that it can easily be done if the need arises, which is the OP's original question, 'can IT people read this.' Irrefutably the answer is yes.

Again, this falls into the category of "it can happen, but not likely".

How many companies actually implement such a device? How much resources does the company have to read the content? If there is a piece of software that scans for keywords, then no, it is not read by a human.

More likely than not, the answer is no to someone actually reading SSL content at the OP's company.

God, I swear IT security nazis always act like everything is within reach just for the fact of boasting about it. But when it comes down to practicality and likelihood, they simply ignore those factors.

To answer OP's question, technically they can read it, but much more likely than not, they won't be. Just like there is a chance that your car can be stolen every time you park it, but the likelihood is minimal.


lol...

The OP asked for IT professionals to respond, so far there have been countless people to respond with real world experience, you can keep backpedaling all you want but we've answered his question 10 times over.. all you've done is grind your axe against people for giving real world answers. I even gave specific caveats but those don't support your grinding session so I guess you overlooked them? I didn't realize giving FACTUAL information was considered being a nazi?

You're not educated on the subject plain and simple, move on.

This is what's wrong with the IT crowd today, they always think in terms of sheer technical possibility and never outside of the box, always pigeon-hole themselves into the boundaries of a technical solution, ignoring the boundaries of the bigger picture.

Ever heard of the saying that "sometimes you can see more when you are outside of it than while in it"? Everything is technically possible, but what about the resources required to implement them? Time, labor, money? The technical feasibility is only a small part of the global-level feasibility as a whole, including various human factors.

Again, if you actually think the possibility of OP's company reading his/her email is greater than not being read, then you are a classical example of the "IT thinker syndrome".
 
Dec 27, 2001
11,272
1
0
Originally posted by: spidey07
Yes. I used to do it for fun when I was bored.

I have access to everything at my company. From personnel records to personal emails to browsing habits. And I haven't once abused that power for my own entertainment or advancement........they aren't worth my integrity. And, obviously, integrity amongst IT workers is at a high premium.
 

spherrod

Diamond Member
Mar 21, 2003
3,897
0
0
www.steveherrod.com
Originally posted by: Descartes
As spidey said, they absolutely can. If it's a large company, they don't likely read random emails; however, companies with sensitive information (almost any company these days) might filter for specific content and forward them to a security group for analysis.

In short, I wouldn't worry about it. Just use discretion.

Yep - that's what we do.
 

Dessert Tears

Golden Member
Feb 27, 2005
1,100
0
76
Originally posted by: 3cho
if i access personal email at work, can the IT people read my outgoing and incoming mails?
If you're asking for the reason I think you're asking, I wouldn't do it.


The general consensus seems to be that it's technically possible for many or most situations, but is unlikely to affect any random user not implicated by other means. There is some likelihood that there is a generic word filter that automatically scans for words on a watchlist and forwards "content of interest" to a human for review. This filter would operate independently of the initial data acquisition.

Vulnerabilities/Tools:
  • non-SSL email service - The data is in the clear, no different from screening a normal web page. The URL may be flagged for closer review, though they usually just blacklist the host.
  • SSL certificate spoofing (covered in detail by Platypus) - Difficult to see if using the company-installed browser. Likely to cause a certificate warning in a "clean" browser.
  • screen capture (vi_edit) - I've heard of this type of monitoring. It seems to be storage/human-intensive, but some sort of automatic filtering (OCR, "porn score" based on flesh colors) could be applied.
  • remote control (yowolabi) - pcAnywhere, PC-Duo, VNC, Remote Desktop. Most places install one of these tools to facilitate remote administration - the IT personnel can directly address the problem while remaining on the phone with the end-user. More difficult to integrate with an automated monitoring system.
  • keylogger - Very low data generation, can be fed to text filter with minor treatment to remove ^H and such.

Originally posted by: yllus
Anything coming in or out of your computer can theoretically be read. Even if it's encrypted.
Originally posted by: Imdmn04
They would have several dozen supercomputers to decrypt all that much traffic.
I'm pretty sure that the probability of decrypting a single SSL certificate using a brute-force attack with today's technology is extremely low. Gmail's certificate is AES-256 (256-bit) and valid for just over a year.

Originally posted by: Platypus
This is just one example of this technology in play, there are certainly other vendors out there. These devices are not expensive or hard to implement.
The whitepaper reads more like a sales brochure than a technical document. I skimmed it once and was struck by how it glosses over the technical details and unsavory history with pretty figures (though appropriate ones) and sales-speak. Like you mention elsewhere, this is a man-in-the-middle attack - that SSL is designed to prevent.

I guess I'm jaded. In Fall 2003, I completed a group project that implemented a DNS spoof attack over wireless. A successful attack redirects the victim to a fake site which could contact the real site and function as a MITM. At the time, we found a Linux toolkit (called Monkey Jacket, IIRC) that did the DNS spoof, the MITM with on-the-fly certificate spoofing, and other wireless "security evaluation" - made available at least a year before. I'm amused that there's now a class of enterprise-level products.

Originally posted by: Platypus
Originally posted by: smack Down
Can't a user identify the spoofed certificate, because the man in the middle will not have the certificate authorities private key?
Yes, great point. However this can easily be embedded in your browser's trusted cert list by your company. Most corporations don't allow you to install your own software and force you to use a specific browser. If you have access to install your own software you can easily notice the attack and stop it.
  • The fingerprints are hashes of the certificate including the key and cannot be faked. It is nearly as difficult (depends on the number of bits in the hash output) to find a matching hash as it is to find the key itself. One could view the certificate outside work, record the hashes, and compare - matching hashes is a guarantee that the complete certificate also matches.
  • Depending on the level of sophistication, the spoofed certificate may be easily identified. If one works for Company X, has a Company X trusted authority certificate, and has a Gmail certificate issued by Company X, the Gmail certificate is a clear fake. It is possible to fake all the authority certificates registered in the company-installed browser without much additional work, but the fakes can be detected by hash comparison as mentioned above.
  • It's possible that there is an automated way to push the company's certificates to popular unauthorized browsers (like Firefox). As the computer is ultimately controlled by anyone with Administrator access, the assumption that a browser is "clean" is not necessarily good.

If anyone is paranoid enough to need any of this information, I would suggest avoiding accessing personal email at work in all situations. Get a data plan for your phone and/or read your email at home.
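The interception Platypus describes and the two checks Dessert Tears lists (fingerprint comparison against a certificate recorded off-network, and inspecting who issued the certificate) as an added example; this is not code from this thread or from any vendor's product. It uses only the Python standard library; the host name mail.example, the issuer names, "Company X" and the sample byte strings are all constructed for the demo.

```python
"""
Checking the server certificate a client actually receives against what it
expects, to notice an interception (man-in-the-middle) proxy.

Two checks, both on the certificate as presented to the browser:
  1. Fingerprint: SHA-256 over the DER-encoded certificate, compared with a
     fingerprint recorded on a trusted network (e.g. at home).
  2. Issuer: a public webmail host should be issued by a public CA, not by the
     organisation whose proxy sits between the client and the server.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Iterable, Optional


def fingerprint_sha256(der_cert: bytes) -> str:
    """Return the SHA-256 fingerprint as colon-separated hex, as browsers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def issuer_field(peercert: dict, field: str) -> Optional[str]:
    """Extract one attribute (e.g. 'organizationName') from the ssl.getpeercert()
    style 'issuer' structure: a tuple of RDNs, each a tuple of (name, value) pairs."""
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            if name == field:
                return value
    return None


def assess_certificate(der_cert: bytes, peercert: dict,
                       recorded_fingerprints: Iterable[str],
                       expected_issuer_orgs: Iterable[str],
                       local_org_keywords: Iterable[str]) -> dict:
    """Compare a live certificate with what was recorded on a trusted network.
    Returns the computed fingerprint, the issuer organisation, a list of
    findings and a verdict ('OK' when nothing is suspicious)."""
    findings = []
    fp = fingerprint_sha256(der_cert)
    # Constant-time comparison against every recorded fingerprint.
    matched = any(hmac.compare_digest(fp, r.upper()) for r in recorded_fingerprints)
    if not matched:
        findings.append("fingerprint does not match any recorded value")
    org = issuer_field(peercert, "organizationName") or ""
    if org and org not in set(expected_issuer_orgs):
        findings.append(f"unexpected issuer organisation: {org!r}")
    for kw in local_org_keywords:
        if kw.lower() in org.lower():
            findings.append(f"issuer names the local organisation ({kw!r}): likely interception proxy")
    return {"fingerprint": fp, "issuer_org": org, "findings": findings,
            "verdict": "INTERCEPTED?" if findings else "OK"}


def fetch_live_certificate(host: str, port: int = 443, timeout: float = 5.0):
    """Retrieve (DER bytes, getpeercert dict) from a live server. Not used by the
    offline demo below. Verification stays on: a proxy CA that the company has
    pushed into the trust store will pass this step, which is exactly why the
    fingerprint check above exists."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


# Constructed sample data (these byte strings are not real certificates).
RECORDED_DER = b"constructed-der-bytes-for-mail.example-seen-from-home"
RECORDED_FINGERPRINT = fingerprint_sha256(RECORDED_DER)
EXPECTED_ISSUER_ORGS = ["Example Public CA Inc"]
LOCAL_ORG_KEYWORDS = ["Company X"]

# Case 1: the same certificate seen at work, nothing in between.
GENUINE_PEERCERT = {"subject": ((("commonName", "mail.example"),),),
                    "issuer": ((("countryName", "US"),),
                               (("organizationName", "Example Public CA Inc"),),
                               (("commonName", "Example Public CA R1"),))}
# Case 2: a certificate re-issued on the fly by an interception device.
SPOOFED_DER = b"constructed-der-bytes-reissued-by-proxy"
SPOOFED_PEERCERT = {"subject": ((("commonName", "mail.example"),),),
                    "issuer": ((("organizationName", "Company X Corp"),),
                               (("commonName", "Company X SSL Proxy CA"),))}


def demo():
    genuine = assess_certificate(RECORDED_DER, GENUINE_PEERCERT, [RECORDED_FINGERPRINT],
                                 EXPECTED_ISSUER_ORGS, LOCAL_ORG_KEYWORDS)
    spoofed = assess_certificate(SPOOFED_DER, SPOOFED_PEERCERT, [RECORDED_FINGERPRINT],
                                 EXPECTED_ISSUER_ORGS, LOCAL_ORG_KEYWORDS)
    return genuine, spoofed


if __name__ == "__main__":
    for result in demo():
        print(result["verdict"], result["fingerprint"], result["findings"])
```

As Dessert Tears notes, the fingerprint check only helps if the reference value was recorded on a machine and network the employer does not control.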
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Flatscan
If anyone is paranoid enough to need any of this information, I would suggest avoiding accessing personal email at work in all situations. Get a data plan for your phone and/or read your email at home.

It's not a question of being paranoid. The question was can IT read your e-mail.

The answer is yes.
 

Dessert Tears

Golden Member
Feb 27, 2005
1,100
0
76
Originally posted by: spidey07
It's not a question of being paranoid. The question was can IT read your e-mail.

The answer is yes.
That is the explicit question asked by the OP. One may infer the related questions "by what methods?", "how likely?", and "should I worry?", which are all discussed in this thread. I think that a user examining certificate hash keys is paranoid.
 

funkymatt

Diamond Member
Jun 2, 2005
3,919
1
81
the company I used to work for not only monitored internal email, but also had keyloggers installed on each machine. it would generate a new log every time you logged in. Some people google search for the weirdest sh!t. there were periodic screenshots too.

good times.
 

yowolabi

Diamond Member
Jun 29, 2001
4,183
2
81
Originally posted by: Imdmn04

This is what's wrong with the IT crowd today, they always think in terms of sheer technical possibility and never outside of the box, always pigeon-hole themselves into the boundaries of a technical solution, ignoring the boundaries of the bigger picture.

Ever heard of the saying that "sometimes you can see more when you are outside of it than while in it"? Everything is technically possible, but what about the resources required to implement them? Time, labor, money? The technical feasibility is only a small part of the global-level feasibility as a whole, including various human factors.

Again, if you actually think the possibility of OP's company reading his/her email is greater than not being read, then you are a classical example of the "IT thinker syndrome".

Actually what's wrong is you overcomplicated a simple question. Can IT read my incoming and outgoing email? The answer is indisputably "yes". Everyone in IT who responded also said that it's not likely that they will, but that they definitely have the power to. Nice job arguing against the strawman of "if you actually think the possibility of OP's company reading his/her email is greater than not being read, then you are a classical example of the IT thinker syndrome". I don't see anyone here saying that IT is reading his mail, just that they can.

And with all this talk about SSL, you've failed to recognize that many companies take screenshots and use keyloggers and remote access tools, which don't have a huge cost in either time or money. They don't generally use them for everybody, but they can certainly use them on any individual they target. If someone is looking at your screen while you are, they can see both incoming and outgoing emails without caring if it's SSL protected or not.
 

Imdmn04

Platinum Member
Jan 28, 2002
2,566
6
81
Originally posted by: yowolabi
Originally posted by: Imdmn04

This is what's wrong with the IT crowd today, they always think in terms of sheer technical possibility and never outside of the box, always pigeon-hole themselves into the boundaries of a technical solution, ignoring the boundaries of the bigger picture.

Ever heard of the saying that "sometimes you can see more when you are outside of it than while in it"? Everything is technically possible, but what about the resources required to implement them? Time, labor, money? The technical feasibility is only a small part of the global-level feasibility as a whole, including various human factors.

Again, if you actually think the possibility of OP's company reading his/her email is greater than not being read, then you are a classical example of the "IT thinker syndrome".

Actually what's wrong is you overcomplicated a simple question. Can IT read my incoming and outgoing email? The answer is indisputably "yes". Everyone in IT who responded also said that it's not likely that they will, but that they definitely have the power to. Nice job arguing against the strawman of "if you actually think the possibility of OP's company reading his/her email is greater than not being read, then you are a classical example of the IT thinker syndrome". I don't see anyone here saying that IT is reading his mail, just that they can.

And with all this talk about SSL, you've failed to recognize that many companies take screenshots and use keyloggers and remote access tools, which don't have a huge cost in either time or money. They don't generally use them for everybody, but they can certainly use them on any individual they target. If someone is looking at your screen while you are, they can see both incoming and outgoing emails without caring if it's SSL protected or not.

Here is another "IT thinker", you bunch get so defensive on a technicality. You always have to exert the fact that you can do anything, even if it takes an unrealistic amount of effort. Yes we know you are all mighty and powerful.

Screenshots are great and all. But who is gonna read those screenshots? Does that not take resources? Do you have a bunch of contractors in India reading your 10,000 employees' daily screenshots?

Again, the answer is unlikely. The OP asked a question, I gave the most useful answer, whether it is semantically/technically accurate to you IT people, I don't care.
 

ultimatebob

Lifer
Jul 1, 2001
25,135
2,445
126
I never bother looking at customer's personal data unless they're having a problem accessing it.

Besides, most of the stuff that people store in their e-mail and on the file server is boring anyway! It's not like I work at Penthouse or something.

The only time in 6 years that I've flipped out on a customer for storing inappropriate data was when a code repository server with only 15 GB of space filled up and I found a Gig of pirated MP3s in the shared folder while I was cleaning it up. That kind of stuff can get someone fired if an auditor ever caught it.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Imdmn04

Here is another "IT thinker", you bunch get so defensive on a technicality. You always have to exert the fact that you can do anything, even if it takes an unrealistic amount of effort. Yes we know you are all mighty and powerful.

Screenshots are great and all. But who is gonna read those screenshots? Does that not take resources? Do you have a bunch of contractors in India reading your 10,000 employees' daily screenshots?

Again, the answer is unlikely. The OP asked a question, I gave the most useful answer, whether it is semantically/technically accurate to you IT people, I don't care.

you're just defensive because we read your e-mails. They were flagged for inappropriate content and are now being recorded/analyzed.
 

Imdmn04

Platinum Member
Jan 28, 2002
2,566
6
81
Originally posted by: spidey07
Originally posted by: Imdmn04

Here is another "IT thinker", you bunch get so defensive on a technicality. You always have to exert the fact that you can do anything, even if it takes an unrealistic amount of effort. Yes we know you are all mighty and powerful.

Screenshots are great and all. But who is gonna read those screenshots? Does that not take resources? Do you have a bunch of contractors in India reading your 10,000 employees' daily screenshots?

Again, the answer is unlikely. The OP asked a question, I gave the most useful answer, whether it is semantically/technically accurate to you IT people, I don't care.

you're just defensive because we read your e-mails. They were flagged for inappropriate content and are now being recorded/analyzed.

I have nothing to hide. My work email is all business, and I hardly ever check my web mail at work. I just don't understand why companies would spend so much time and resources on watching negligible things that employees do. There are better performance indicators. If we are all judged on who surfs the net most, everybody on ATOT at work would be fired.

This type of surveillance is usually used as supplementary evidence, most companies are not gonna do anything with the recorded data, unless they have a reason to. I guarantee 99.9 percent of the data collected is not read.

 