I noticed an interesting thing. Every time I access an SSL-enabled website like chase.com in my company, the SSL certificate is not from a well-known CA like VeriSign but from my company's IT department. We use a dynamic proxy (I don't know how to explain it, but we don't need to set it up in IE->Connections for sure) for every internet access. I was guessing that the proxy changes the SSL certificate to our IT's own certificate. My guess: every time an SSL connection starts, the proxy takes my HTTPS request, gets the certificate (let's call it SSL_Chase, for both SSL and the symmetric key for data encryption) from the website like chase, changes the certificate to our own IT certificate (let's call it SSL_IT) and sends it with the response to me. I fill out the user name and password, my machine uses SSL_IT to encrypt my data, and our proxy gets it and decrypts it. Then the proxy encrypts it using SSL_Chase and sends it to chase. So chase thinks our proxy is me and I think our proxy is chase, except the IT certificate is not from chase (I think most users won't notice it). This means the IT department knows everything we send to chase and chase sends to me!! I was wondering if my guess is possible, from the SSL connection algorithm point of view. Hope anybody can give me a hint.
Thanks a lot!
The SSL proxy is transparent, which means it performs SSL encryption and decryption between the client and the server. The SSL proxy also reproduces server certificates so the client can make a secure (SSL) or insecure (HTTP) connection to a web server.
To intercept SSL connections, the proxy server replaces the certificate from the original server with a new certificate signed by an internal private-hosted root CA. Your browser must trust the internal private-hosted root CA to validate the certificate returned by the proxy server.
Proxy certificates allow users to specify one or more custom certificate authority (CA) certificates used by platform components when making egress connections. The trustedCA field of the Proxy object is a reference to a config map that contains a user-provided trusted certificate authority (CA) bundle.
An SSL Certificate is usually issued to a domain name and not an IP address. So long as your web server is hosting the domain name for which your SSL Certificate has been issued, the IP address doesn't matter.
It probably goes like this: you have your IT department's certificate as a trusted root certificate on your computer. When you browse to an HTTPS address, the proxy generates a certificate for that site on the fly, signed by the certificate that's trusted by your browser. You then communicate with your proxy, and the proxy communicates with the real site. Both "legs" of the travel are over SSL/TLS, so you're safe from a random man in the middle, but your IT department can theoretically view all the communication.
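To make the mechanism in that answer concrete, here is an added example (not code from the original thread or from any proxy vendor) in Go, using only the standard library's crypto/x509. It plays the proxy's role end to end: it creates an internal root CA (the hypothetical name "Corp IT Root CA" is an assumption), mints an on-the-fly leaf certificate for "chase.com" signed by that root, and then runs the same validation a browser runs. With the IT root in the trust store the forged certificate validates; on a machine that does not trust the IT root it fails with an unknown-authority error. This is also the check the original poster can do by hand: open the certificate in the browser and read the issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InterceptingProxy stands in for the corporate TLS proxy: it holds the
// internal root CA's private key and can mint a leaf cert for any hostname.
type InterceptingProxy struct {
	RootCert *x509.Certificate
	rootKey  *ecdsa.PrivateKey
}

// NewInterceptingProxy creates a self-signed internal root CA. The name
// "Corp IT Root CA" is a made-up placeholder; this is the certificate IT
// pushes into every employee machine's trust store.
func NewInterceptingProxy() (*InterceptingProxy, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Corp IT Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &InterceptingProxy{RootCert: cert, rootKey: key}, nil
}

// MintLeaf forges a server certificate for host, signed by the internal root,
// which is what the proxy does the moment a client opens a TLS connection to
// host. The real site's certificate is never shown to the client.
func (p *InterceptingProxy) MintLeaf(host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.RootCert, &leafKey.PublicKey, p.rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Validate performs the checks a browser performs on the certificate the
// proxy presents: hostname match plus a chain ending at a root in `roots`.
func Validate(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	proxy, err := NewInterceptingProxy()
	if err != nil {
		panic(err)
	}
	leaf, err := proxy.MintLeaf("chase.com")
	if err != nil {
		panic(err)
	}
	// What the user sees in the browser's certificate viewer.
	fmt.Println("issuer shown to user:", leaf.Issuer.CommonName)
	// Company machine: the IT root is installed, so the forged cert validates.
	corporate := x509.NewCertPool()
	corporate.AddCert(proxy.RootCert)
	fmt.Println("corporate machine:", Validate(leaf, "chase.com", corporate))
	// Machine without the IT root (e.g. a personal laptop): hard failure.
	fmt.Println("untrusting machine:", Validate(leaf, "chase.com", x509.NewCertPool()))
}
```

The empty CertPool in the last call stands in for a machine where the IT root was never installed; there the browser would show a certificate warning, which is why such proxies only work cleanly on managed devices. Note that hostname checking is done against the SAN (DNSNames), so the forged cert for chase.com would still be rejected for www.chase.com unless the proxy mints a separate one.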