• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 392
  • Last Modified:

Is it possible that a proxy replace the SSL web certificate I installed on my server when browsing from outside my organisation ?

Hi !

I manage a webserver containing a secure section protected with a SSL web certificate. Everything work fine and when I browse the site from everywhere, I see my certificate by thawte.

However, when I try to acces the same site from a computer on the government network (Im not in USA) , it seems that their proxy replace my original SSL certificate with a custom one, the site still look secured but the certificate securing it is not the one from thawte. This is the case for all other site I know secure (www.royalbank.com, www.ingdirect.com etc...)

Should I trust this ?
Does it mean they can have access to the date I send and receive ?
What king of system does that (for further reading)

Thank you
0
Rubicon2009
Asked:
Rubicon2009
3 Solutions
 
FrabbleCommented:
Should I trust this ?
It's up to you. Some businesses take their security very seriously and you may not have a choice.

Does it mean they can have access to the date I send and receive ?
Yes, they can see the plaintext data.

What king of system does that (for further reading)
There are proxies than will intercept https and continue to make an SSL connection on behalf of the client. Google for "proxy intercept https"
0
 
Leon FesterCommented:
You mentioned government, so anything is possible.

It could be that they're running some anonymizing software that's redirecting your site via there own proxy, hence the SSL certificate being different.

I'm guessing that you've somehow already testing that they're not maybe accessing some other site, other then yours?

I'd suggest contacting your client/government liaison to confirm that the behavior seen on their side is in fact the expected behavior.
0
 
Dave HoweCommented:
That is a known issue, and sadly common.

Certain proxy boxes perform what amounts to a man in the middle attack (the best known of these would be cisco's Ironport WSA, but there are others - if you want to see this in action yourself, download the free proxy "webscarab" which does this) - the given reason is so they can do deep packet analysis and caching on https traffic, but equally, they can and should add exceptions for banking and other "sensitive" sites that the admins shouldn't have access to.

Bottom line though - if your cert is being replaced, *someone* is looking at your traffic, and may not have your best interests at heart.
0

Featured Post

Microsoft Certification Exam 74-409

VeeamĀ® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now