Is it possible that a proxy replaces the SSL web certificate I installed on my server when browsing from outside my organisation?

Posted on 2011-05-01
Last Modified: 2012-06-21
Hi!

I manage a webserver containing a secure section protected with an SSL web certificate. Everything works fine and when I browse the site from everywhere, I see my certificate by Thawte.

However, when I try to access the same site from a computer on the government network (I'm not in the USA), it seems that their proxy replaces my original SSL certificate with a custom one. The site still looks secured, but the certificate securing it is not the one from Thawte. This is the case for all other sites I know to be secure (, etc...)

Should I trust this?
Does it mean they can have access to the data I send and receive?
What kind of system does that (for further reading)?

Thank you
Question by:Rubicon2009

    Accepted Solution

    Should I trust this?
    It's up to you. Some businesses take their security very seriously and you may not have a choice.

    Does it mean they can have access to the data I send and receive?
    Yes, they can see the plaintext data.

    What kind of system does that (for further reading)?
    There are proxies that will intercept https and continue to make an SSL connection on behalf of the client. Google for "proxy intercept https".

    Assisted Solution

    by:Leon Fester
    You mentioned government, so anything is possible.

    It could be that they're running some anonymizing software that's redirecting your site via their own proxy, hence the SSL certificate being different.

    I'm guessing that you've somehow already tested that they're not maybe accessing some other site, other than yours?

    I'd suggest contacting your client/government liaison to confirm that the behavior seen on their side is in fact the expected behavior.

    Assisted Solution

    by:Dave Howe
    That is a known issue, and sadly common.

    Certain proxy boxes perform what amounts to a man-in-the-middle attack (the best known of these would be Cisco's IronPort WSA, but there are others - if you want to see this in action yourself, download the free proxy "WebScarab" which does this) - the given reason is so they can do deep packet analysis and caching on https traffic, but equally, they can and should add exceptions for banking and other "sensitive" sites that the admins shouldn't have access to.

    Bottom line though - if your cert is being replaced, *someone* is looking at your traffic, and may not have your best interests at heart.
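
A way for the site owner to confirm what the answers above describe, as an added example that is not part of the original thread: record the SHA-256 fingerprint of the certificate installed on the server, then compare it with the leaf certificate actually presented on a given network path. The function names and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fp(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex; return lowercase hex."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def sha256_fp(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate (DER) presented on this network path.

    Validation is switched off only so that a re-signed certificate can be
    captured and inspected; nothing else is sent over this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_replaced(observed_der: bytes, expected_fp: str) -> bool:
    """True when the observed certificate is not the one the server holds."""
    observed = sha256_fp(observed_der)
    return not hmac.compare_digest(observed, normalize_fp(expected_fp))


if __name__ == "__main__":
    # Constructed stand-ins for DER bytes, so the demo runs offline.
    server_cert = b"constructed: certificate installed on the server"
    proxy_cert = b"constructed: certificate re-signed by the proxy"
    pinned = sha256_fp(server_cert)  # recorded on the server itself
    print("direct path replaced? ", is_replaced(server_cert, pinned))
    print("proxied path replaced?", is_replaced(proxy_cert, pinned))
    # Live use: is_replaced(fetch_leaf_der("www.example.com"), pinned)
```

A mismatch also appears after a legitimate renewal, so re-record the fingerprint whenever the server certificate changes.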
