Can anybody see my https traffic?
In a nutshell: Yes!
- Is https broken? No
- Is https safe? Yes... as far as we know its limitations
- Can my employer see my https traffic? Probably
- Can my government see my https traffic? Probably
- Can my telco see my https traffic? Probably not
A little bit of background on https security
The security of https is based on two pillars (three, indeed, but only two are relevant here):
- Encryption (can a third party see my traffic)
- Authentication (is the other party who it says it is)
Nowadays encryption algorithms are good (so far, that we know... 😎)
Authentication is based on Trust, and this is where things start to be less than perfect: there is no point in encrypting traffic if anybody can get in the middle and say "hey! I am the guy you are speaking to", while you think you are speaking to somebody else safely, right? (See Wikipedia: man-in-the-middle attack)
So here the issue: there is no way we can really tell we are speaking to the remote server (i.e our bank?), unless somebody we rely on certifies it is. But, who is "Somebody we rely on"?
All browsers have a list of Root Certificate Authorities. This is a list of entities that have somehow certified to the browser software developer (Microsoft, Google, ...) that they are trustable and hence allowed to sign the certificates that everbody else is using (your bank, your company, this site...).
This is no fool's game: the requirements to be in that list are tight, and we should assume these can indeed be trusted. But...
Your browser's Root Certificate Authority list
Have you ever looked at the list? You might get surprised by the diversity of entities that can sign certificates. The issue is not that they can sign certiicates, but that they can sign any certificate, and your browser will trust it.
Moreover, any concerns are not necessarily due to the list that comes with the browser, but to what you or your company may have added afterwards.
What happens if one of these entities can get in the middle of your traffic, and sign any certificate for any request you are doing?
Easy: it will be able to decrypt all your traffic, and you will not (or will barely, indeed), notice. Your company's firewall or proxy is likely to be doing this!
All modern firewalls and proxies implement this functionality, and it has been around for years, at least since I patented this https filtering technology back in 2004.
Preventing MITM attacks
Of course you cannot start deleting certificates in the list without knowing what you are doing, so not much you can do, apart form being aware. Some hints anyway here:
- Do not, ever, under any circumstances, install a Root Certificate you do not Trust. Not even if they promise you a million bitcoins. Don't do it. If you think it can be trusted, think it again. It is not in the list for some reason.
- You can look at the little lock icon next to the URL. It says it is safe, but look into the certificate (more than on the certificate, on who is signing it). You will very easily see it is not who you think it was.
- Use client certificate authentication whenever possible. This technology cannot be used both ways: your browser's Root CA list does not apply to the server you are connecting to! Anyway, if your client certificate is used only for authentication, and not for all traffic, you are sold 😉
So just be aware: your https traffic can be, and is likely to be, in a corporate network, filtered and scanned. This is good: it allows your company's proxy to filter malicious pages just at the border. Same as they can see, and filter, non https traffic. But don't be naive enough as to think this is just not possible.