SSL injection by corporate proxy

spammyspammy Member

I noticed recently that my employer has started using SSL injection, in such a way that when I connect to websites such as Wikipedia (via an SSL connection), instead of the site's own SSL certs for Wikipedia (which are issued by GlobalSign), I see certs issued by my employer's IT department as the issuing authority.

Personally I want the job :) but at the same time I am pretty uncomfortable that my employer gets hold of all my login details, including the info for my bank account and tax authorities.

As such, I am just wondering if there is any way I can still force the browser to somehow use the original SSL certs issued to the websites I am visiting, without installing additional software or using some very obvious hacking method that would get me fired. We have to connect via the corporate firewall/proxy (i.e., no direct connection to the outside world).
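The check the poster did by eye (looking at the issuer in the browser's certificate viewer) can be scripted. The following is an added example, not code from the original post: it takes certificate data in the shape Python's `ssl.getpeercert()` returns, flags a chain whose issuer is not the CA the site is known to use, and adds a SHA-256 fingerprint pin against a value recorded from an uninterfered connection. The two certificate dicts, the "Example Corp" issuer and the GlobalSign intermediate common name are constructed for illustration; `fetch_peer_cert` is a live helper that the offline demo does not call.

```python
import hashlib
import socket
import ssl


def rdn_to_dict(name):
    """Flatten the nested tuple form ssl.getpeercert() uses for
    'subject' and 'issuer' into {attribute: value}."""
    out = {}
    for rdn in name:
        for key, value in rdn:
            out[key] = value
    return out


def check_issuer(cert, expected_issuer_orgs):
    """Compare the issuer organization on a certificate with the CA
    organization(s) the site is known to use.

    Returns (ok, issuer_org, issuer_cn). ok is False when the chain has
    been re-signed by a different CA, which is what an intercepting
    proxy (or a local AV product) does.
    """
    issuer = rdn_to_dict(cert.get("issuer", ()))
    org = issuer.get("organizationName", "")
    cn = issuer.get("commonName", "")
    return org in expected_issuer_orgs, org, cn


def check_fingerprint(der_bytes, expected_sha256):
    """Pin check: compare SHA-256 of the DER leaf with a fingerprint
    recorded from an uninterfered connection (e.g. from home).
    Accepts the colon-separated upper-case form browsers display."""
    wanted = expected_sha256.replace(":", "").lower()
    actual = hashlib.sha256(der_bytes).hexdigest()
    return actual == wanted, actual


def fetch_peer_cert(host, port=443, timeout=5):
    """Live helper (not used by the offline demo below): returns
    (cert_dict, der_bytes) for a direct TLS connection validated against
    the OS trust store. Behind an intercepting proxy this succeeds
    without error, because the corporate CA is installed in that store,
    and the issuer it returns is the proxy's CA. Where only HTTP CONNECT
    egress exists, the socket must first be tunnelled through the proxy."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample data shaped like ssl.getpeercert() output; these are
# not real certificates and "Example Corp" is a hypothetical employer.
DIRECT_CERT = {
    "subject": ((("commonName", "*.wikipedia.org"),),),
    "issuer": (
        (("countryName", "BE"),),
        (("organizationName", "GlobalSign nv-sa"),),
        (("commonName", "GlobalSign Organization Validation CA"),),
    ),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "*.wikipedia.org"),),),
    "issuer": (
        (("organizationName", "Example Corp IT Department"),),
        (("commonName", "Example Corp Proxy CA"),),
    ),
}

EXPECTED_ORGS = {"GlobalSign nv-sa"}


def classify(cert, expected_issuer_orgs=EXPECTED_ORGS):
    """Human-readable verdict for one certificate dict."""
    ok, org, cn = check_issuer(cert, expected_issuer_orgs)
    if ok:
        return "direct: issuer %s (%s)" % (org, cn)
    return "intercepted: chain re-signed by %s (%s)" % (org, cn)


if __name__ == "__main__":
    for label, cert in (("direct", DIRECT_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(label, "->", classify(cert))
    # SHA-256 of the empty string, used only to exercise the pin check offline.
    ok, seen = check_fingerprint(
        b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    print("pin match:", ok, seen)
```

Note that `getpeercert()` raises nothing behind such a proxy: the corporate root is in the OS store, so validation passes, which is exactly why the browser shows a padlock instead of a warning. Only the issuer comparison or the pin catches it, and the pin value has to be recorded off the corporate network.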


Comments

  • jarjar Patron Provider, Top Host, Veteran
    edited June 2015

    Local man in the middle? That's hardcore. A VPN might get you out of it. Maybe just don't browse personal stuff on the company network.

    I get it though. It's so hard to filter internet on a network with SSL becoming so common. It doesn't mean I support it, but I totally get it.

  • Never saw an enterprise doing it, but as @Jar said, it can be a way to filter internet on the network.

    Btw, if anyone uses Avast, check your certs too; it changes the cert as well, although you can disable it in the options.

  • tehdantehdan Member

    Time for a new job?

  • spammyspammy Member

    Jar said: A VPN might get you out of it

    Is there any web-based solution for VPN that would not be affected by SSL injection?

    Jar said: Maybe just don't browse personal stuff on the company network.

    Try not to, and that might be the best solution unfortunately.

  • Awmusic12635Awmusic12635 Member, Host Rep

    Many corporations use this.

  • @Awmusic12635 said:
    Many corporations use this.

    Even if this were true, that doesn't make it right.

    Anyway... why don't you talk to your employer about it? Tell him your concerns.

    Take a stand... leave if you have to. We live in a time where privacy will be lost forever if we don't take a stand.

  • Awmusic12635Awmusic12635 Member, Host Rep

    funyuns_are_awesome said: Even if this was true, that doesn't make it right

    Often the traffic is just passed through an IDS or IPS and forgotten about.

  • ClouviderClouvider Member, Patron Provider

    It might also be done by the AV software, Bitdefender does it to scan SSL protected traffic by default.

  • I've seen places that use SNI to read the host name and figure out where it's going. And if it's allowed it just proxies the connection but never decrypts it.

    spammy said: As such I am just wondering if there is any way I can still force the browser to somehow use the original SSL

    I don't see how you could make the browser do anything about it. It seems like they terminated the connection from the server to you and started their own from your browser to the company's server.

  • ATHKATHK Member

    @funyuns_are_awesome said:
    Take a stand... leave if you have to. We live in a time where privacy will go lost forever if we don't take a stand.

    You forget that a lot of companies have an issue with employees using the interwebz for anything other than work related things.

    Also don't forget that this may be stated in the OP's employee contract (if he has one); not much you can really do about it, except ask.

    The company may even outsource IT and it may be standard practice for that IT company to do this if it tracks/supports blocking of sites..

  • netomxnetomx Moderator, Veteran

    VPN over DNS?

  • Honestly @spammy, you won't get any sympathy from me if you get caught and fired for breaching a contract. They have every right to monitor the network they administer just like you have the right to give them two weeks and go find another job.

    Let me ask you this, why would you be doing your banking or any personal sensitive stuff while you're on the job to begin with?

    From my sysadmin standpoint I'm against helping the OP out.

  • @spammy said:
    Personally I want the job :) but at the same time I am pretty uncomfortable that my employer get a hold of all my login details including info to my bank account and tax authorities.

    Do you plan to do actual work there or are you going to use it as a public library computer? Are you getting by any chance paid for producing value?

  • DillybobDillybob Member
    edited June 2015

    techhelper1 said: Honestly @spammy, you won't get any sympathy from me if you get caught and fired for breaching a contract. They have every right to monitor the network they administer just like you have the right to give them two weeks and go find another job.

    Let me ask you this, why would you be doing your banking or any personal sensitive stuff while you're on the job to begin with?

    From my sysadmin standpoint I'm against helping the OP out.

    Lol what? A corporation/company doesn't need to use SSL injection to monitor their employees' internet activity, let alone to siphon/steal all their employees' login details?

  • @Dillybob said:
    A corporation/company doesn't need to use an SSL injection to monitor their employee's internet activity,

    Huh? How are you going to do packet analysis over SSL without MiTMing or installing your certs in the employee computers?

  • Practice performed at my high school. I haven't really bothered to work out how to bypass it, I just kinda am forced to accept it. =\

    The proxy seems to suck at handshaking with certain servers though. I cannot connect to any Cloudflare free SSL sites...

  • @deadbeef said:
    Huh? How are you going to do packet analysis over SSL without MiTMing or installing your certs in the employee computers?

    Monitor PC activity? Why not?

    This for example : http://www.refog.com/employee-monitoring/keyfeatures.html

  • @Dillybob said:
    Lol what? A corporation/company doesn't need to use an SSL injection to monitor their employee's internet activity, nonetheless to siphon/steal all their employee's login details?

    Uhh... Yes they do, just because it's over SSL doesn't grant the end user an immunity over the rules of the network they are on. If you don't agree to the rules, don't take the job, it's that simple. The place of business is the ISP giving access to that specific person and they have a right to protect themselves or make rules anyway they damn well please.

    Think IT - do you want automated solutions that the company buys along with a support contract and you don't have to touch after setup, or homegrown scripts & manual grunt work? ;)

  • raindog308raindog308 Administrator, Veteran

    Jar said: Local man in the middle? That's hardcore.

    tehdan said: Time for a new job?

    funyuns_are_awesome said: Take a stand... leave if you have to.

    Gadelhas said: Never saw an enterprise doing it,

    Not sure where you all work, but in large companies, governments, public sector, schools, etc., SSL introspection is very common. Many of the major appliances/solutions that people buy for Internet filtering/proxying have this feature...sometimes it's a question of whether people purchase that license or turn it on.

    Personally I'm sympathetic to the view that SSL introspection is inappropriate. Blocking by URL is fine, but once you start decrypting stuff meant to be encrypted, you are potentially handling people's passwords, etc. Someday there will be a big lawsuit about this, because I doubt there is any technical barrier to having some admin sweep logins into a text file for later use.

    I realize there's the "they own the network" argument but I've always thought that view was bullshit. Stuff that causes network problems (streaming Netflix, infecting yourself with malware, etc.) can be fixed by many solutions. If you're doing something inappropriate (watching porn at your desk), then that's an HR problem.

    Otherwise, welcome to 2015 where work time and life time get mixed together pretty thoroughly. I VPN from home at night when I need to do some work or fix an employer, and I don't get paid any more for that...my employer shouldn't be raising a stink if I check my mail while eating my lunch.

  • FritzFritz Veteran

    Just the same as what my company did. It is using a BlueCoat firewall, thus it replaces all SSL certificates with its own.

    My solution is by using VPN with specific open ports.

  • MrXMrX Member

    spammy said: I am pretty uncomfortable that my employer get a hold of all my login details including info to my bank account and tax authorities.

    Have you checked if they do it even for bank and tax authority websites? In some countries, that would be illegal. I have seen corporate proxies make exceptions for certain domains, mostly banks and government websites.

  • techhelper1techhelper1 Member
    edited June 2015

    @MrX said:
    Have you checked if they do it even for bank and tax authority websites? In some countries, that would be illegal. I have seen corporate proxies make exceptions for certain domains, mostly banks and government websites.

    Why would you visit your personal bank on company time?

  • @raindog308 said:
    I realize there's the "they own the network" argument but I've always thought that view was bullshit.

    How's it bs? You either accept the job and agree to the terms or you don't and leave. You don't have to work for that company and that company doesn't need to keep you.

    The bosses and IT department for an office are quite different from a regular ISP.

    Hell, they can filter torrent traffic, other VPN sites, streaming services, etc... They filter it because (1) it protects the network and the employees and (2) you shouldn't be doing any of that on company time.

  • It's probably so the content filter can check it's appropriate and the IDS/AV can scan it for malware/viruses

    The content filter could use SNI, but that's not as accurate as MITMing and scanning the content, and if they want to scan it for malware they will definitely need to MITM it.

    At the end of the day if you're using their computer on their network in their time then there's not a lot you can do about it.
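Two comments in this thread describe SNI-only filtering (reading the host name from the ClientHello and proxying the connection without ever decrypting it) and one notes that proxies often exempt bank and government domains from interception. The following is an added example, not code from the original thread, that implements both points: a parser that pulls the server_name out of a plaintext TLS ClientHello record, a builder that constructs test records, and a policy function with a bypass list. The domain names used in the policy, the cipher suite bytes and the fixed "random" field are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_sni(record):
    """Return the host name from the server_name extension of a TLS
    ClientHello record, or None if the record is not a ClientHello, is
    truncated, or carries no SNI. Nothing is decrypted: the ClientHello
    is plaintext in every TLS version up to 1.3 (Encrypted ClientHello
    aside), which is what lets a proxy route on it without a MITM."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # client_version + random
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                          # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + _u16(body, pos)                    # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 > len(body):
        return None                               # legal: no extensions block
    end = pos + 2 + _u16(body, pos)
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        if pos + elen > end:
            return None                           # extension overruns block
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(data) < 5:
            continue
        list_end = min(2 + _u16(data, 0), len(data))
        q = 2
        while q + 3 <= list_end:
            name_type, nlen = data[q], _u16(data, q + 1)
            q += 3
            name = data[q:q + nlen]
            q += nlen
            if name_type == 0 and len(name) == nlen:   # host_name entry
                return name.decode("ascii", "replace")
    return None


def proxy_decision(record, bypass_domains, blocked_domains):
    """Policy an SNI-based proxy applies before touching any ciphertext.
    bypass_domains (banks, tax authorities) are tunnelled untouched,
    blocked_domains are refused, flows without SNI get 'no-sni' so the
    operator can decide whether to drop or intercept them, and everything
    else is 'inspect': a decrypting proxy would MITM exactly this class."""
    host = parse_sni(record)
    if host is None:
        return "no-sni", None

    def matches(domains):
        return any(host == d or host.endswith("." + d) for d in domains)

    if matches(bypass_domains):
        return "bypass", host
    if matches(blocked_domains):
        return "block", host
    return "inspect", host


def build_client_hello(hostname=None):
    """Constructed ClientHello record for testing the parser; a fixed
    'random' and two arbitrary cipher suites, not a real client's hello."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    exts += struct.pack("!HH", 0x0017, 0)         # extended_master_secret, empty
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"
            + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    bypass, blocked = ["examplebank.test", "tax.example.gov"], ["video.example"]
    for host in ("en.wikipedia.org", "online.examplebank.test", "cdn.video.example", None):
        print(host, "->", proxy_decision(build_client_hello(host), bypass, blocked))
```

The "no-sni" branch is the case the high-school comment above ran into from the other side: a proxy that cannot extract a host name (older clients, or a handshake it fails to parse) has to either drop the flow or fall back to full interception, and a poorly written parser will reject perfectly valid hellos from some servers' clients.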

  • KuJoeKuJoe Member, Host Rep
    edited June 2015

    If you work at a decent sized company then there is a good chance they have a guest wireless for vendors or non-employees to use. That guest wireless is usually less secure and allows connecting to most major VPN protocols so that vendors can utilize them. You might want to check if the company you work for has this or you might want to start making friends with somebody who works on the networking or ITSEC team to get the inside scoop.

    Companies are 100% right to lock down their network to prevent employees from making mistakes (especially a mistake that could cost them millions of dollars or worse). It's up to the employees to be responsible, and if that means connecting a laptop/netbook/tablet/smartphone to a less secure network so they don't pose any risk to their employer, then so be it. Hell, I have a 4G hotspot I keep in my backpack that I put on the window sill next to my desk when I need it.

  • KuJoeKuJoe Member, Host Rep

    Also, I just checked and my employer does the same thing for HTTPS but not for RDP so maybe that's worth looking into?

  • @KuJoe said:
    If you work at a decent sized company then there is a good chance they have a guest wireless for vendors or non-employees to use. That guest wireless is usually less secure and allows connecting to most major VPN protocols so that vendors can utilize them.

    This is always an option if they have a guest network, although it's probably best to use your own device rather than a corporate device

  • TrafficTraffic Member
    edited June 2015

    KuJoe said: Companies are 100% right to lockdown their network to prevent employees from making mistakes (especially a mistake that could cost them millions of dollars or worse).

    +1. Also, it's their network, their resources, and don't forget they're paying you to actually work and you should be able to do so with the restrictions they have.
