Friday 29 June 2018

networking - Am I secure from network monitoring software if HTTPS is used?


I will be logging into my bank account and my personal email accounts at work. It's not banned at work, but I just don't want them to save/log a copy of whatever I do with these services. Especially my passwords.


If the service uses an HTTPS connection, will my company be able to track/save/log the passwords that I use for these services? What about the contents of the pages?


Again, rules in my company don't ban usage of my personal email account or internet banking services, but I just don't want them to know any important information about these. It is okay if they knew that I am using those, but they shouldn't get access to my passwords.


Can I safely use them (knowing my company can't save any of that data) if HTTPS is used?


P.S. I am really not a network guy and I don't know much about how these things work. So please don't give any RTFM replies.



Answer



Before answering: If a browser warns you a site is using poor encryption or supplying incorrect identity information, it's important to read the error, understand it, and think hard about whether you want to continue.


Short Answer: Yes, if you're using a trusted device.


Long Answer:


If someone is monitoring your connection from another computer (somewhere between you and your bank) and you are using HTTPS, and they are using signed certificates with a suitably strong algorithm, then you are in the clear. (Unless they save the data for years and later read it after the algorithm is broken - but they'd likely be better off breaking into your house and stealing your stuff ;) ).


Chances are, if it's your bank, then they are using signed certificates with a suitably strong cipher. You can verify this by looking at the SSL information for the page, which should be displayed if you look at the page info, click on the Blue or Green name to the left in the address bar with Firefox 3.5, or click on the lock to the right in the address bar in IE8. Firefox will also display the encryption algorithm used if you select More Information after clicking on the coloured area.


If you don't trust the device you're using to connect (such as a computer that is not your own that could have been modified by others), then it's of greater concern. Now, your workplace is likely not going to do anything illegal like look at your banking information; but it is possible for SSL to be undermined if your system is compromised. It could be that your computer is configured to accept certificates signed by a proxy (inspection of the certificate or certificate pinning would thwart this). However, surveillance could be anywhere - a keylogger wouldn't even need to defeat SSL to capture your banking credentials, for instance. SSL makes it so you don't need to trust the connection between two trusted endpoints, but if the endpoint itself is untrusted, all bets are off.
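The certificate inspection and pinning mentioned in the answer can be scripted. The following is an added example, not part of the original answer: it compares the issuer and SHA-256 fingerprint of the certificate this machine receives against values recorded earlier on a network you trust. The CA names, byte strings and the `check_connection` helper are constructed for illustration.

```python
import hashlib
import socket
import ssl

def issuer_fields(cert):
    """Flatten the nested 'issuer' tuple from SSLSocket.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def fingerprint(der_bytes):
    """SHA-256 fingerprint of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()

def check_connection(cert, der_bytes, expected_issuer_org, pinned_sha256):
    """Return a list of findings; an empty list means nothing looks re-signed."""
    findings = []
    org = issuer_fields(cert).get("organizationName", "<none>")
    if org != expected_issuer_org:
        findings.append(f"issuer is {org!r}, expected {expected_issuer_org!r}")
    if fingerprint(der_bytes) != pinned_sha256.lower():
        findings.append("leaf certificate does not match the pinned fingerprint")
    return findings

def fetch(host, port=443):
    """Live use: the certificate as validated against this machine's trust store.

    An inspection proxy whose CA is installed on the machine passes validation
    here, which is why the issuer and fingerprint are compared afterwards.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

# Constructed sample data (not real certificates): what getpeercert() might
# return on a direct connection and behind a hypothetical inspection proxy.
DIRECT_DER = b"constructed-der-bytes-direct"
PROXIED_DER = b"constructed-der-bytes-proxy"
PIN = fingerprint(DIRECT_DER)  # recorded earlier on a trusted network
DIRECT_CERT = {"issuer": ((("countryName", "US"),),
                          (("organizationName", "Example Public CA"),),
                          (("commonName", "Example Public CA G1"),))}
PROXIED_CERT = {"issuer": ((("organizationName", "Example Corp IT"),),
                           (("commonName", "Example Corp Inspection CA"),))}

if __name__ == "__main__":
    for name, cert, der in (("direct", DIRECT_CERT, DIRECT_DER),
                            ("proxied", PROXIED_CERT, PROXIED_DER)):
        print(name, check_connection(cert, der, "Example Public CA", PIN) or "ok")
```

A fingerprint mismatch also occurs when the site legitimately renews its certificate, so the pin has to be refreshed from a trusted network. A clean result covers only the connection; it says nothing about a keylogger on the machine itself.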

