Absolutely. Several enterprise-level proxies support re-encrypting the connections your browser makes using a corporate certification authority. Essentially the administration team can push out a certificate to your workstation via group policies, and add it to the list of trusted authorities. The proxy then has the private key corresponding to that certificate and generates a certificate for each hostname on the fly. Then, when your browser connects, the proxy uses HTTPS to connect to the destination, but then encrypts the actual tunnel to your browser using the aforementioned certificate and private key.
There are also open source and free proxies capable of this interception (which is just an MITM attack made easy by the administrators having access to the trusted certificate list on each workstation).
Edit: You can detect this by inspecting who has signed the certificate for each HTTPS site, but the name can even match existing certificates so you'd have to compare the fingerprint to a known good one of each certificate authority.
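The fingerprint comparison described in the edit above, as an added example that is not part of the original answer: it hashes the trust anchor of the validated chain and checks it against a set of known-good CA fingerprints instead of trusting the CA's name. The function names, the constructed byte strings standing in for DER certificates, and the idea that the known-good set was collected on a machine you administer are assumptions of this sketch.

```python
import hashlib
import socket
import ssl


def sha256_fp(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_verified_chain(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Return the validated chain as DER bytes, leaf first, trust anchor last.

    Relies on SSLSocket.get_verified_chain(), available from Python 3.13.
    """
    ctx = ssl.create_default_context()  # default trust store of this machine
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.get_verified_chain()


def check_anchor(chain_der: list, known_good: set) -> tuple:
    """Compare the chain's trust anchor with pinned fingerprints.

    Returns (is_known, anchor_fingerprint). The CA name is never consulted,
    because an interception CA can carry the same name as a public one.
    """
    if not chain_der:
        raise ValueError("empty certificate chain")
    fp = sha256_fp(chain_der[-1])
    return (fp in known_good, fp)


# Constructed stand-ins for DER blobs (not real certificates): two roots
# that present the same name but contain different keys.
REAL_ROOT = b"constructed: CN=Example Root CA, key A"
LOOKALIKE_ROOT = b"constructed: CN=Example Root CA, key B"
LEAF = b"constructed: CN=www.example.test"
KNOWN_GOOD = {sha256_fp(REAL_ROOT)}  # assumed to come from a trusted machine

if __name__ == "__main__":
    for label, root in (("direct", REAL_ROOT), ("intercepted", LOOKALIKE_ROOT)):
        known, fp = check_anchor([LEAF, root], KNOWN_GOOD)
        print(f"{label:12} anchor={fp[:16]}... known_good={known}")
```

On a live connection, pass the result of `fetch_verified_chain(host)` to `check_anchor` in place of the constructed chains.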
Generally not (see my edit below). HTTPS is encrypted end-to-end-- so your PC itself is doing encryption and decryption, as is the server computer on the other end. Everything that's on the wire is encrypted, so the proxy server computer is just seeing ciphertext flowing by.
Now, with that keylogger that the IT department installed on your PC... >smile<
Seriously, though, if someone else administers the machine you're using to access sensitive web sites they could have software or hardware installed on the PC itself to monitor you. I don't know how much you trust your employer, but I don't access sensitive web sites like banking from computers that are administered and/or owned by others.
Edit:
Gee-- I wish I'd gone ahead and typed that paragraph that I was thinking about adding re: a proxy that does an automated man-in-the-middle attack, 'cuz I guess there really are shady products out there that can do that! Craziness.
Apparently there are devices that can execute automated man-in-the-middle attacks against SSL. They require a CA certificate to be installed on the "victim" client computer since the proxy will, by definition, be minting fake certificates for every HTTPS site it tries to intercept communication to.
I'll stand by my statement above: Don't access sensitive web sites from computers you don't administer / own. In the case of one of those evil "man-in-the-middle" proxy servers that Luke mentioned in his post, your personal computer wouldn't have the necessary certificate authority certificate loaded for the proxy server's CA, and thus you'd get a warning in your browser that the web site had a certificate issued from an unknown CA.
The thought of such a product gives me a bad taste in my mouth. The only utility I can see in such a device is spying on users.