Best secure surfing solution
Posted by George on January 30th, 2004


Hi,

I would be grateful if someone could give me some advice.
Not wanting my ISP or employer to see confidential emails and surfing,
I have set up a service with companies providing secure web browsing
(Idzap, the cloak, etc). So my web browser is using https using
certificates from the company offering this service.
I have read about possibilities of intercepting the https with "man in
the middle" or maybe other techniques.
How difficult is it for an ISP or my company's network
administrator to do that? Translated into money, how much would they
need to spend to do that?
Are there any better solutions, maybe a VPN service, Kerberos setup or
anything else possible?
Of course the above assumes that the secure service provider is
trusted, on which I would be keen to find any of their commonly known
policies. (maybe suggestions)

Many thanks

George

Posted by Colonel Flagg on January 31st, 2004


In article <f86efd4e.0401301646.3729e776@posting.google.com>, lgst036@hotmail.com says...

other than the money involved in paying a good sysadmin his/her wages,
it can be done for free. keep a watch on your certificates, have your
client authenticate the cert and question any cert change. reverify with
the issuing agency and make sure signatures are correct.




--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."

"...I see stupid people."

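The certificate watch suggested in the reply above, sketched as an added example (not part of the original posts): a trust-on-first-use check that records a server certificate's SHA-256 fingerprint and flags any later change for re-verification. The host name `secure-proxy.example` and the byte strings standing in for DER certificates are constructed for the demo.

```python
import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the server presents right now (needs network;
    not called by the offline demo below)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(pins: dict, host: str, der: bytes) -> dict:
    """Compare the presented certificate with the fingerprint first recorded.

    A changed fingerprint never overwrites the stored pin: it is either a
    legitimate renewal or an interception point presenting its own
    certificate, and only checking with the issuer can tell which.
    """
    seen = fingerprint(der)
    known = pins.get(host)
    if known is None:
        pins[host] = seen          # first contact: record, cannot verify yet
        status = "first-seen"
    elif known == seen:
        status = "match"
    else:
        status = "changed"         # question the change, keep the old pin
    return {"host": host, "status": status, "pinned": pins[host], "seen": seen}


def demo() -> list:
    """Offline run with constructed stand-ins for two different certificates."""
    pins = {}
    cert_a = b"CONSTRUCTED-DER-BYTES-A"   # constructed, not a real certificate
    cert_b = b"CONSTRUCTED-DER-BYTES-B"   # constructed, e.g. a substituted cert
    host = "secure-proxy.example"         # hypothetical host name
    return [check_pin(pins, host, c)["status"]
            for c in (cert_a, cert_a, cert_b, cert_a)]


if __name__ == "__main__":
    print(demo())
```

For real use, pass `fetch_leaf_der(host)` to `check_pin` and keep the `pins` dictionary on storage that the network operator does not control.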
Posted by Lawrence Rodis on January 31st, 2004


George,

To prevent your ISP, what Flagg said is correct. For your Company, they
could have access to everything you do in minutes. Look at spectorsoft.com
and their spector professional edition. I'm using it on PC for several
clients. And have caught folks doing things they should not. Best to keep
your private stuff off of other people's PCs.


--
Regards,

Lawrence A. Rodis
President
Strategic Resource Consulting Group L.L.C.
702-221-6274
lrodis@strategicresource.com
www.strategicresource.com

"George" <lgst036@hotmail.com> wrote in message
news:f86efd4e.0401301646.3729e776@posting.google.com...


Posted by *Vanguard* on January 31st, 2004


"Lawrence Rodis" said in
news:k2ESb.3993$F23.1146@newsread2.news.pas.earthlink.net:
But since the connection is SSL secured, why would the user care that you
could sniff out their encrypted HTTP datastream? It'll look like a bunch of
garbage to you, the sniffer. You can still see *where* they are navigating
but you cannot see *what* they are sending and receiving.

The only way that spectorsoft.com could be determining what the user is
sending (but not what they are receiving) is to install a client on that
user's computer. That is, the product would have to install a keylogger.
That appears to be what the product does since it states, "..., Spector Pro
contains seven integrated tools that record: ..., keystrokes typed, ...".

You had better make sure that you have permission from each department to do
this sniffing and keylogging. Our department, for example, sometimes has
highly sensitive data between us and a partner that no one else in the
company should see (and anyone else seeing the data is a severe breach in
security). We even have to be in a separate section of the building, all
papers must be discarded in our wastebaskets and not outside our locked room
(because it gets handled separately and securely from the other trash),
recording devices are definitely taboo, and so on. If we caught anyone in
IS or elsewhere in our company sniffing our communications, even if they
were encrypted, they'd get laid off or, at least, suspended. Just like
there are laws prohibiting unauthorized wiretapping, there are always
internal policies and politics that dictate if anyone can go sniffing just
because they are curious. You need to establish well written and understood
policies and make sure all departments are educated (and you, too, about
what you are NOT allowed to do regarding communications from some
departments).

As far as the keylogger client, that wouldn't survive very long on my hosts.
By going through an intermediary but external anonymizer service using SSL,
all you could see is that I was connecting to that service but not where I
was actually connecting to past that service. If e-mails are sensitive then
the sender should be using encryption. You can see in your mail server logs
(and don't need SpectorSoft) where the e-mail went but not its content. Of
course, if anyone from IS installed anything on our alpha lab hosts, they
would get their ass royally kicked for corrupting our known configurations
used for testing.


--
____________________________________________________________
*** Post replies to newsgroup. E-mail is not accepted. ***
____________________________________________________________



Posted by Lawrence Rodis on January 31st, 2004


Vanguard,


The original poster asked how hard would it be for his company to monitor
his usage. The answer is very easily.
If I put that software on your system it would capture what you are doing
with keystrokes and display captures. No encryption would matter. Could IT
do it in your organization? With proper approval, yes. Would IT review the
data? Doubtful. Your boss or some other appropriate party? Yes.


--
Regards,

Lawrence A. Rodis
President
Strategic Resource Consulting Group L.L.C.
702-221-6274
lrodis@strategicresource.com
www.strategicresource.com

"*Vanguard*" <no-email@bogus.nix> wrote in message
news:KLadneHypudOzYbd4p2dnA@comcast.com...


Posted by George on January 31st, 2004


Thanks. I forgot to say that I have total control of the PC I am using
at work, to the point that I am setting the DNS, etc. I mention that as
an illustration of possible sniffing.
Would that change the answers?

Regards

George

Posted by Unknown on January 31st, 2004


If they happen to install something like Spector, it can be set up to run in
"stealth mode" where you wouldn't see any of the program files on your
machine ...I'm sure there would be something SOMEWHERE (registry, etc), but
you would have to know what you are looking for, etc.

In addition to keystrokes, it also takes screenshots, or basically a little
snapshot of exactly what is on your desktop at any given time (it can be set
to take one every couple seconds, to every couple minutes, and so on). It
also copies every email, whether you are using the company's email server,
or your own account on the side.

Now with that being said, is your company using something like this? Your IT
person would likely know. Spectorsoft and similar companies usually
encourage the employers to tell their employees they are being monitored,
but whether the employer actually does that is up to the employer. Also,
depending on the laws of your state, some are really flexible with privacy,
some are more careful. However, when you are in your company's building and
using their machine, you don't have many rights as to privacy.

I don't know if that answered your question any more or not. Since this is
going to several newsgroups, and the only one I check out of those is the vpn
group, you may get more information from one of the other newsgroups.




"George" <lgst036@hotmail.com> wrote in message
news:f86efd4e.0401310303.2993ea23@posting.google.com...


