Because someone else pays for the resources that you use unauthorizedly?
This may come as a shock to you, but you do not have a natural right to use resources that belong to someone else. Especially not if that some- one has taken steps to prevent you from using said resources.
By "control other people" you apparently mean "prevent other people from abusing company's resources".
I used another solution before using the tunnel. I used to go to a friend of mine working for another company and use his computer as they did not have any firewall limitations. This took me about 45 minutes in traveling, which I charged the company for. I charge $140h, you can do the math. What I am trying to say is that you should focus on security, not limit users since they will always find ways around your pathetic obstacle course. You can throw your flames at me, but that will not change the facts.
Fact: I would probably allow you to connect to your computer but I would also decode your SSL traffic and prevent any sensitive information from being transmitted, all the while I would be recording your actions so that you could be properly prosecuted.
Fact: Anyone taking your advice in this matter is an idiot.
This is no FUD, this is trivial. Just do a MITM attack at the server. You have no choice: Accept the changed certificate and the server can read everything, or reject it and your connection won't work.
Huh? Why? No one claimed that you're an idiot, just that your advice is idiotic.
More importantly, if the IT department cares, they'll install their own signed certificate on your PC, and when you attempt to establish an encrypted connection, they'll simply decrypt, log, and reencrypt.
Since your machine is configured to trust the certificate used during the reencryption phase, you won't even know it's happening unless you inspect the certificate (and much of that could be spoofed anyway, if an IT department was really worried about getting caught)
Well Imho any admin puting in webfiletsr are definity wrong, don'ät protect anythuing and makes life much harder. Usally this comes form the idea that poilices are bone hard and have to be technically enforced. An assumtion that actually don't work.
But may IT depetment have forgotten why they exists, whet the goal eher it, the bigger organisation the bigger risk for this. One of my main customers have these kinds of filters, i often get to use my proxy at home usin a ssh-tunnel to read relevent internet information. Out tools for security testring of the product often is blocked as hacking tools for one thing. (Yes ofcource the use us ssh and portforwaring to an external proxy is approved way of woring.)
One reason web filtering is at the workplace is protect others from seeing / reading things that someone else has on their screen they might find offensive. People should not be subjected to offensive things in their workplace. You look at what you want in the privacy of your own home.
Most people who visit this forum have been in industry for long enough to know what's right and wrong. The companies we all work for are NOT democracies. If we don't like the policies of the company we work for, we are free to take our talents else where.
Most companies I know do allow limited personal browsing.. that includes checking google mail or scanning thro' news articles. Forget about Nazi IT, what you are trying to do will not be allowed even if Gandhi were your IT admin.
Even fully untrusted Java Applets have permission to preselect a user-chosen certificate on a SSLSocketConnection object.
So, this is a plausible scenario: The IT department allows an installed webbrowser (not of his own choice) as well as the installed Java VM. They also didn't implement appropriate configuration of the Java VM to disallow all but whitelisted applets, but they may have limited it to never trust any applet.
He uses these to load his applet, either from removable media or downloaded from the Internet. It may be untrusted, but it's still allowed to first select its own certificate loaded from its resource and then create a SSLSocketConnection with this certificate.
This would allow him to detect the MITM attack.
But still he won't have any choice. Either it won't work or he will be sniffed.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.