Is it Possible to Intercept GMails?

[funnywan]

Is it technically possible/feasable to intercept Gmails even when
running your session under HTTPS?

The reason I ask is that there have been rumours at my company (small
company BTW) that management have the capability (if they wanted to do
it) to intercept/read our Gmails.

Never mind that this would be a total invasion of privacy but we have
all been debating at work whether this is possible or not, etc. so i
thought i would try to settle it once and for all - with your help of
course.

So...

1) Is this even possible?

2) If it is, how easy/difficult would it be to do (i.e. would it
require major resources and infrastructure, etc.) ?

3) What would the technical limitations of this be?

e.g. Would they need packet sniffers? Would they need tons of hard
drive space to store all internet traffic etc.? Would someone have to
physically be intercepting the traffic in real-time as it is being
sent/received?

Please help to finalise the Gmail interception debate - you will
receive nothing for your input but hey, at least it's friday today.

Thanks.

[Don]

First off, the computer and the network that connects it to the internet
belongs to the employer so the employer may access anything and monitor
anything that the computer is used for. Second, you are at work so anything
you do at work (except go to the bathroom and take an authorized break in
the designated break area) is subject to scrutiny by the employer.

Some jurisdictions have passed legislation that may grant or deny additional
rights to either the employer and/or the employee. You need to talk to your
IT department or your Personnel Manager about the employers
computer/network/IT policy.

That said, YES, it is possible for the employer to get to your emails
before/after/while you do. And it is very easy to do. The employee would
never even know it is happening. Everything you mention could/would be
used. It does no good for you to delete a message since it is in the server
backup.

Gmail and any other email provider can also easily
intercept/monitor/read/delete your email. Gmail DOES.... they use a
computer to read your email to find key words to use for selecting context
related advertising for you to view. All providers can scan all email or
maybe just randomly looking for violations of TOS. AOL does this for
sure.... they recently reported a person sending/receiving child pornography
to local authorities.

Big Brother has the capability and the legal authority, thanks to President
Bush, to scan ALL email anytime and anyplace they want to. Typically,
without a search warrant. In theory this is for Homeland Security purposes
only, but look for it to be seriously abused by Ashcroft and company.
Remember, Big Brother has a MUCH broader definition of "Homeland Security"
than you do.

Various laws require many companies to keep records of various network
activity, including email, that takes place on or through the company IT
system. Companies may keep 100% backups on a continuing basis (i.e. full
back up every night with incremental backups several times during the day).
If you send or receive an email on ANY computer, anywhere in the world, it
is a good bet that there are copies of that email in multiple backups of
multiple servers around the world.

The ease of interception and the capture in server backups is why many
companies have very strict rules on what can be said in an email. It is
also the source of the popularity of encryption software and digital
signing.

Don

[Jason W.]

On 11/4/05, funnywan <funn...@gmail.com> wrote:
>
> Is it technically possible/feasable to intercept Gmails even when
> running your session under HTTPS?

Since it's HTTPS, they can't intercept your emails as they come thru
the connection between your browser and gmail's severs. That's what
HTTPS does. They will know that you are on Gmail since they can tell
you're connecting to their servers. They'll know how long you're on
there, based on that info, but they can't read the connection stream
like they could if you used HTTP.

But they CAN do things like screen grabs, keyboard logging, browser
history/cache sniffing, and the ilk. So if you view it on your
monitor or type it, they could see it.

None of this applies to email provided by them - they have full access to that.

--
HTH, YMMV, HANW :)

Jason

EL-M Computer Help List - Computer help for listowners and list moderators
http://groups-beta.google.com/group/EL-M-ComputerHelp/about

Documentation - the worst part of programming

[Fuzzy Logic]

I work in cryptography as a career, so I think I can help answer
these. Answers inline.

On 11/4/05, funnywan <funn...@gmail.com> wrote:

> 1) Is this even possible?

Not really, no. If they tried a man-in-the-middle attack, you would
know because the certificate wouldn't verify, and your browser would
give you a warning.

> 2) If it is, how easy/difficult would it be to do (i.e. would it
> require major resources and infrastructure, etc.) ?

Not applicable.

> 3) What would the technical limitations of this be?

Not applicable.

> e.g. Would they need packet sniffers? Would they need tons of hard
> drive space to store all internet traffic etc.? Would someone have to
> physically be intercepting the traffic in real-time as it is being
> sent/received?

Not applicable.

[Fuzzy Logic]

Uh, lots of points to make in this one. Inline.

On 11/4/05, Don <dsw3...@gmail.com> wrote:

> First off, the computer and the network that connects it to the internet
> belongs to the employer so the employer may access anything and monitor
> anything that the computer is used for. Second, you are at work so anything
> you do at work (except go to the bathroom and take an authorized break in
> the designated break area) is subject to scrutiny by the employer.

True, but not relevant to the question.

> Some jurisdictions have passed legislation that may grant or deny additional
> rights to either the employer and/or the employee. You need to talk to your
> IT department or your Personnel Manager about the employers
> computer/network/IT policy.

Still not relevant.

> That said, YES, it is possible for the employer to get to your emails
> before/after/while you do. And it is very easy to do. The employee would
> never even know it is happening. Everything you mention could/would be
> used. It does no good for you to delete a message since it is in the server
> backup.

Explain? They would need to modify your browser to do this. MitM
attacks wouldn't work, so sniffing would be pointless. And, by
default, browsers don't cache secure pages (HTTPS). So, your point
doesn't hold water.

> Gmail and any other email provider can also easily
> intercept/monitor/read/delete your email. Gmail DOES.... they use a
> computer to read your email to find key words to use for selecting context
> related advertising for you to view. All providers can scan all email or
> maybe just randomly looking for violations of TOS. AOL does this for
> sure.... they recently reported a person sending/receiving child pornography
> to local authorities.

Yeah, but we're not talking about Gmail reading the mail. We're
talking about their employer.

> Big Brother has the capability and the legal authority, thanks to President
> Bush, to scan ALL email anytime and anyplace they want to. Typically,
> without a search warrant. In theory this is for Homeland Security purposes
> only, but look for it to be seriously abused by Ashcroft and company.
> Remember, Big Brother has a MUCH broader definition of "Homeland Security"
> than you do.

Yeah, but that's the point of secure webpages. If you're using
unencrypted SMTP (with other providers), it is easily snooped. If
you're using SSL or TLS (HTTPS, POP3 w/ security, SMTP w/ security),
this is no longer feasible.

> Various laws require many companies to keep records of various network
> activity, including email, that takes place on or through the company IT
> system.

Right, but the conversation is encrypted during transit so what would
be the point?

> Companies may keep 100% backups on a continuing basis (i.e. full
> back up every night with incremental backups several times during the day).
> If you send or receive an email on ANY computer, anywhere in the world, it
> is a good bet that there are copies of that email in multiple backups of
> multiple servers around the world.

Except that you are incorrect. As I said before, HTTPS pages are
generally _not_ cached, so even if I back up my machine, the data
won't be there.

> The ease of interception and the capture in server backups is why many
> companies have very strict rules on what can be said in an email. It is
> also the source of the popularity of encryption software and digital
> signing.

Right, which is why it is nice that Gmail uses encryption.

Fuzzy

[funnywan]

Thanks very much to all of you (Don, Jason W. and Fuzzy Logic) for your
responses - much appreciated.

Don: I appreciate your input but since i work in the IT Industry and
DON'T live in the U.S. i would have preferred technical explanations to
back-up your statements.

Jason W and Fuzzy Logic: Very informative, thanks.

A) Just to clarify for the sake of completeness, in other words what
you're saying is that as long as i log into my Gmail using HTTPS and
make sure the session remians under HTTPS I have nothing to worry about
and no-one would be able to de-crypt and read any mails i
send/receive??

B) They would be able to intercept mails but since the traffic is
encrypted over SSL they wouldn't be able to read them??

Thanks again everyone,
FunnyWan

[Rachel Garrett]

FunnyWan, this isn't really in answer to your question, but just a
point you may want to consider. Even if the company can't read your
Gmail, they can still most likely tell that you've visited the Gmail
website. Even if they can't read your e-mail, they can still tell that
you were checking your e-mail. Does your company have a policy stating
that company computers are not to be used for personal use?

--Rachel

[funnywan]

Our company has a policy that we may use our PC's for personal use but
within reason. I'm not worried about anyone knowing that I've been
logged on to Gmail. Just concerned that they would be able to read my
sent/received Gmails.

[Fuzzy Logic]

That is exactly what I am saying. The idea of HTTPS is that only the
two endpoints will be able to read the page in question within a
reasonable time. While they could snag the page on the wire, as it
were, they would not be able to decrypt it, and so it would be
useless.

Fuzzy

[Jason W.]

On 11/7/05, funnywan <funn...@gmail.com> wrote:

> A) Just to clarify for the sake of completeness, in other words what
> you're saying is that as long as i log into my Gmail using HTTPS and
> make sure the session remians under HTTPS I have nothing to worry about
> and no-one would be able to de-crypt and read any mails i
> send/receive??

They can't read the HTTPS connection, right. If they montior such
things and attempt to read the connection as it goes in & out of the
office, they'll just see gobbleygook.

> B) They would be able to intercept mails but since the traffic is
> encrypted over SSL they wouldn't be able to read them??

If they have software on your PC that does screen grabs every 30
seconds, they sure could. Some places do that. It'd be hard to tell if
they do or not without asking them.

Once it's on your browser screen, there's nothing to keep Windows or
another program from grabbing that image and saving it somewhere.

[funnywan]

Thanks everyone. That pretty much answers my questions.

[Anonomousse]

Im curious about the same thing...
just departed from a company that has an interest in me even after departure

[Zack (Doc)]

If you read the whole thread that you replied to, instead of just the introductory message, you'd have seen several answers to those questions, but to summarize...

Anything you do while on the employers network (not since, but while you were there) is subject to monitoring by them.  Period.  Since it is HTTPS, they would only see that you were accessing it, but not exactly what you were doing... EXCEPT...

Fuzzy Logic pointed out that it would take a man-in-the-middle attack to decrypt the connection, which "your browser would warn you about", but that's not entirely true.  SSL Interceptors, which many companies now use, can do such an attack, and if they just re-signed the connection, and used a certificate that your computer trusts (and since they own the computer, they designate the trust), your browser would NOT warn you.  You could see that they're signing it by looking at the certificate, but most people don't bother to read the certificates, and just look for the pretty green lock; which you still see.

Bottom line, don't do anything on your company's network/hardware that you don't want them to know about.

--
You received this message because you are subscribed to the Google Groups "Gmail-Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gmail-users...@googlegroups.com.
To post to this group, send email to gmail...@googlegroups.com.
Visit this group at http://groups.google.com/group/gmail-users.
For more options, visit https://groups.google.com/d/optout.