How do I encrypt my http traffic so my company can't read it? Oh, did I mention SSL is no longer an option since they intend to decrypt all SSL traffic that passes through their proxies?
My company places a lot of importance on information security, which is good. Internet access, which isn't universally available in the company, is limited to ports 80 and 443. I've recently learned that they intend to upgrade our current proxies to one that can decrypt, and allow them to inspect the contents of, SSL communications. There are a number of companies who provide such products. Since we're allowed by policy to access our private web-based e-mail, and this isn't going to change, I'm not comfortable with this at all. I have a Linux box on the outside, and on that I have CGIProxy and GNU HTTP-Tunnel. (Our primary hardware vendor puts their updates on an FTP site, this is how I am able to get them). These are both run over https, but I'm hoping to find a method that will allow all requests to be encrypted before they leave the browser so they can't be decrypted. Does anyone know of such a solution?
I'm thinking of a proxy that runs on my machine. That proxy will create an encrypted tunnel between itself and my external https server going through the company's proxies. My browser will be pointed at the local proxy, thus encrypting all traffic before it even gets to the proxy. If I use a sufficiently high enough level of encryption, their decrypter would be useless. Oh, and the company proxies require authentication, so it would have to support that as well. And, the proxies will only proxy http and https traffic. I've tried the ones that try to get ssh traffic out over 80, they don't work.
For those preparing to give me a lecture, you can spare me the ethics of doing this. I'm fully aware it would be a violation of policy. I don't care. Considering they're not even telling people they're doing it, I find this kind of behavior reprehensible.
posted by reverendX at 12:08 PM on May 11, 2006