Security and TLS proxies

At Camilion we take security seriously, which is why we engage in all reasonable precautions to ensure the software you get is the software we design.

Amongst other things we sign our code digitally and, the topic of this post, we make sure that your end users are talking to our servers and not to something else.

Here we will explain to you how that works and how, in certain environments, that can lead to issues. Should you have these issues, read the section What to do if I have a TLS-proxy?

User to Server Communication
- Transport Layer Security (TLS)
- Chain of Trust
  - What are TLS proxies?
  - When are TLS proxies used?
What to do if I have a TLS-proxy?
Conclusion

User to Server Communication

Whenever you open our webpage, install our software or sign in to access your trials or licenses, your device must contact our servers.

Given how the internet works, the data you send to us (e.g. your email to sign in) and the data we send to you (e.g. our Sheeets for Autodesk® Revit®) passes through countless devices outside of both your and our control. Such devices can be routers, firewalls, proxies, etc.

Transport Layer Security (TLS)

Our goal is to ensure your Personal Information is safe, and to be be reasonably sure that nothing strange is going on on the network.

To do this, the data in that travels through the network is encrypted using Transport Layer Security (TLS), this ensures that, for practical purposes, the connection looks like this:

 ______    Email    __________
| Your | --------> | Camilion |
|Device|  Program  | Servers  |
|______| <-------- |__________|

And that none of the devices that forward the information between you and us are able to read or modify the information.

Chain of Trust

We introduced the concept of the Chain of Trust when we talked about Code Signing Certificates, in this case it works very similarly.

Your computer has pre-installed a set of Root Certification Authorities, that sign / trust Intermediate Authorities, which in turn end up signing or trusting end certificates like ours.

That is, a Chain of Trust can be built.

Camilion Code Signing Chain of Trust 2022

What are TLS proxies?

However in certain environments, so-called TLS proxies are used which install custom Root Certification Authorities on your devices and intercept all communications.

 ______    Email      _______   Email??    __________
| Your | ----------> |  TLS  | ---------> | Camilion |
|Device|  Program??  | Proxy |  Program   | Servers  |
|______| <---------- |_______| <--------- |__________|
                        /\
               good? __/  \___ Can see/modify your data
               evil?           Can modify our software

Notice that this scenario breaks the warranties of privacy and integrity; that is, we cannot be sure that your Personal Information is secure and we can also not ensure that you are getting the software as we designed it.

Which is why our software detects TLS-proxies and refuses to work with them.

When are TLS proxies used?

There are many reasons, the most common one is to limit or filter what users or employees can do on the network or with corporate equipment.

However, and it is not entirely uncommon, in some cases there is indeed a case of Mensch in the middle attack which can be targeting you or your company for many reasons including: phishing, ransomware, corporate espionage, etc.

We call this Mensch in the middle attack, Mensch means “human” in German. Traditionally “MITM” stands for “Man in the middle attack”.

What to do if I have a TLS-proxy?

Now that you know what a TLS-proxy is and why our software will refuse to work in such a scenario, let’s look into what you should do next.

First, get in touch with your IT services, feel free to send them this link and have them confirm that it is them who are running such a TLS-proxy; if it is not the case, have them scan your equipment for malware.

Once that is cleared up, your IT services should get in touch with us so we can figure out a way to have our software work for you.

There are basically two options:

Preferred one: they add an exception to our servers, so the connection is direct between your devices and us. For this, IT will usually need the involved hostnames: apps.camilion.eu and camilion.eu.
Last-resort: they send us the public parts of their custom Root Certificates and we add an exception.

Either way, the pros and cons are best discussed in a case-by-case basis with your IT services.

Conclusion

As you can see, we are committed to keeping you and your data secure. Sometimes there are policies that go against each other, but with the beauty of collaboration we can make things work out.

Not many of you will run into these issues, and if you do, let’s find a solution together.

For the rest of you, we hope you have learned some more and it helps you stay safe on the internet!