{"id":2094,"date":"2022-02-28T08:00:00","date_gmt":"2022-02-28T07:00:00","guid":{"rendered":"https:\/\/camilion.dms3labs.cat\/2022\/02\/28\/security-and-tls-proxies\/"},"modified":"2024-02-14T17:01:45","modified_gmt":"2024-02-14T16:01:45","slug":"security-and-tls-proxies","status":"publish","type":"post","link":"https:\/\/camilion.eu\/es\/2022\/02\/28\/security-and-tls-proxies\/","title":{"rendered":"Security and TLS proxies"},"content":{"rendered":"<p>At <a href=\"https:\/\/camilion.eu\/es\/\">Camilion<\/a> we take security seriously, which is why we engage in<br \/>\nall reasonable precautions to ensure the software you get is the software we<br \/>\ndesign.<\/p>\n<p>Amongst other things we <a href=\"https:\/\/camilion.eu\/en\/blog\/2022-security-code-certificates\/\">sign our code digitally<\/a> and, the topic<br \/>\nof this post, we make sure that your end users are talking to our servers and<br \/>\nnot to something else.<\/p>\n<p>Here we will explain to you how that works and how, in certain environments,<br \/>\nthat can lead to issues.<br \/>\nShould you have these issues, read the section<br \/>\n<a href=\"https:\/\/camilion.eu\/en\/blog\/2022-security-tls-proxies\/#what-to-do-if-i-have-a-tls-proxy\">What to do if I have a TLS-proxy?<\/a><\/p>\n<div class=\"toc\">\n<ul>\n<li><a href=\"#user-to-server-communication\">User to Server Communication<\/a>\n<ul>\n<li><a href=\"#transport-layer-security-tls\">Transport Layer Security (TLS)<\/a><\/li>\n<li><a href=\"#chain-of-trust\">Chain of Trust<\/a>\n<ul>\n<li><a href=\"#what-are-tls-proxies\">What are TLS proxies?<\/a><\/li>\n<li><a href=\"#when-are-tls-proxies-used\">When are TLS proxies used?<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#what-to-do-if-i-have-a-tls-proxy\">What to do if I have a TLS-proxy?<\/a><\/li>\n<li><a href=\"#conclusion\">Conclusion<\/a><\/li>\n<\/ul>\n<\/div>\n<h2 id=\"user-to-server-communication\">User to Server Communication<\/h2>\n<p>Whenever you open our webpage, 
install our software or sign in to access your<br \/>\ntrials or licenses, your device must contact our servers.<\/p>\n<p>Given how the internet works, the data you send to us (e.g. your email to sign<br \/>\nin) and the data we send to you (e.g. our <a href=\"https:\/\/camilion.eu\/en\/apps\/Sheeets\/\">Sheeets<\/a> for Autodesk\u00ae<br \/>\nRevit\u00ae) passes through countless devices outside of both your and our control.<br \/>\nSuch devices can be routers, firewalls, proxies, etc.<\/p>\n<h3 id=\"transport-layer-security-tls\"><a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\" target=\"_blank\" rel=\"noopener\">Transport Layer Security<\/a> (TLS)<\/h3>\n<p>Our goal is to ensure your Personal Information is safe, and to be reasonably<br \/>\nsure that nothing strange is going on on the network.<\/p>\n<p>To do this, the data that travels through the network is encrypted using<br \/>\n<a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\" target=\"_blank\" rel=\"noopener\">Transport Layer Security<\/a> (<strong>TLS<\/strong>). This ensures that,<br \/>\nfor practical purposes, the connection looks like this:<\/p>\n<pre class=\"codehilite\"><code> ______    Email    __________\n| Your | --------&gt; | Camilion |\n|Device|  Program  | Servers  |\n|______| &lt;-------- |__________|\n<\/code><\/pre>\n<p>And that none of the devices that forward the information between you and us<br \/>\nare able to read or modify the information.<\/p>\n<h3 id=\"chain-of-trust\">Chain of Trust<\/h3>\n<p>We introduced the concept of the Chain of Trust when we talked about<br \/>\n<a href=\"https:\/\/camilion.eu\/en\/blog\/2022-security-code-certificates\/#what-is-a-code-signing-certificate\">Code Signing Certificates<\/a>; in this case it works very<br \/>\nsimilarly.<\/p>\n<p>Your computer has a pre-installed set of Root Certification Authorities that<br \/>\nsign \/ trust Intermediate Authorities, which in turn end up signing or trusting<br 
\/>\nend certificates like ours.<\/p>\n<p>That is, a Chain of Trust can be built.<\/p>\n<p><img decoding=\"async\" alt=\"Camilion Code Signing Chain of Trust 2022\" src=\"https:\/\/camilion.eu\/wp-content\/uploads\/2024\/02\/camilion2022chain.png\" title=\"\"><\/p>\n<h4 id=\"what-are-tls-proxies\">What are TLS proxies?<\/h4>\n<p>However, in certain environments so-called TLS proxies are used, which install<br \/>\ncustom Root Certification Authorities on your devices and intercept all<br \/>\ncommunications.<\/p>\n<pre class=\"codehilite\"><code> ______    Email      _______   Email??    __________\n| Your | ----------&gt; |  TLS  | ---------&gt; | Camilion |\n|Device|  Program??  | Proxy |  Program   | Servers  |\n|______| &lt;---------- |_______| &lt;--------- |__________|\n                        \/\n               good? __\/  ___ Can see\/modify your data\n               evil?           Can modify our software\n<\/code><\/pre>\n<p>Notice that this scenario breaks the guarantees of privacy and integrity;<br \/>\nthat is, we cannot be sure that your Personal Information is secure and we can<br \/>\nalso not ensure that you are getting the software as we designed it.<\/p>\n<p>Which is why <strong>our software detects TLS-proxies and refuses to work<\/strong> with them.<\/p>\n<h4 id=\"when-are-tls-proxies-used\">When are TLS proxies used?<\/h4>\n<p>There are many reasons; the most common one is to limit or filter what<br \/>\nusers or employees can do on the network or with corporate equipment.<\/p>\n<p>However, and it is not entirely uncommon, in some cases there is indeed a case<br \/>\nof <a href=\"https:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\" target=\"_blank\" rel=\"noopener\"><em>Mensch<\/em> in the middle attack<\/a>, which can be targeting you or your<br \/>\ncompany for many reasons including: phishing, ransomware, corporate espionage,<br \/>\netc.<\/p>\n<blockquote>\n<p>We call this <em>Mensch<\/em> in the middle attack, <em>Mensch<\/em> means 
&ldquo;human&rdquo; in German.<br \/>\nTraditionally &ldquo;MITM&rdquo; stands for &ldquo;Man in the middle attack&rdquo;.<\/p>\n<\/blockquote>\n<h2 id=\"what-to-do-if-i-have-a-tls-proxy\">What to do if I have a TLS-proxy?<\/h2>\n<p>Now that you know what a TLS-proxy is and why our software will refuse to work<br \/>\nin such a scenario, let&rsquo;s look into what you should do next.<\/p>\n<p>First, get in touch with your IT services; feel free to send them this link and<br \/>\nhave them confirm that it is them who are running such a TLS-proxy; if it is not<br \/>\nthe case, have them scan your equipment for malware.<\/p>\n<p>Once that is cleared up, your IT services should get in touch with us so we can<br \/>\nfigure out a way to have our software work for you.<\/p>\n<p>There are basically two options:<\/p>\n<ul>\n<li><strong>Preferred one<\/strong>: they add an exception for our servers, so the connection is direct between your devices and us. For this, IT will usually need the involved hostnames: <code>apps.camilion.eu<\/code> and <code>camilion.eu<\/code>.<\/li>\n<li><strong>Last-resort<\/strong>: they send us the public parts of their custom Root Certificates and we add an exception.<\/li>\n<\/ul>\n<p>Either way, the pros and cons are best discussed on a case-by-case basis with<br \/>\nyour IT services.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>As you can see, we are committed to keeping you and your data secure.<br \/>\nSometimes there are policies that go against each other, but with the beauty of<br \/>\ncollaboration we can make things work out.<\/p>\n<p>Not many of you will run into these issues, and if you do, let&rsquo;s find a<br \/>\nsolution together.<\/p>\n<p>For the rest of you, we hope you have learned some more and it helps you stay<br \/>\nsafe on the internet!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At <a href=\"https:\/\/camilion.eu\">Camilion<\/a> we take security seriously, which is why we engage in<br \/>\nall 
reasonable precautions to ensure the software you get is the software we<br \/>\ndesign.<\/p>\n<p>Amongst other things we <a href=\"https:\/\/camilion.eu\/en\/blog\/2022-security-code-certificates\/\">sign our code digitally<\/a> and, the topic<br \/>\nof this post, we make sure that your end users are talking to our servers and<br \/>\nnot to something else.<\/p>\n<p>Here we will explain to you how that works and how, in certain environments,<br \/>\nthat can lead to issues.<br \/>\nShould you have these issues, read the section<br \/>\n<a href=\"https:\/\/camilion.eu\/en\/blog\/2022-security-tls-proxies\/#what-to-do-if-i-have-a-tls-proxy\">What to do if I have a TLS-proxy?<\/a><\/p>\n","protected":false},"author":1,"featured_media":1222,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[192],"tags":[],"dipi_cpt_category":[],"class_list":["post-2094","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howto-es"],"acf":[],"_links":{"self":[{"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/posts\/2094","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/comments?post=2094"}],"version-history":[{"count":3,"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/posts\/2094\/revisions"}],"predecessor-version":[{"id":2158,"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/posts\/2094\/revisions\/2158"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/media\/1222"}],"wp:attachment":[{"href":"https:\/\/camilion
.eu\/es\/wp-json\/wp\/v2\/media?parent=2094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/categories?post=2094"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/tags?post=2094"},{"taxonomy":"dipi_cpt_category","embeddable":true,"href":"https:\/\/camilion.eu\/es\/wp-json\/wp\/v2\/dipi_cpt_category?post=2094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}