I noticed an intersting thing. Every time when I access a SSL enabled website like chase.com in my company. The SSL certificate is not from a well known CA like VeriSign but the IT department of my company. We use a dynamic proxy (I don't know how to explain but we don't need to set it up in IE->connection section for sure) for every internet access. I was guessing that the proxy changes the SSL certificate to our IT's own certificate. My guess: Every time a SSL connection start, the proxy take my HTTPS request, get the certificate (let's call it SSL_Chase, for both SSL and the symetric key for data encryption) from the website like chase, change the certificate to our own IT certificate (let's call it SSL_IT) and send it with the respose to me. I fill out the user name and passowrd, my machine using SSL_IT to encrype my data and our proxy get it and unencrype it. Then the proxy encrype it using SSL_Chase and send to chase. So chase think our proxy is me and I think our proxy is chase, except the IT certificate is not from chase (I think most users won't notice it). This means, IT department knows everything we send to chase and chase send to me!! I was wondering if my guess is possible, from the SSL connection algorithm point of view. Hope anybody can give me a hint.

Thanks a lot!

It probably goes like this: you have your IT department's certificate as a trusted root certificate on your computer. When you browse to an HTTPS address, the proxy generates a certificate for that site on the fly, signed by the certificate that's trusted on your site. You then communicate with your proxy, and the proxy communicates with the real site. Both "legs" of the travel are over SSL/TLS, so you're safe from a random man in the middle, but your IT department can theoretically view all the communication.