As an employer I would prefer employees not to use the corporate network for personal email. The network exists for business use.
As an employee I prefer not to use the corporate network for truly personal email.
If I am the employer that responsibly monitors the traffic to and from our network, including TLS traffic, an employee that uses our network for personal use with a surveillance "tech" company service such as Google Mail, Facebook, etc. is putting her own privacy at risk. Because I can extract her cookies from the traffic, all she has to do is forget to log out once and I now have a "bearer token", i.e., a cookie, with no expiration,^1 that lets me access her account at any time in the future.
^1 The type of cookie that lets users stay "logged in" indefinitely. A non-"tech" company with sufficient legitimate sources of revenue besides online ads may not use such cookies. For example, if an employee logs in to her personal bank account using the corporate network but forgets to log out, the bank website will log her out automatically and the cookies will expire.
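As an added illustration of the footnote's point (not code from any commenter), here is a defender-side audit that classifies captured Set-Cookie headers by remaining lifetime, so that long-lived "stay logged in" bearer cookies stand out from session or short-lived ones. The headers and the reference time are constructed samples.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, as a monitoring proxy might record them.
CAPTURED_SET_COOKIES = [
    "SID=abc123; Domain=.example-mail.test; Path=/; Expires=Sat, 01 Jan 2033 00:00:00 GMT; Secure; HttpOnly",
    "session=xyz789; Path=/; Secure; HttpOnly",
    "auth=def456; Path=/; Max-Age=900; Secure; HttpOnly",
]

# Constructed reference time for the audit (the thread dates from 2021).
EXAMPLE_NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)

# Anything living longer than this is treated as a persistent bearer token.
LONG_LIVED = timedelta(days=30)


def cookie_lifetime(header, now):
    """Remaining lifetime of the cookie set by one Set-Cookie header.

    Returns a timedelta, or None for a session cookie (no Expires / Max-Age).
    """
    jar = SimpleCookie()
    jar.load(header)
    for morsel in jar.values():
        # RFC 6265: Max-Age takes precedence over Expires when both are present.
        if morsel["max-age"]:
            return timedelta(seconds=int(morsel["max-age"]))
        if morsel["expires"]:
            expires = parsedate_to_datetime(morsel["expires"])
            if expires.tzinfo is None:  # defensive: treat a naive date as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            return expires - now
        return None
    return None


def audit(headers, now):
    """Classify each header as 'session', 'short-lived' or 'persistent'."""
    findings = []
    for header in headers:
        name = header.split("=", 1)[0].strip()
        lifetime = cookie_lifetime(header, now)
        if lifetime is None:
            category = "session"
        elif lifetime > LONG_LIVED:
            category = "persistent"
        else:
            category = "short-lived"
        findings.append((name, category))
    return findings


if __name__ == "__main__":
    for name, category in audit(CAPTURED_SET_COOKIES, EXAMPLE_NOW):
        print(f"{name}: {category}")
```

Run against real proxy logs, the "persistent" findings are the cookies that remain usable long after the employee has stopped using the network, which is exactly the exposure the footnote describes.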
>As an employer I would prefer employees not to use the corporate network for personal email. The network exists for business use.
And as an employee that actually exists in 2021, I'd tell you to get a clue.
>As an employee I prefer not to use the corporate network for truly personal email.
And that's your preference. If you think everyone shares that preference or even realizes the implications you're delusional.
>If I am the employer that responsibly monitors the traffic to and from our network, including TLS traffic, an employee that uses our network for personal use with a surveillance "tech" company service such as Google Mail, Facebook, etc. is putting her own privacy at risk.
No, you're putting them at risk by MITMing their traffic. There's absolutely nothing that forces you to do that. If you don't have separation between the network where humans live, and where The Business lives, that's what's irresponsible.
Probably you need to re-read your employee agreement. Some of these policies are clearly stated and you signed up for them when you were employed.
Don't know why you are getting downvoted and people are getting emotional.
I have family members who work in compliance. Everything is fair game for surveillance. I know of someone who got fired for accidentally uploading his WhatsApp chat history via work email (this is how chat history backup used to work) and was fired from JPMorgan for having references to drugs.
You can choose not to work for companies like this (indeed I have always fully owned my machine at work) but you're just kidding yourself if you think bigco aren't monitoring everything you do.
I assume you're talking only about employees using corporate devices on the corporate network. If the employee can connect a personal device to the corporate network the employee will be safe from the MITM.
But anyways, my point is not whether or not you should use a personal device on a corporate network, my point is that if you do use a personal device on a corporate network you will be secure from MITMs.
Why shouldn't you pay? If it's personal use, why should the employer subsidise that?
My point is if you don't use a personal device on the corporate network paid for by your employer and instead use the personal device on the cellular network you pay for, then you will be "secure from MITMs".
I'm not saying the employer should subsidize it. Some employers might. If your employer provides that perk, it might make sense to use it. Similar to how if a restaurant provides free wifi it might make sense to use it.
I think the real way to be secure from MITMs is to use a device that you control the root CAs of. If you control the root CAs, you'll be safe no matter what network you're on. If you don't control the root CAs, you'll be vulnerable no matter what network you're on (but some networks will carry a higher likelihood of an attack).
Basic TLS is sufficient to stop your employer from MITM'ing your personal email session as long as you control what certificates your machine trusts.
Certificate pinning is what protects the main sites (who use pinning) from an advanced attacker or a rogue government who are able to get a proper CA to issue fake certificates.
>Basic TLS is sufficient to stop your employer from MITM'ing your personal email session as long as you control what certificates your machine trusts.
Which, on almost any employer-issued device on a large corporate network today, you won't.
Personal stuff goes on personal devices with personal connectivity and uses personal accounts with personal security. Work stuff goes on work devices with work connectivity and uses work accounts with work security. Contaminating either with the other is just a recipe for bad things happening, often for both the employer and the employee.
By contrast, I'm typing on a work computer right now. We deploy no special certificates to attempt to MITM traffic, nor will we ever.
I'm using a Chromebook, which allows me to run multiple users at the same time, each with their own profiles. Each user has their own encryption keys for their hard drive. We have no corporate network, no VPN, and instead rely on attestation for authorization.
I prefer to use this device for personal use because I know how safe it is.
Yes, but on the kind of network we're talking about, you probably won't be able to make an outbound HTTPS connection at all if you're not going via the required security infrastructure with an appropriate corporate-issued cert.
You're checking your personal email on your work computer? Your employer can see that. One way would be through screen recording. But even without screen recording, your employer can install its own certificates. Chrome at least ignores certificate pinning if there are custom installed local certificates.
If you're on a personal device (e.g. your personal phone) on a work wifi, you're secure whether or not certificate pinning is used.
So I don't really see any situation in which certificate pinning will help you. The purpose of certificate pinning is to protect against malicious regular root CAs. It's not to protect against your employer or anyone else who can install custom root CAs on your machine, because they could also install malware that steals data directly from Chrome.
>Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor.