Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?

New submitter Matt.Battey writes "I was recently on-site with a client and in the execution of my duties there, I needed to access web sites like Google Maps and my company's VPN. The VPN connection was rejected (which tends to be common, even though it's an HTTPS based VPN service). However, when I went to Google Maps I received a certificate error. It turns out that the client is intercepting all HTTPS traffic on the way out the door and re-issuing an internally generated certificate for the site. My client's employees don't notice because their computers all have the internal CA pushed out via Windows Group Policy & log-on scripts.

In essence, my client performs a Man-In-The-Middle attack on all of their employees, interrupting HTTPS communications via a network coordinated reverse-proxy with false certificate generation. My assumption is that the client logs all HTTPS traffic this way, capturing banking records, passwords, and similar data on their employees.

My question: How common is it for employers to perform MITM attacks on their own employees?"

Re:Not MITM

[Anonymous Coward]

Oh the end-user was undoubtedly notified of it, probably somewhere at the bottom of their contract, in tiny writing, after the section about the lavatory and in a sentence beginning with "Beware of the leopard".

Beware of the leopard^W lion^w mavericks

[tepples]

and in a sentence beginning with "Beware of the leopard".

I don't see why the contract has to declare the version of Apple BSD on which the trusted proxy runs. Otherwise, they'd need to get everyone to sign off on "Beware of the mavericks".

Re:Very Common

[cheesybagel]

Let me guess. Your corporation has an 'exception' to the professional conduct guidelines when management computers are involved.