by Spooky23 3808 days ago
Actually, the chill employer is the most dangerous.

Even if your employer is fine with personal use, courts will rule that it's all in scope during a discovery phase. I've been involved in litigation scenarios where people's personal email ended up being sifted through by the other litigant because opposing counsel convinced the judge that business was being conducted there, and there was evidence of frequent access on a corporate device.

All of your protections from a legal point of view are really defined by custody and scope of control. Data stored on your device in your home is the most protected. Data stored on your employer's PC or file server on your employer premises is the least protected.


OK, but what about email read/composed on my personal gmail account using a work computer? When you say "personal email" do you mean @company.com email, or do you mean _any_ personal email as long as it is read/composed on a company machine?

Is it safe to assume that the only way that that (or any https content) can be captured is by keylogging or some kind of desktop capture?

> Is it safe to assume that the only way that that (or any https content) can be captured is by keylogging or some kind of desktop capture?

No, plenty of corporate firewalls provide HTTPS MITM by installing their own root certificate and making client machines trust it. HTTPS certificate pinning as it's implemented in most browsers specifically allows this behavior by not checking pinned certificates if the root certificate is in the computer's private keystore (vs. system keystore) because it's assumed the private keystore is full of only certificates the user or machine owner wants to always trust.
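As an added illustration of the point above (not code from the thread or from any browser), the Go program below, using only the standard library, issues a constructed "public" root and a constructed "corporate proxy" root, has each sign a certificate for the same host name, and then shows that ordinary trust-store validation accepts the proxy-issued chain as soon as the proxy root is in the store, while a pin on the genuine server's public key does not. All names and certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)
// makeCert issues a throwaway certificate for cn; with parent == nil it is a self-signed root CA.
func makeCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign the root
	} else {
		tmpl.DNSNames = []string{cn} // a leaf names the server it is issued for
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a certificate pin is compared against.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}
// interceptionDemo issues a genuine chain and a proxy-issued chain for the same host name and reports whether
// a trust store holding the proxy root accepts the proxy chain, and whether a pin on the genuine server key does.
func interceptionDemo() (storeAccepts, pinAccepts bool) {
	publicRoot, publicKey := makeCert("Public Root CA (constructed)", nil, nil)
	genuine, _ := makeCert("mail.example.com", publicRoot, publicKey)
	corpRoot, corpKey := makeCert("Corp Proxy Root (constructed)", nil, nil)
	intercepted, _ := makeCert("mail.example.com", corpRoot, corpKey)
	store := x509.NewCertPool() // the machine's trust store after the proxy root was pushed to it
	store.AddCert(corpRoot)
	_, err := intercepted.Verify(x509.VerifyOptions{Roots: store, DNSName: "mail.example.com"})
	// The pin comparison is the check browsers waive when the trusted root was added locally.
	return err == nil, spkiPin(intercepted) == spkiPin(genuine) // (true, false)
}
```

Path validation only asks whether the chain ends in a trusted root, so a pushed-out proxy root is enough; only a check bound to the expected key, which browsers skip for locally installed roots, tells the two chains apart.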

Personal == Yours.

Any forensic analysis of a PC/Laptop or look at proxy logs will show your connectivity to a personal email account. In a discovery scenario, all that needs to be done is to present a pattern where personal mail was used for business in the company. (I guarantee that is happening somewhere)

It's one of these scenarios where it isn't a problem, until it is.

Thanks guys, that helps me to understand. This stuff is usually explained either as utterly vague blanket advice or in technical shorthand terms. I think it is really important for people who might barely even know what https is to understand how and why the security of it is limited.