by angdis 3811 days ago
OK, but what about email read/composed on my personal gmail account using a work computer? When you say "personal email" do you mean @company.com email, or do you mean _any_ personal email as long as it is read/composed on a company machine?

Is it safe to assume that the only way that that (or any https content) can be captured is by keylogging or some kind of desktop capture?

3 comments

> Is it safe to assume that the only way that that (or any https content) can be captured is by keylogging or some kind of desktop capture?

No, plenty of corporate firewalls provide HTTPS MITM by installing their own root certificate and making client machines trust it. HTTPS certificate pinning as it's implemented in most browsers specifically allows this behavior by not checking pinned certificates if the root certificate is in the computer's private keystore (vs. system keystore) because it's assumed the private keystore is full of only certificates the user or machine owner wants to always trust.

Personal == Yours.

Any forensic analysis of a PC/Laptop or look at proxy logs will show your connectivity to a personal email account. In a discovery scenario, all that needs to be done is to present a pattern where personal mail was used for business in the company. (I guarantee that is happening somewhere)

It's one of these scenarios where it isn't a problem, until it is.
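To make the pinning rule in the reply above concrete, here is an added example (not code from the thread or from any browser) that models the browser's decision and a defender-side check that flags what the browser silently accepts. The root-store names, chains and pin values are constructed; real browsers pin the SPKI hash rather than the whole-certificate hash used here.

```python
import hashlib
import socket
import ssl

# Constructed sample stores (assumed, not from the thread): the OS/browser
# public root list, and a root that IT pushed into the machine's local store.
PUBLIC_ROOTS = {"CN=DigiCert Global Root G2", "CN=GlobalSign Root CA"}
LOCAL_ROOTS = {"CN=ACME Corp TLS Inspection CA"}

def fingerprint(der: bytes) -> str:
    """SHA-256 over the whole certificate (browsers pin the SPKI instead)."""
    return hashlib.sha256(der).hexdigest()

def evaluate(host, chain, pins):
    """chain: leaf-first list of {"subject", "issuer", "der"} dicts.
    Returns (verdict, anchor) using the rule from the thread: pins are only
    enforced when the chain anchors in the public store, never for a root
    that was added to the machine's local/private store."""
    root_name = chain[-1]["issuer"]
    if root_name in LOCAL_ROOTS:
        anchor = "local"
    elif root_name in PUBLIC_ROOTS:
        anchor = "public"
    else:
        return "untrusted", None
    expected = pins.get(host)
    if expected and anchor == "public" and fingerprint(chain[0]["der"]) not in expected:
        return "pin_failure", anchor
    return "ok", anchor

def intercepted(host, chain, pins):
    """Defender's view: report a connection as intercepted when the chain
    anchors locally OR the leaf does not match the site's known pin."""
    _, anchor = evaluate(host, chain, pins)
    expected = pins.get(host)
    leaf_mismatch = bool(expected) and fingerprint(chain[0]["der"]) not in expected
    return anchor == "local" or leaf_mismatch

def live_leaf_issuer(host, port=443):
    """Fetch the issuer of a real server's leaf certificate; compare it to the
    CA you expect for that site to spot an inspection proxy. Not used offline."""
    ctx = ssl.create_default_context()  # may reject a local root Python does not trust
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["issuer"])

# Constructed sample chains and pin set for a hypothetical mail host.
GENUINE = [{"subject": "CN=mail.example.com", "issuer": "CN=DigiCert TLS RSA CA", "der": b"genuine-leaf"},
           {"subject": "CN=DigiCert TLS RSA CA", "issuer": "CN=DigiCert Global Root G2", "der": b"intermediate"}]
PROXIED = [{"subject": "CN=mail.example.com", "issuer": "CN=ACME Corp TLS Inspection CA", "der": b"proxy-leaf"}]
PINS = {"mail.example.com": {fingerprint(b"genuine-leaf")}}
```

`evaluate` returns "ok" for the proxied chain exactly as a browser would, while `intercepted` still flags it because the anchor lives in the local store.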

Thanks guys, that helps me to understand. This stuff is usually explained either as utterly vague blanket advice or in technical shorthand terms. I think it is really important for people who might barely even know what https is to understand how and why the security of it is limited.