by lwheelock 2762 days ago
Not necessarily, it depends on the egress architecture. There are ways to do corporate monitoring that cannot be done by your ISP.

Web content filters (aka Proxies) in a transparent mode deployment that are not performing TLS interception would not be able to monitor these queries if wrapped in TLS.

However, an explicit mode deployment and all 80/443 traffic enforced by an egress firewall through the proxy that was performing TLS interception can still monitor this traffic. In fact, even if you’re not brokering TLS, the GET method described can still leak the query (but not response) unless your client uses tunneling (i.e. the CONNECT method).

ISPs can’t force you to use an explicit proxy, but corporations can.
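As an added illustration of the explicit-proxy point above (example code written for this page, not from the thread or any commenter): a small Python model of what an explicit proxy can log from the client's request line alone, without TLS interception. An absolute-form GET hands the proxy the full URL including the query; a CONNECT tunnel hands it only host and port. The request lines are constructed samples.

```python
"""What an explicit HTTP proxy can observe from the request line, with no
TLS interception. Absolute-form GET exposes host, path and query to the
proxy (even for an https URL); CONNECT exposes only host:port, and the
rest travels inside the TLS session. Sample request lines are constructed."""
from urllib.parse import urlsplit


def proxy_visible(request_line: str) -> dict:
    """Parse the first line of a request to an explicit proxy and return
    only the fields the proxy can log without breaking TLS."""
    method, target, _version = request_line.strip().split(" ", 2)
    if method == "CONNECT":
        # Authority-form target "host:port". After replying 200 the proxy
        # relays opaque bytes, so path and query never reach its logs.
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host, "port": int(port),
                "path": None, "query": None}
    # Absolute-form target: the proxy must parse the whole URL to forward
    # the request, so everything in it is visible to the proxy.
    u = urlsplit(target)
    return {"method": method, "host": u.hostname,
            "port": u.port or (443 if u.scheme == "https" else 80),
            "path": u.path, "query": u.query}


def leaks_query(request_line: str) -> bool:
    """True when the query string would appear in the proxy's logs."""
    return bool(proxy_visible(request_line)["query"])


# Constructed sample request lines as a client would send them to an
# explicit proxy (the second shows an https URL sent without CONNECT).
SAMPLES = [
    "GET http://search.example/q?term=salary+negotiation HTTP/1.1",
    "GET https://search.example/q?term=salary+negotiation HTTP/1.1",
    "CONNECT search.example:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", proxy_visible(line))
```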

That is a challenge for us as well. Many of our partners use MitM proxies, but our privacy, compliance and legal teams will not approve the usage of them. We promote a work-life balance which means we allow people to use work resources for personal use. Culturally, that is great. It does create this conundrum however. The company does not want to be liable for intercepting personal and financial data that does not belong to us.

I know your pain. This is a big issue especially with GDPR kicking in.

Security teams have competing directives.

Board & Investors: “Prevent customer data exfiltration”

Privacy / Legal: “Employee activity monitoring violates our regulatory obligations”

HR: “BYOD is essential to talent retention, cultural comfort, and workforce optimization”

Employees: “I refuse to use VDI or Jump Hosts”

> We promote a work-life balance which means we allow people to use work resources for personal use.

Personally I think that is foolish and naive. Not just from privacy perspective but also liability and tax reasons.

Postmen don't get to use the vans for personal errands, factory workers aren't permitted to run the machines to make t-shirts for themselves. Why are IT resources considered differently?

If you want to permit WLB then tell employees that they are free to use their personal smartphones and 4G plans.

I agree with you. It's just the cards I am dealt.