by nine_k 2247 days ago
Didn't you notice that monitoring all internal traffic is desirable in most companies, and sometimes is a compliance requirement? Didn't you notice that company-wide root certs were being pushed by corporate OS / browser policies for years, if not decades?

I really fail to see a point here. Can you please mention a compelling case?

> Didn't you notice that monitoring all internal traffic is desirable in most companies

No, I did not. Sorry. Just because it's popular does not mean it should be implemented.

Also, doesn't HTTP content make the whole monitoring crap easier? Sigh.

There are many BYOD companies; it's uncivil to monitor other people system-wide.

Lastly, encrypting with TLS and then MITM-decrypting is not carbon friendly. It's such a retarded waste of energy. Might just allow a directive in CSP to force downgrade everything to HTTP. Problem solved.

In every company in the US where I ever worked, my contract explicitly stated that all communications from company-provided devices belong to the company. I very much see the point. For private communication, use your own device and a guest network, a setup also seen everywhere. I haven't seen a BYOD setup that would allow whatever you please on the corp network. Did you? What industry was it? Genuinely curious; I believe a lot of things exist that I'm not aware of.

> doesn't HTTP content make the whole monitoring crap easier?

Not really. HTTPS remains encrypted where servers reject a downgrade, but an intruder can potentially force a downgrade in something misconfigured and snoop something important without having the root key.

> not carbon friendly

I suspect that switching off some of the endless lights in offices when sunlight more than suffices would have a seriously larger energy-saving impact.

> I haven't seen a BYOD setup that would allow whatever you please on the corp network.

You are right, there are rules, like the custom TLD is for authorized LAN users only. A publicly resolvable address is risky because the domain has a traceable ownership and identity; it relies on unnecessary external authorities.

For the migration I am considering deploying a company-wide cert. But I am also frustrated because browsers shouldn't dictate the kind of intranet structure we use.

If we still believe the Web should remain open, let the browsers behave more neutrally.

Most (if not all) companies that push a system wide root certificate do not allow you to BYOD for the same reason they install that root certificate.

> companies that push a system wide root certificate

I wish those companies good luck, and I wish an open Web moves away from those companies as far as possible. If browser vendors want to kiss corporate ass, then I vote by uninstalling them.