by kelnos 677 days ago
Presumably you don't trust the CA that signed the certificate on the server at the company you're visiting. As long as you heed the certificate error and don't visit the site, you're fine.

Now suppose you are a contractor who did some work for company A, then went to do some work for company B, and still have some cookies set from A's internal site.
So we’re back to trusting the user?
Use HSTS, browsers are specifically designed not to let users bypass these.
HSTS forces encryption, it has no impact on certificate invalidity, at least to my knowledge.
Visit your .internal site -> website uses TLS cert signed by root CA that is preloaded on your device. Succeeds and HSTS flag is set.

Visit other .internal site -> uses TLS cert NOT signed by root CA that is preloaded on your device -> certificate error, and cannot be bypassed due to HSTS.
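The rule the comment above relies on, as an added Python sketch that is not from the thread or any browser: a browser's HSTS host store (RFC 6797) records a policy only from a response that arrived over a cleanly validated TLS connection, and once a host is in the store a certificate error on it gets no click-through. It also shows the caveat that a second .internal host is covered only if it is the same host or a superdomain policy carries includeSubDomains. Host names and header values below are constructed.

```python
import re
import time

# Added illustration of the HSTS host store a browser keeps (RFC 6797); not browser code.
HSTS_DIRECTIVE = re.compile(r"\s*([a-zA-Z-]+)\s*(?:=\s*\"?(\d+)\"?)?\s*")

class HstsStore:
    def __init__(self, now=time.time):
        self.now = now           # clock, injectable for tests
        self.policies = {}       # host -> (expiry, include_subdomains)

    def parse_header(self, value):
        """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            m = HSTS_DIRECTIVE.fullmatch(directive)
            if not m:
                continue
            name = m.group(1).lower()
            if name == "max-age" and m.group(2) is not None:
                max_age = int(m.group(2))
            elif name == "includesubdomains":
                include_sub = True
        return max_age, include_sub

    def note_response(self, host, header_value, cert_valid):
        """Record a policy. A header seen over a connection whose certificate did
        not validate is ignored, so a host with a bad certificate cannot create one."""
        if not cert_valid:
            return False
        max_age, include_sub = self.parse_header(header_value)
        if max_age is None:
            return False
        self.policies[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a superdomain whose policy has includeSubDomains, is unexpired."""
        labels = host.split(".")
        for i in range(len(labels)):
            expiry, include_sub = self.policies.get(".".join(labels[i:]), (0, False))
            if expiry > self.now() and (i == 0 or include_sub):
                return True
        return False

    def cert_error_bypassable(self, host):
        """Browsers offer a click-through for certificate errors only on hosts NOT in the store."""
        return not self.is_known(host)
```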