by dekz 5083 days ago
So the proxy server acts as a forced man in the middle? This has to be one of the most atrocious things I have ever experienced. Forcing a man in the middle is insane, especially in a large company where there may well be a lack of competency.

HTTPS shouldn't magically appear to 'work' again, considering it is completely broken when a forced mitm is introduced.


Are you arguing with me, or with reality? I can't tell, because the system I described is how corporate proxies work pretty much everywhere.

If you want privacy against the administrators of your employer, don't use your employer's network to do things that need privacy.

I don't see how my comment may be interpreted as starting an argument. I was simply replying to your comment on HTTPS just 'work'ing once you ignore the man in the middle attack. It's not privacy from an employer that is the underlying issue. It is the practice itself which should be frowned upon. People didn't spend their time trying to come up with the ability to have secure communications from point A to point B just to have someone come in and break it.

The problem isn't necessarily what the employer sees, it's what the employer might keep around.

Enterprises are making a policy decision to take advantage of the Internet security model from the border of their network outward, but to take responsibility for IP security inside their network. That is a reasonable policy decision.

But even if reasonable people could disagree about that policy decision: the reality is that people operating large corporate networks require the ability to control SSL/TLS sessions; for instance, there are whole industry verticals where accessing a private email server not controlled by your employer is grounds for automatic termination, because regulations require them to track and archive email messages.

Finally, and I'm repeating myself: I am describing the reality of most Fortune-500 enterprise networks. In most corporate networks, you cannot simply talk from your desktop out to the Internet; you are required to use a proxy. You're also almost certainly on a 10/8 IP address.

This is far more common than you might expect. You just need to push your company's internal CA to all your client computers, and bam, MITM for everything!
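The mechanism described in the comment above (push an internal CA into every client's trust store, and proxy-minted certificates for any site then verify) can be shown end to end with Go's standard library. The following is an added example, not code from the thread or from any proxy product: it constructs a stand-in "public" root, a hypothetical corporate CA, and a proxy-style leaf for the constructed hostname www.example.com, then verifies that leaf against a trust store with and without the corporate CA. The last check shows the defender's side: even when the chain verifies, pinning the expected root's fingerprint still reveals that the chain ends at a different root than it should.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs tmpl with parent (self-signed when parent == nil) and parses the result.
// Keys and certificates here are constructed for the demo only.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed root. In the demo it stands in either for a public
// root or for the hypothetical corporate CA that gets pushed to clients.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mkCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// newLeaf issues a server certificate for host under ca, the way an
// intercepting proxy does on the fly for every site a client visits.
func newLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	leaf, _ := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// CheckChain verifies leaf for host against a trust store holding only roots.
// On success it returns the SHA-256 fingerprint of the root the chain ends at,
// which is what a pinning check compares against a value recorded out of band.
func CheckChain(leaf *x509.Certificate, host string, roots ...*x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	if err != nil {
		return "", err
	}
	return Fingerprint(chains[0][len(chains[0])-1]), nil
}

// Fingerprint is the hex SHA-256 of a certificate's DER encoding.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	publicCA, _ := newCA("Public Root CA (constructed)")
	corpCA, corpKey := newCA("Example Corp Internal CA (constructed)")
	leaf := newLeaf("www.example.com", corpCA, corpKey)

	// Trust store with public roots only: the substituted chain is rejected.
	_, err := CheckChain(leaf, "www.example.com", publicCA)
	fmt.Println("public roots only :", err)

	// Internal CA pushed into the store: the same chain now verifies.
	fp, err := CheckChain(leaf, "www.example.com", publicCA, corpCA)
	fmt.Println("with internal CA  :", err)

	// Pinning still exposes it: the chain root is not the expected public root.
	fmt.Println("root matches pinned public CA:", fp == Fingerprint(publicCA))
}
```

The first CheckChain call fails with an unknown-authority error, the second succeeds, and the pin comparison prints false: that last line is the signal a client-side or endpoint-monitoring check can act on when interception is not expected on a given network.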
Yes, enterprise customers want to decrypt and inspect all traffic, for legitimate and sometimes sketchy reasons.
HIPAA requires it as far as I know, and I am sure other regulatory frameworks probably do.
HIPAA does not require traffic monitoring.