The company I work for has a strict policy of no direct outbound connections from the corporate network. This is to prevent (or just make harder) for compromised machines from "phoning home".
This has the unfortunate side effect that all internet traffic must go through a proxy, they have to MiTM SSL traffic.
I just use my smartphone's data for any personal internet browsing.
Well you don't have to MITM SSL in order to proxy it, it can be done in other ways. They probably choose to do so in order to see the details of the request.
Correct, the firewall intercepts all traffic looking for potential compromises and blocks it. Given all these corporations getting hacked, such measures seem necessary.
Conclusion does not follow from premise. Once an attacker's code is running on machines that have access to sensitive data, you've already lost - there's no way to prevent it smuggling the data out in legitimate-looking requests. The right way is to stop the bad stuff getting in in the first place.
Not all attacks are perfect. It's true that an attacker can potentially do anything once in control of machines with sensitive data, but it doesn't mean that all hope is lost. If an intrusion detection system catches some x% of potential threats, it can easily be worth it.
The goal is to slow them down, put as many barriers as possible allowing higher chances of detecting them. Intercepting and blocking known "phone home" messages is one way to slow them down.
btw, I took a look at google's cert in my corp network and we are getting the real one from google, so my corp is not MiTM SSL traffic from some sites right now.
What does your company do if you have to access a TLS site which uses client certificates for authentication? AFAIK, client certificates don't work when there's a MITM on the TLS traffic, since the MITM proxy doesn't have a way to produce a client certificate that will be accepted by the server.
It's called defence in depth. If you can prevent 99% of malware infections and can prevent 75% of malware from phoning home, you have a 99.75% confidence (1 in 400) of not having a data leak due to a compromised machine. That's 4 times better than only preventing infections.
The line between what computing should be done on what device is blurry in both directions -- it's not just "people do personal computing on corporate devices". It'd be a bit strange to hear a boss tell me to never browse Amazon or Hacker News during lunch.
I think it's wise to assume corporate-owned devices are just that: 0wned by corporations.
I use my work laptop all the time for a variety of things, but I do so under the assumption that the company may be snooping on me. (No idea if they are or not.)
Exactly. It's a work machine, used for doing work. I don't do private/personal/secure things on it, as it's not my personal computer. Browsing HN or w/e isn't really a private activity, so I don't mind it being snooped.
This has the unfortunate side effect that all internet traffic must go through a proxy, they have to MiTM SSL traffic.
I just use my smartphone's data for any personal internet browsing.