by wonderthrowaway 4064 days ago
Should one also assume that corporate guest networks (such as the ones you might be asked to connect to when offering an on-site demo) are similarly MITM-compromised?

And by "assume", I mean to say, does anyone have knowledge that this occurs?

2 comments

Yes, you probably should assume it is. The good news is that it's easily detectable. Your browser should refuse to connect to the proxy-spoofed gmail because it likely hasn't received the visited-corporation's local-spoofing-is-ok cert.

You might be encouraged by the local team -- "don't worry, just do this so you can access gmail again." It's too bad that this activity trains people to think updating your certificate store (based on directions given to you by some site in your web browser) is something that you should do to get past an error message.

> does anyone have knowledge that this occurs

If you have any doubts, click on the padlock icon using your browser. On Chrome, you can click "Connection" then "Certificate Information". It will display who the certificate was "Issued By" and "Issued To". Well-meaning eavesdropping corporations will likely confess their [or the device's manufacturer name] identity here.

There is a good article in the current 2600 paper issue describing the issue of corporate MITM and why simply looking at the certs for the current site might not be enough.
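The "Issued By" check described in the replies can also be scripted. The following is an added example, not part of the thread: it reads the issuer from the dict that Python's `ssl.getpeercert()` returns and compares it with issuer names recorded earlier on a trusted network. The names `classify_issuer`, `EXPECTED`, and both sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Handshake against the system trust store and return getpeercert()'s dict.
    Raises ssl.SSLCertVerificationError when the chain is untrusted, which is the
    'browser refuses to connect' case on a machine without the proxy's root."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_attr(name, key):
    """getpeercert() encodes a name as a tuple of RDNs, each a tuple of (key, value)."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def classify_issuer(cert, expected_orgs):
    """Return (verdict, issuer), where issuer is the O= field or, failing that, CN=."""
    issuer = cert.get("issuer", ())
    shown = name_attr(issuer, "organizationName") or name_attr(issuer, "commonName")
    if shown is None:
        return ("no-issuer-name", None)
    verdict = "expected" if shown in expected_orgs else "unexpected-issuer"
    return (verdict, shown)

# Constructed sample data in getpeercert() format (not captured from a real network).
DIRECT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
}
PROXIED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "ExampleCorp Web Gateway"),),),
}
EXPECTED = {"Example Public CA"}  # assumption: recorded earlier on a trusted network

if __name__ == "__main__":
    for label, cert in (("direct", DIRECT), ("proxied", PROXIED)):
        print(label, classify_issuer(cert, EXPECTED))
    # On a live network: classify_issuer(fetch_peer_cert("mail.example.com"), EXPECTED)
```

An issuer name is only text chosen by whoever signed the certificate, so a mismatch is stronger evidence than a match.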