[eli]

I don't think it is intended to be undetected. Plenty of large organizations use security appliances that MITM all traffic. Though I'd prefer they do it by pushing their own BigCo certificate to the boxes they own than relying on a cert that exists in all copies of Windows.

[jessaustin]

They want people to be able to BYOD and not know what's going on. (I'm sure that most employees were informed in some opaque memo, but that only goes so far.) "Our shared network works best with Microsoft phones." Hey, this is a new marketing effort for all those crap Lumias they're trying to unload!

[MichaelGG]

So you're positing that Microsoft is going to intentionally destroy their TLS-CA verification system so any company can compromise any Windows device in the name of BYOD, without explicit action from the user?

[jessaustin]

As we've been told many times, "it ain't a bug it's a feature". Sure, you and I don't want to tell the DLP guys our bank passwords, but most people already don't care. It's not feasible anymore to just block TLS, and supporting client proxy config is so tedious.

[MichaelGG]

Think about how it'd have to work. By including a "compromised" cert that any company can get use, and that every Windows customer trusts, the CA system would be entirely destroyed. Microsoft wouldn't do that - it makes zero sense. Cisco might have something that having a CA for makes easier, but including a MITM cert in every Windows install is not close to reality.

[e12e]

I'm not so sure. Before the "encryption fad" most traffic would go unencrypted to a Cisco device (router, switch, proxy, vpn concentrator (the inside of the network)) anyway.

As far as I know, The US has almost non-existent privacy laws when it comes to what corporations are allowed to do/demand to do to their employees through contracts wrt. traffic on company equipment.

Forcefully and silently intercepting traffic on employee networks would AFAIK be illegal in most of Europe.