It doesn't MITM anything. Do you see that as normal? Because I don't. We're adults here and I'm a tech guy, there's zero reason to control anything in my laptop.
In fact it's just a regular laptop that I fully control and installed from scratch, straight out of Apple's store. As all my company laptops have been.
And if it was company policy I would refuse indeed. I would probably not work there in the first place, huge red flag. If I really had to work there for very pressing reasons I would do zero personal browsing (which I don't do anyways).
Not even when I was an intern at random corpo my laptop was MITMed.
My work laptop has a CA from the organization installed and all HTTP(S) traffic is passed through a proxy server which filters all traffic and self-signs all domains with its' CA. It's relatively common for larger organizations. I've seen this in govt and banking.
To provide a European/Dutch perspective: I’m pretty sure that as a small employer myself, I am very much disallowed from using those mechanisms to actually inspect what employees are doing. Automated threat/virus scanning may be a legal gray zone, but monitoring-by-default is very much illegal, and there have been plenty of court cases about this. It is treated similarly to logging and reading all email, Slack messages, constantly screenrecording, or putting security cameras aimed at employees all day long. There may be exceptions for if specific fraud or abuse is suspected, but burden of proof is on the employer and just monitoring everyone is not justifiable even when working with sensitive data or goods.
So to echo a sister comment: while sadly it is common in some jurisdictions, it is definitely not normal.
I'm literally working for a local govt agency (via contracting company). I'm not sure that anything is being actively monitored so much as it's' blocking a number of sites (anything AI), upload sites, etc. As well as blocking POST actions to non-whitelisted sites/apps.
I've also seen similar configurations in Banking environments having done work for three major banking establishments over the years. The exception was when I was on a platform security team that managed access controls. Similarly at a couple of large airlines.
I know it's common, but I don't think it's "normal" even if it has been "normalized". I wouldn't subject myself to that. If my employer doesn't trust me to act like an adult I don't think it's the place for me.
I could maybe understand it for non-tech people (virus scanning yadda yadda) but for a tech person it's a nuisance at best.
So you want to double the infrastructure surface to provide a different route for access for developers which may be a tiny portion of users in an organization? That's privilege right there.
Edit: I'm not saying I like it this way... but that's what you get when working in a small org in a larger org in a govt office. When I worked in a security team for a bank, we actually were on a separate domain and network. I generally prefer to work untrusted, externally and rely on another team for production deployment workflows, data, etc.
I'm lucky to be a dev both by trade and passion. I like my job, it's cozy, and we're still scarce enough that my employer and I are in a business relationship as equals: I'm just a business selling my services to another business under common terms (which in my case include trusting each other).
Using an employer-issued computer for anything but work for that employer is foolish, for a multitude of legal and other reasons. Privacy is just one of them.
> So... do you refuse to use the laptop supplied by your employer?
For things other than work for my employer? Yes.
And work stuff doesn't touch my personal equipment, with the exception that I can connect to the company VPN from my personal laptop to remote to a work machine if I need to do DayJob work remote in an emergency when I don't have the company laptop with me.
> It does MITM between you and the HTTPS websites you browse.
My employer doesn't. Many don't.
Of course many do, but that is them controlling what happens on their equipment and they are usually up front about it. This is quite different to an ISP, shady WiFi operator, or other adversarial network node, inspecting and perhaps modifying what I look at behind my back.
This is still not that common but I used to work on a commercial web proxy that did exactly this. The only way it works is if the company pushes out a new root certificate via group policy (or something similar) so that the proxy can re-encrypt the data. Users can tell that this is being done by examining the certificate.
But this is mostly a waste of time, these days companies just install agents on each laptop to monitor activity. If you do not own the machine/network you are using then don’t visit sites hat you don’t want them to see.
It doesn't MITM anything. Do you see that as normal? Because I don't. We're adults here and I'm a tech guy, there's zero reason to control anything in my laptop.
In fact it's just a regular laptop that I fully control and installed from scratch, straight out of Apple's store. As all my company laptops have been.
And if it was company policy I would refuse indeed. I would probably not work there in the first place, huge red flag. If I really had to work there for very pressing reasons I would do zero personal browsing (which I don't do anyways).
Not even when I was an intern at random corpo my laptop was MITMed.
My work laptop has a CA from the organization installed and all HTTP(S) traffic is passed through a proxy server which filters all traffic and self-signs all domains with its' CA. It's relatively common for larger organizations. I've seen this in govt and banking.
To provide a European/Dutch perspective: I’m pretty sure that as a small employer myself, I am very much disallowed from using those mechanisms to actually inspect what employees are doing. Automated threat/virus scanning may be a legal gray zone, but monitoring-by-default is very much illegal, and there have been plenty of court cases about this. It is treated similarly to logging and reading all email, Slack messages, constantly screenrecording, or putting security cameras aimed at employees all day long. There may be exceptions for if specific fraud or abuse is suspected, but burden of proof is on the employer and just monitoring everyone is not justifiable even when working with sensitive data or goods.
So to echo a sister comment: while sadly it is common in some jurisdictions, it is definitely not normal.
I'm literally working for a local govt agency (via contracting company). I'm not sure that anything is being actively monitored so much as it's' blocking a number of sites (anything AI), upload sites, etc. As well as blocking POST actions to non-whitelisted sites/apps.
I've also seen similar configurations in Banking environments having done work for three major banking establishments over the years. The exception was when I was on a platform security team that managed access controls. Similarly at a couple of large airlines.
I know it's common, but I don't think it's "normal" even if it has been "normalized". I wouldn't subject myself to that. If my employer doesn't trust me to act like an adult I don't think it's the place for me.
I could maybe understand it for non-tech people (virus scanning yadda yadda) but for a tech person it's a nuisance at best.
So you want to double the infrastructure surface to provide a different route for access for developers which may be a tiny portion of users in an organization? That's privilege right there.
Edit: I'm not saying I like it this way... but that's what you get when working in a small org in a larger org in a govt office. When I worked in a security team for a bank, we actually were on a separate domain and network. I generally prefer to work untrusted, externally and rely on another team for production deployment workflows, data, etc.
Indeed I'm quite privileged.
I'm lucky to be a dev both by trade and passion. I like my job, it's cozy, and we're still scarce enough that my employer and I are in a business relationship as equals: I'm just a business selling my services to another business under common terms (which in my case include trusting each other).
Using an employer-issued computer for anything but work for that employer is foolish, for a multitude of legal and other reasons. Privacy is just one of them.
> So... do you refuse to use the laptop supplied by your employer?
For things other than work for my employer? Yes.
And work stuff doesn't touch my personal equipment, with the exception that I can connect to the company VPN from my personal laptop to remote to a work machine if I need to do DayJob work remote in an emergency when I don't have the company laptop with me.
> It does MITM between you and the HTTPS websites you browse.
My employer doesn't. Many don't.
Of course many do, but that is them controlling what happens on their equipment and they are usually up front about it. This is quite different to an ISP, shady WiFi operator, or other adversarial network node, inspecting and perhaps modifying what I look at behind my back.
This is still not that common but I used to work on a commercial web proxy that did exactly this. The only way it works is if the company pushes out a new root certificate via group policy (or something similar) so that the proxy can re-encrypt the data. Users can tell that this is being done by examining the certificate.
But this is mostly a waste of time, these days companies just install agents on each laptop to monitor activity. If you do not own the machine/network you are using then don’t visit sites hat you don’t want them to see.