
I have a company-owned laptop used for work. In the past I have used this company PC to log in to websites with sensitive financial data (Vanguard, PayPal, Mint, etc.).

A few months ago I learned that my employer scans HTTPS traffic using a MITM intercept.

The HTTPS connection doesn't report any errors, as a custom certificate authority has been installed by my employer. This is most noticeable when examining certificate details, as my employer is listed as the verifying party on most sites [1].

Certificate authority from my employer

Initially I hadn't realized my web traffic was being interpreted, as neither Google Chrome nor Internet Explorer had reported any HTTPS authentication errors. Firefox was the only browser to report any security issues [2].

While I don't expect my employer to intentionally snoop over my personal information, I am a bit wary about using my company's network [3] to access sensitive bank information.

Is it safe to log in to financial websites from a work computer?


Notes:
1: Financial sites like PayPal list Symantec Corporation as the verifying CA, rather than my employer. Whether Symantec can be trusted is another question entirely...
2: After updating to Firefox 55.0.3, the browser no longer reports authentication errors on my work PC.
3: Our company wifi uses WPA-2 Enterprise with AES encryption.

Stevoisiak
  • Short answer: no. Anyone with access to the proxy logs has access to the data you send – schroeder Sep 22 '17 at 16:14
  • Many companies will exclude banking sites from their MITM proxy for exactly this reason - they don't want the liability of snooping on your account. If you use a small bank, browse to a large bank site and see if it's direct. If it is, talk to your company about adding your financial institutions to the whitelist. – gowenfawr Sep 22 '17 at 16:51
  • @schroeder I’m not sure why this was marked as a duplicate. They seem like related questions, but not dupes – Stevoisiak Sep 22 '17 at 16:58
  • Based on Note #1, it looks like financial sites are excluded. If the bank shows some 3rd party CA, it's as secure as from home... – vidarlo Sep 22 '17 at 19:35
  • @StevenVascellaro is basically what you are asking, and the accepted answer answers your question directly – schroeder Sep 23 '17 at 11:21
  • You probably shouldn't use your work computer and network for anything other than your actual job. Even if you resolved the technical aspects of privacy and security, they could still fire you because you simply didn't work. If I were you, I would do my banking and e-mails with my phone set as hotspot. Mobile carriers are known to intercept HTTP, but not anything else. And you could even set up a VPN. – user49760 Nov 18 '17 at 14:20
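
An added example, not part of the original question or its comments: a Python sketch of the issuer check described above, which reports for each site whether the certificate your machine accepts was issued by the employer's interception CA or by a public CA. The name `Example Employer Inc`, the hostnames and the sample certificates are constructed placeholders.

```python
import socket
import ssl
import sys

# Assumption: the organization name on the employer's interception CA.
# "Example Employer Inc" is a placeholder; use the name your browser shows.
INTERCEPT_CA_NAMES = {"Example Employer Inc"}

def issuer_fields(peercert):
    """Flatten the nested RDN tuples of ssl.getpeercert()['issuer']."""
    return {key: value for rdn in peercert.get("issuer", ()) for key, value in rdn}

def classify(peercert, intercept_names=INTERCEPT_CA_NAMES):
    """Return (verdict, issuer name) for one validated leaf certificate."""
    issuer = issuer_fields(peercert)
    org = issuer.get("organizationName", "")
    cn = issuer.get("commonName", "")
    wanted = {name.casefold() for name in intercept_names}
    hit = org.casefold() in wanted or cn.casefold() in wanted
    return ("intercepted" if hit else "direct", org or cn or "<unnamed issuer>")

def fetch_peercert(host, port=443, timeout=5):
    """Handshake using the machine's trust store and return the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(hosts, fetch=fetch_peercert):
    """Map each host to (verdict, detail); failed handshakes become 'error'."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(fetch(host))
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            results[host] = ("error", str(exc))
    return results

# Constructed sample certificates in getpeercert() shape, for offline use.
SAMPLE_CERTS = {
    "intranet.example": {"issuer": ((("organizationName", "Example Employer Inc"),),
                                    (("commonName", "Example Employer Proxy CA"),))},
    "bank.example": {"issuer": ((("countryName", "US"),),
                                (("organizationName", "Symantec Corporation"),))},
}

if __name__ == "__main__":
    hosts = sys.argv[1:]
    report = audit(hosts) if hosts else audit(SAMPLE_CERTS, fetch=SAMPLE_CERTS.__getitem__)
    for host, (verdict, detail) in report.items():
        print(f"{host:30} {verdict:12} {detail}")
```

The issuer name is only a label chosen by whoever created the CA, so a "direct" verdict is a hint rather than proof. Comparing the certificate fingerprint with one recorded on a network you control is the stronger check.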
