Until about a year ago, I was working for one of the big tech giants. During my time there, I noticed that the IT department would do a MITM attack on any website that employees access. i.e. if you opened GMail and Facebook, and you'd click the lock button on Chrome, you'd see that the certificate is a custom certificate rather than GMail's or Facebook's certificates. They would install these certificates on all company laptops, so effectively they had the ability to read and modify any website you'd access.
So far, pretty standard Big Brother stuff, right? I'd imagine that many big corporates in the US do the same.
I mentioned this to a colleague at lunch, and he said there's no way they would MITM any banking or other financial activity, because that would be illegal. After lunch, I tried to access the bank I use for my personal account, Bank HaPoalim, and indeed he was right. The certificate was Bank HaPoalim's, so my communication with them was secure.
This leads me to believe that big corporates have a list of "banks we're not allowed to MITM". I don't know whether they all share the same list, or each have their own. They might have the same for health-related information.
Now I have a client who runs a site that handles finanical information. They want to get in that list, so their customers would be able to access them without their employers sniffing their traffic.
My question is: Where is that list? How does one request to be added to it?
