I connect to the internet using my company's Wi-Fi and Tor. Can they still see the websites I visit?
-
21) Are you using a company computer? They could have some logging software installed 2) In which jurisdiction are you? – CodesInChaos Aug 12 '14 at 10:26
-
1In the future, please do more research before asking, and show us in the question what research you've done. Your question is covered well by other questions with the [tag:tor] tag. See, e.g., http://security.stackexchange.com/q/1057/971 and http://security.stackexchange.com/q/27845/971. – D.W. Aug 13 '14 at 18:01
-
3I propose to reopen this question. It specifically asks about using Tor at workplace and the answers nicely describe the problems specific to this environment, especially use of computers which are managed by somebody else. This important part of the question is not covered by any of the questions which are considered duplicates. – Steffen Ullrich Dec 12 '16 at 16:44
3 Answers
First:
- Don't use work computers for personal use, people!
Many network policies forbid personal use. Our policy states that personal use is not forbidden but is monitored. If you don't want to be monitored you need to use equipment you control.
TL;DR: If you don't want your parents to know you smoke, don't smoke in front of your parents.
Work Equipment
If you are using a work computer, yes, if they want to, they can monitor everything you do. All they have to do is install software on your computer (which is actually their computer) which logs all web browsing activity.
If I caught someone using Tor in my organisation (absent special permission) I would fire them on the spot, for violating half a dozen policies, including circumventing our protections against data exfiltration, required both by data protection law and our agreements with our customers.
Own equipment
If the equipment is owned and controlled by you, I am wondering why they have given you permission to connect it to the network.
If you don't have permission, then again, that is grounds for termination.
If you have permission
If you are using your own equipment, and you have permission to connect to the network, (for example the company supplies visitor Wi-Fi as a courtesy, and allows staff to use this) then you are in the same position as when you use a hotel, coffee shop, or fast-food restaurant Wi-Fi, and there is then nothing special you need to know.
So what should you do?
If you want to e.g. email your doctor about your cancer diagnosis without alerting your employer, you should do it from your smartphone, using the data connection.
- 3,697
- 1
- 18
- 24
-
1Note: I am explaining the *why* as well as the *how*: *why* the employer will want to do this, and *why* you should not try to circumvent their policies, and *how* to achieve what you want (privacy, presumably) without doing so. – Ben Aug 12 '14 at 16:18
-
1Really great point mentioning why circumvention is a huge liability for employers. – Joel B Aug 12 '14 at 16:19
-
"wondering why they have given you permission to connect it to the network" why do you feel this is a bad thing? Many companies are embracing BYOD. – simonzack Aug 13 '14 at 02:42
-
2+1 how stupid can people be. Use a smartphone with data service for your personal communications from work. – R.. GitHub STOP HELPING ICE Aug 13 '14 at 03:15
-
5
-
5This answer is a great reason why questions should be formulated neutrally. It's fine to advice someone of best practices but from a technical point of view half the answer is off-topic. – musiKk Aug 13 '14 at 08:44
-
1@simonzack I have never seen a place that is security conscious and allows BYOD with sensitive information on the network. BYOD is fine if you have a "public" network people connect to, but that network should not have any open access to sensitive customer information (to access sensitive info you go through a DPI firewall or use a secure app ect.). But that setup is the exact situation Ben was talking about in the *"If you have permission"* section where using Tor is fine as it is a "public" network. – Scott Chamberlain Aug 13 '14 at 18:02
Generally speaking No. Assuming:
You follow Tor's best practices
Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser.
so if it's not setup correctly things can still leak like DNS requests for example.
You are using a private computer (or at least one the company doesn't control). If they are admins on your computer they could install VNC or some logging software that will record your actions regardless of what software you use.
- 4,178
- 2
- 21
- 23
-
34The workplace can detect that he is using Tor though. Which might be worse than them knowing where he is browsing. – Taemyr Aug 12 '14 at 12:00
-
10@Taemyr "If only suspicious activity is private, privacy becomes suspicious." – Luc Aug 13 '14 at 08:54
-
3Your workplace has the right to restrict what software you use on work computers and the work network. Don't be surprised if you're told to stop using Tor entirely. – Blazemonger Aug 13 '14 at 15:27
-
-
1@Pacerier What you are doing is probably not so bad as what you could be doing. When all the employer sees is that you are using TOR he is left to guess. – Taemyr May 26 '15 at 02:39
-
@Taemyr, They need to be re-educated then. There's nothing wrong with keeping to tor for all connections. – Pacerier May 26 '15 at 04:26
-
@Pacerier At the very least it will bypass the companies data transfer limitations. – Taemyr May 26 '15 at 07:03
-
1@Taemyr, What do you mean? Tor doesn't bypass data transfer limits. The limits are still there. – Pacerier Jul 02 '15 at 09:03
-
@Pacerier Difficult to enforce when the system can not detect that you are connecting to e.g. dropbox. – Taemyr Jul 02 '15 at 09:10
-
1@Taemyr, It doesn't need to detect. It could just limit the bandwidth for the "total connection" regardless of where they connect to. – Pacerier Jul 04 '15 at 23:27
-
@Pacerier I am not referring to the amount of data that is transferred. I am referring to a corporations need to control what and how data is transferred. – Taemyr Jul 06 '15 at 07:14
You should be aware that Windows allows administrators to run scripts on any computer that connect to the local Windows domain, so if you login to the domain, the admin controls your computer.
The same is potentially true by just connecting to the network. This is the untrusted network threat model, which is almost impossible to protect against unless your computer sends 100% encrypted traffic - which it doesn't. One unencrypted auto-update request, from Microsoft or some other vendor, gives anyone in control of your network the ability to install any code they want on your computer.
- 1,313
- 9
- 10
-
2"just connecting to the network" won't allow them to run code on your computer. That's what we call an RCE and is considered a security vulnerability if software allows it. Sysadmins can only run scripts on Windows remotely because the system was connected to the active directory by an administrator earlier; you can't just run code on anyone connected to your WiFi network. That would be, well, either lots of fun or hell, depending on which end you're on. – Luc Aug 13 '14 at 09:00
-
1Untrusted network threat model allows it, because so much software updates over unencrypted channels. Even Microsoft updates were unencrypted until recently. For example 'http:// microsoft.com /update' gets switched by the proxy to whatever EXE you want, then you own the computer. – Jeff-Inventor ChromeOS Aug 13 '14 at 09:05
-
5@Jeff-InventorChromeOS actually Windows updates have to be signed by Microsoft for them to install. – kinokijuf Aug 13 '14 at 14:56
-
-
2http://www.symantec.com/connect/blogs/w32flamer-microsoft-windows-update-man-middle “Hijacking Windows Update is not trivial because updates must be signed by Microsoft.” – kinokijuf May 05 '15 at 08:49