Is it possible for my company to monitor my Gmail?

5

Since Gmail uses https, all the messages should be encrypted?

Here we assume my company does not have a keystroke logger or random snapshot software.

Vendetta

Posted 2012-06-08T15:34:43.723

Reputation: 1 571

13

Only if they perform a Man in the Middle attack and forge a certificate (they would sign it themselves); this is easily proven. You have to ask yourself what purpose do they have to monitor your gmail account, and if they do have a purpose, DO NOT CHECK YOUR PERSONAL EMAIL AT WORK. – Ramhound – 2012-06-08T15:40:27.147

@Ramhound How do I check if there is a Man in the Middle attack? – Vendetta – 2012-06-08T15:46:29.463

Verify who signed the certificate. – Ramhound – 2012-06-08T15:51:13.000

@Ramhound: Why? The session key is already on a computer they own, they don't need to trick you into negotiating an SSL session with their server. – Ben Voigt – 2012-06-08T21:44:05.903

Answers

4

If you are using Firefox you might want to have a look at https://addons.mozilla.org/de/firefox/addon/perspectives/, which is a quite easy-to-use add-on to detect a MitM attack which could otherwise stay undetected. This way is probably more practical than always checking the certs by hand against a list of fingerprints you collected from a trustworthy source (e.g. at home).

Note that even if your browser does not have a special certificate of your company in its list of trusted root certificates and the system is not compromised otherwise, there could be a MitM. How? At least one CA (Trustwave) has not been trustworthy in the past, by issuing an intermediate certificate to a company for questionable purposes. See http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html - There have also been successful intrusions into CAs (e.g. DigiNotar, Comodo), leading to more fraudulent certificates.

So the current trust concept in browsers is horribly broken, since there are way too many CAs that are trusted by default and one untrustworthy CA breaks the whole system. It has been proved that there is more than one CA that is not trustworthy, and nobody can predict which one is next. Perspectives is an interesting approach to circumvent the problem of a MitM with a fraudulent cert while also making the CAs' expensive certificates superfluous.

Gurken Papst

Posted 2012-06-08T15:34:43.723

Reputation: 3 874

1

They don't need a forged certificate, just a modified (possibly using a plugin) copy of the browser, with packet capture logic. Fingerprint checking won't do anything.

It's a work machine. Don't load any data onto it that you don't want your employer to have.

On some browsers, capturing encrypted packets might be as simple as changing the "don't cache HTTPS pages" configuration option and grabbing pages from the cache.

The deleted answers are especially relevant, in particular the one that points out in IE, "Do not save encrypted pages to disk" is disabled by default.

Ben Voigt

Posted 2012-06-08T15:34:43.723

Reputation: 6 052

0

Using Linux (or Cygwin under Windows), you can do this to see the cert (including the certificate chain): echo | openssl s_client -connect HOST:443. Just change HOST to mail.google.com or any other HTTPS Web site. The server certificate itself is also output in base64 form, and you can compare that to the same cert obtained from outside your company. If they match exactly, you are OK. If they differ, check the certificate chain for certificate authorities that look bogus. It doesn't necessarily mean you are being MITM'ed, but it's possible.

Keep in mind that for huge companies like Google, the server cert you get from within your company might come from a server that is geographically remote from the server you access from outside of the company. Thus, they may have different certs, but the certificate chain should contain only valid certificate authorities. If you see a suspicious certificate authority in the chain, consider not using Gmail from work.

Fran

Posted 2012-06-08T15:34:43.723

Reputation: 4 774
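The comparison Fran describes, as an added example that is not part of the answer: a Python script that parses two captures of the `openssl s_client` text (one from work, one from home), hashes the server certificate so byte-identical certs compare equal, and lists any issuer in the work chain that the home chain never showed. The `sample_output` captures and the CA names in them are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# "Certificate chain" block lines:  " 0 s:<subject>" followed by "   i:<issuer>"
CHAIN_RE = re.compile(r"^\s*\d+ s:(.*)$\n^\s*i:(.*)$", re.M)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def parse_s_client(output):
    """Return (chain, fingerprint): chain is a list of (subject, issuer) from
    depth 0 upward; fingerprint is SHA-256 over the DER of the server cert."""
    chain = [(s.strip(), i.strip()) for s, i in CHAIN_RE.findall(output)]
    m = PEM_RE.search(output)
    if not m:
        raise ValueError("no server certificate in s_client output")
    der = base64.b64decode("".join(m.group(1).split()))
    return chain, hashlib.sha256(der).hexdigest()

def compare(work_output, home_output):
    """same_cert: the 'match exactly, you are OK' case.  unknown_issuers:
    issuers seen at work but never at home; a different Google front end
    still shares issuers, whereas an interception proxy's own CA does not."""
    work_chain, work_fp = parse_s_client(work_output)
    home_chain, home_fp = parse_s_client(home_output)
    home_issuers = {i for _, i in home_chain}
    return {"same_cert": work_fp == home_fp,
            "unknown_issuers": sorted({i for _, i in work_chain} - home_issuers)}

def sample_output(issuer, root, pem_label):
    """Constructed s_client-style text (not a real capture).  The PEM block is
    a base64 placeholder, which suffices here because only its bytes are hashed."""
    body = base64.b64encode(pem_label.encode()).decode()
    return (f"CONNECTED(00000003)\n---\nCertificate chain\n"
            f" 0 s:CN = mail.google.com\n   i:{issuer}\n"
            f" 1 s:{issuer}\n   i:{root}\n"
            f"---\nServer certificate\n-----BEGIN CERTIFICATE-----\n{body}\n"
            f"-----END CERTIFICATE-----\n")

PUBLIC_CA = "O = Example Public CA, CN = Example Issuing CA"
PUBLIC_ROOT = "O = Example Public CA, CN = Example Root"
HOME = sample_output(PUBLIC_CA, PUBLIC_ROOT, "front end A")
WORK_OK = sample_output(PUBLIC_CA, PUBLIC_ROOT, "front end B")  # other Google front end
WORK_MITM = sample_output("O = Example Corp, CN = Example Corp Proxy CA",
                          "O = Example Corp, CN = Example Corp Root CA", "proxy cert")

if __name__ == "__main__":
    print(compare(WORK_OK, HOME))    # different cert, but no unfamiliar issuers
    print(compare(WORK_MITM, HOME))  # unfamiliar issuers: inspect before trusting
```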