
Never Use Glassdoor from Work - logn
https://lustforge.com/2014/11/02/never-user-glassdoor-from-work/
======
CHY872
Right advice, wrong reason. Any moderately sized company will be aware that SSL
makes it harder for their corporate traffic monitoring to work. They don't
want SSL usage to render their monitoring software useless, so they install
their own SSL root certs on machines, and relentlessly MITM all SSL traffic.

In this case, how can SSL help?

More to the point, the corporation generally has a right to monitor all
computer usage you do on their machines - so posting disparaging comments
about them on their own machines is a particularly dumb idea -
notwithstanding the Google Chrome 'Incognito Mode cannot protect you against
people standing behind you' warning.

~~~
adrianpike
What's an easy way to find out if they're doing this? Taking a look at the
certs installed in my system, unless I see "BigCo MITM Cert", I don't have a
ton of insight on what certs are and aren't supposed to be there.

Also, I'm not 100% on where all certs would be found, and short of looking at
the trust chain on each site I visit, I'm not actually sure how to know.

~~~
IgorPartola
Would anyone be interested in a site that lets you see who signed the web
server's cert from different points on the Internet? Sort of like IsItUp.com
but for MITM.

~~~
dijit
Convergence by Moxie Marlinspike does that.

Doesn't work terribly well in practice though.

[http://convergence.io/](http://convergence.io/)

~~~
IgorPartola
Out of curiosity, why doesn't it work?

~~~
dijit
Massive latency mostly.

Although there are a lot of issues[0] on its GitHub page which seem to be
unaddressed.

[0] -
[https://github.com/moxie0/Convergence/issues](https://github.com/moxie0/Convergence/issues)
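
Added example (not part of any comment in this thread): one way to approach adrianpike's question using the multi-vantage comparison IgorPartola describes. The function names, vantage-point names and sample byte strings are assumptions for illustration, and the outside fingerprints are assumed to be collected over a path the employer does not control.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SAMPLE_ORIGIN_CERT = b"constructed-origin-leaf-certificate"
SAMPLE_PROXY_CERT = b"constructed-proxy-reissued-certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def local_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate this machine is served for `host`.

    Verification is disabled on purpose: the aim is to record what the local
    network presents, not to ask the (possibly modified) local trust store.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare_views(local_fp: str, remote_fps: dict) -> dict:
    """Compare the local fingerprint with fingerprints from outside vantage points."""
    if not remote_fps:
        return {"verdict": "unknown", "agree": [], "differ": []}
    agree = sorted(name for name, fp in remote_fps.items() if fp == local_fp)
    differ = sorted(name for name, fp in remote_fps.items() if fp != local_fp)
    if not differ:
        verdict = "consistent"
    elif not agree and len(set(remote_fps.values())) == 1:
        # All outside views match each other and none matches the local one.
        verdict = "local-interception-likely"
    else:
        # Mixed results: sites behind CDNs or load balancers can legitimately
        # serve different leaf certificates, so this alone proves nothing.
        verdict = "inconclusive"
    return {"verdict": verdict, "agree": agree, "differ": differ}
```

A differing fingerprint can also come from certificate rotation between measurements, so the local and outside readings should be taken close together.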

------
junto
Golden rules to live by: Never use work computers for personal use, period.
Your work contract more than likely specifically includes a clause.

Been there, got the T-shirt, been escorted off the premises (for sending
personal emails on work time), whilst working for large US corp. This was over
15 years ago when I was starting out and I learned a very valuable lesson.

If you are a 'trouble maker' i.e. someone who asks too many undesirable
questions or rocks the boat, then HR will find a way to fire you. Your work
contract protects them and not you.

~~~
cloakandswagger
I do most of my personal browsing through an RDP connection to my home
computer, but something that I've been concerned about: Chrome on my work
computer is logged into my personal Google account. That means all of my
extensions--including a password management tool--are available to my employer
should they choose to log into my computer.

The conspiracy-minded part of me worries that, with the proper motivation,
they could log into my email, Glassdoor, etc accounts and defensibly snoop on
me since the information was technically on one of their machines. Whether
this far flung possibility warrants foregoing the convenience of having all of
my bookmarks and logins with me at work is unclear.

~~~
PhantomGremlin
Don't do it.

Bring your personal laptop to work, browse _only_ thru the "personal hotspot"
feature of your cellphone. Don't use the corporate network for _anything_ non-
work-related.

You might object and say that it's obvious that you're doing "personal
browsing" if you're using your personal laptop. Ok, it is obvious. So just
browse during break times and lunch. You don't need to be doing extensive
personal browsing from work.

------
pythonistic
I worked for a company (Overstock.com) that on more than one occasion, during
company-wide townhalls, requested that employees use Glassdoor to review the
company. The feedback was reviewed by senior management to look for places to
improve.

------
serve_yay
Boy, I'm not sure lack of SSL is the reason you shouldn't do this!

~~~
mikeash
One of the interesting tidbits of information that came out of the Lenovo
spyware fiasco was that companies routinely MITM SSL traffic by installing
their own certificates on company computers. Unless you own and fully control
the hardware you use at work, you should just assume the company can see
anything you do with it, regardless of how encrypted it looks.

~~~
daheza
My work does not even bother to install the certificate on the individual
machines. I get unsigned cert errors all day long.

~~~
Noelkd
I would guess you use Firefox, which doesn't use the certs installed on the
host machine by default. I also see unsigned cert errors all day long!

------
totalrobe
Cloudflare has SSL even in their free accounts.

[http://www.cloudflare.com/plans](http://www.cloudflare.com/plans)

~~~
loosescrews
True, but it is only SNI. That won't work on Windows XP and Android 2.x. I
suspect that the extra cost to get traditional SSL would be worth it for
Glassdoor.

~~~
Someone1234
I agree with that as far as Glassdoor is concerned.

However on a more general basis: I really am done caring about people still
using Windows XP. I have a little sympathy for people still on Android 2.xx
because those phones got sold way too long. But Windows XP hasn't been sold
for almost ten years and has been EOL for more than a few.

On this topic: Does Chrome for Android 2.xx support SNI?

~~~
rgbrenner
_On this topic: Does Chrome for Android 2.xx support SNI?_

There is no Chrome for Android 2.x... Chrome requires Android 4.0+.

------
crazycanuck
Canary is an anonymous, secure alternative I've been working on. Check it out
if you'd like: www.canaryapp.net

------
limeyx
Darn it. Now my boss has probably tracked me reading an article about not
reading Glassdoor from the company network!

------
inmyunix
So, what about SMS on corporate phones? ... Do I even want to know?

