
I'd also be concerned if an employer was doing it, unless there was a good reason - and I can think of a few of those. For example, companies that deal with sensitive health, financial or legal information. They may need assurances (or at least a paper trail) that's a lot stronger than "we don't MITM and we trust our employees to do the right thing".

Even with those reasons, I believe the risk outweighs the potential benefits. It's not just about trusting the intentions and assurances of the company, but also their competency and knowing they're not being compromised etc. Hackers don't care about paper trails. These are things you typically can't measure.

If you have untrustworthy employees, you have bigger problems than you can solve by MITM attacking everyone.

I've worked at a couple financial institutions where all http/https traffic is proxied transparently (with internal key installed on corp computers)... certainly makes working with command line utils interesting... HTTP_PROXY HTTPS_PROXY are mostly friendly, but some aren't so nice.

> For example, companies that deal with sensitive health [..] information

I can understand this motivation but I'm not sure in practice the SSL interception really gives you more than the traffic metadata I already described. I think this is interesting though, so I've sent an FoI request to NHS England out of curiosity to see if they're doing anything like this.
