In this open series, you can contribute shows that are on the topic of Privacy and Security.
I had the opportunity to present a talk on SSL Certificates at our local LUG, the Washtenaw Linux Users Group, which uses some material from a previous HPR episode, but may be of interest to our listeners nonetheless. Because this was a lengthy presentation, I have divided it into sections. This first section explains how SSL Certificates work, and the second one will explore some of the problems that we have with SSL Certificates, and how we might address those problems. For more go to https://www.zwilnik.com/?page_id=655
Comment #1 posted on 2016-08-18 19:17:47 by Ken Fallon
Not allowed in the EU
Excellent episode as always.
IANAL, but in the EU at least it is not permissible to intercept all communications via a local SSL cert, even if a policy is in place about non-personal use of computers.
Google Chrome also implements checks to alert if the cert used on a site doesn't match the known cert (e.g. google.com turns out to be company.example.com).
Ken.
Comment #2 posted on 2016-08-19 16:29:00 by Kevin O'Brien
Different in EU
Well, I am not a lawyer either, but it looks like EU and US are different in this regard. I can say that in the US the courts have ruled that it is legal since the company owns the computers.
Comment #3 posted on 2016-09-21 15:03:16 by clacke
Different within EU
Dropping in on the convo without having heard the episode (yet).
I'm in Sweden (which is in the EU), and the company I'm currently contracting for are pretty careful about dotting their i's and crossing their lawyerly t's, so I don't believe they would be risking doing anything illegal.
They intercept TLS traffic, but I don't know if they store anything, or if it's just for the content filter to work and then gets thrown away. Maybe that makes a difference.
Google Chrome uses the OS certificate list. So if you are on your company-issued Windows computer that has the firewall's TLS CA installed to facilitate interception, Chrome will accept the CA just as if it were a real CA. Firefox won't, because it has its own list.