Is it safe to check personal accounts in work computer?











up vote
3
down vote

favorite












So sometimes I check things like my personal emails and do financial transactions like pay bills on my work computer. I came across an article recently that said your work monitors every little thing you do on the computer so it’s best not to do personal things on there, but I would think that it’s safe as long as you safely log out of your accounts and clear history?

And even if your employer can see your activity on the computer, I would assume they have no way of seeing your online passwords and accounts? Can they?

What are your thoughts?

Is it ok to do such things on a work computer, like pay bills and so on?
And is there any risk involved?

Thanks




























  • 1




    Closely related: Secure way to log in to a website on someone else's computer
    – Dukeling
    yesterday






  • 1




    In any case, how could we reply without knowing your location?
    – Mawg
    22 hours ago






  • 2




    You might get an answer on security.stackexchange.com but don't forget law.stackexchange.com
    – Mawg
    22 hours ago






  • 2




    @AffableAmbler there are specific things that tie this to the workplace. You have different privacy rights and expectations in the workplace than if you're using a paid service (such as an internet cafe or ISP) or free wifi. In some (most?) countries there are explicit laws about what rights employees have. However, location is certainly important.
    – Stuart F
    14 hours ago






  • 2




    This is on-topic here. Answers need to focus on the workplace aspect and not the general security aspect (as I think I demonstrated in my answer). Companies can and do have policies about this and jurisdictions can and do have laws about this, and it is an absolutely valid workplace concern.
    – Monica Cellio
    9 hours ago















security
















asked yesterday









Steve P

193














5 Answers

















up vote
10
down vote













It's safest to assume your employer can see everything. Now if the sites you visit are all properly secured they shouldn't be able to eavesdrop passwords, that data could still be in your browser. This site isn't the place for a technical analysis; instead let's focus on the human element. Have you ever forgotten to clear a session? Have you ever let your browser remember an "unimportant" password? Even the most careful humans goof sometimes.



All that said, your IT department probably doesn't care. You probably face a bigger risk from other users of your computer -- you're probably not perfect at locking when you step away, right? Or you might get a new machine and hand the old one off to an intern without reimaging.



The chance of having your private data compromised is very small in most workplaces, but it is not zero. If checking your bank balance from work is that important, you might decide it's fine. On the other hand, you could wait until you get home, or use your phone.



Finally, you should assume that your non-private browsing activity is all logged -- URLs, timestamps, and maybe other stuff. IT departments do look at this information sometimes -- usually in the aggregate, but if they see something interesting they might drill down.



























  • It is not unheard of for corporate proxies to intercept TLS-connections - primarily for virus-scanning, but in theory they could also eavesdrop passwords this way.
    – piet.t
    23 hours ago










  • Thank you, do you think they can see your password of an account? And can they see what you’re looking at, like if you are looking at your statement?
    – Steve P
    15 hours ago










  • Even if you are putting the password in a https site? They can still see it?
    – Steve P
    15 hours ago






  • 3




    Some work places have key loggers installed. In such a case, important items like credit card numbers, etc might be visible.
    – Dan
    14 hours ago










  • That’s ridiculous, can they even see your password and username you type in to a secure https website? And can they see your billing statements and email like when you pull them up? Is it legal? And do they have to let the employees know and if so where can I find the company's internet use policy
    – Steve P
    14 hours ago


















up vote
4
down vote













A) Is it OK to do?
Yes, generally.

B) Is it advisable to do?
No, if avoidable don't do it.

C) Are there risks?
Yes.

A) You can use your work computer and internet access if there are no policies or contract paragraphs prohibiting it.

C) Legally employers are allowed to monitor their computers and network/internet access. This includes keyloggers, screencapture and other soft- or hardware mechanisms.

The risk is that you don't know who exactly has access to those logs and with them your private information. They could be stolen or sold by a disgruntled or criminal employee or used against you in some form.

B) Most of the time there won't be an issue. However, it is generally prudent to avoid using third party equipment or internet access for private, sensitive activities.



























  • Thanks. So you are saying they damn even have Keyloggers? Do you think they can see your password of an account? And can they see what you’re looking at, like if you are looking at your statement?
    – Steve P
    15 hours ago










  • @SteveP "They have keyloggers" -> I don't think you should understand it as this. It means that, as any computer that is physically in control by someone else, it can have keyloggers installed without you being able to know it. So, from a security point of view, you can assume there is one.
    – Pac0
    15 hours ago












  • So if I’m typing a password in an https website, can they see my password?
    – Steve P
    15 hours ago










  • @SteveP If they record what you type as you type it, they've got your password. If they record all http and https traffic, they can read it if they have your private key, which they likely do. They at least have access to it, assuming you don't keep it on a USB drive that you can plug in (and that's guarded against at some companies). If they have a proxy that can be used as a man-in-the-middle attack, and have modified browsers to accept their certificate, they can read your password.
    – David Thornley
    13 hours ago










  • Wow according to that, they always have your password? I thought everything is encrypted on https websites? I thought they can only see your password if they have a Keylogger and if they do they have to notify employees first?
    – Steve P
    5 hours ago


















up vote
0
down vote













I'm not an expert on cyber security, but I would think a company could, in principle, track anything that is being done on a computer that they own.



On my corporate laptop, I have to go through an internet proxy, so for sure they have a record of every website I have navigated to. If they wanted to, I'm sure they could monitor anything I type into a text field on a web page on that machine (including usernames/passwords). So, there could potentially be a risk.



But, having said that, I would think most companies have better things to be doing and would not want the level of risk associated with pilfering cash from their employees' bank accounts or selling their personal data. A particularly unscrupulous company could do it, in theory, but the chances are probably quite low.



Edit:



Chances are probably higher that a rogue individual working in IT might do something nefarious, so there is a level of risk. I admit that I check bank accounts on my machine though, so I'm not too bothered about it.

























  • 3




    The degree to which surveillance by employers is legal varies by country. In the US employers are generally free to install keyloggers, which record every keystroke, and can take snapshots of your display. However, they must alert you that they are doing so. Furthermore, they are not allowed to use any passwords they observe to access your personal accounts.
    – Charles E. Grant
    yesterday












  • Can they see your passwords you type in on https websites?
    – Steve P
    15 hours ago










  • @SteveP if they have some sort of backdoor, then they could probably install a keylogger. If they have control over the machine, they could potentially see anything you do, I would think.
    – Time4Tea
    15 hours ago










  • How likely is that? And I thought https websites protect you and encrypt everything ?
    – Steve P
    14 hours ago










  • And that’s ridiculous I would think it’s illegal for employers to install keyloggers ?
    – Steve P
    14 hours ago


















up vote
0
down vote













To explain a somewhat funny/amusing story, a long time ago I was working in my college and a professor was explaining how he encrypts all his homework answers on this shared unix system using some pretty fancy encryption methods at the time. He said no one could crack the password in a hundred thousand years using all of the university's servers and certainly not the current semester. That night I emailed him the entire semester's solution and he was livid. How did I crack it, he would ask. Simple, I looked back in his command history and saw he entered a password in the command line tool, a very well made password with numbers, etc but it meant nothing when I knew it.



Point is, there's no way to know what level of security the system has. You type in sensitive material, it might be viewed by anyone, even in some cases your coworkers. Your work station most likely has connections to proxy servers, and key loggers installed. All easy stuff to monitor and view on the end of a system admin or just a curious coworker. You should assume everything you do in a public space is viewable by the public at large. All the security in the world means nothing when it is filtered through a controlled system.


































    up vote
    0
    down vote













    If the company controls what security certificates the web browser accepts, then they can intercept and decode any HTTPS-encoded traffic to any web site. The only additional thing they need to do is install a proxy server between your desktop computer and the internet - and most companies have that anyway.



    The attack is essentially:




    • Company configures all their computers to accept a company-issued top-level security certificate.

    • When you connect to your bank's secure web site, it will go through the proxy server.

    • The proxy server traps the request for a security certificate. It sends on the request to the bank, and the bank sends back a valid certificate. The proxy server keeps that certificate.

    • The proxy server makes up a new certificate, in the name of the bank, but authorized using the company's own top-level certificate.

    • Your browser accepts that, because it thinks the certificate is genuine.


    Now when you type in your banking password, the proxy server can decrypt it, because it set up the secure connection to the browser, not the bank. The proxy server can then re-encrypt the password and send it on to the bank.



    The proxy server can also decrypt the data coming back from the bank, because it set up the connection to the bank, not your browser. Again, having snooped on the data, it re-encrypts it and sends it on to your browser.



    If it's all done correctly, neither you nor the bank sees anything wrong.



























    • Wow so essentially even in https websites passwords are decrypted by the browser and therefore the employer IT states sees it? And does it get recorded like what if I clear all history after I log off?
      – Steve P
      5 hours ago
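
A defender-side check for the re-signing proxy described in the answer above, as an added example that is not part of the original thread: because such a proxy has to present a certificate it minted itself, the certificate seen on the work network differs from the one seen on an independent network. The host `bank.example`, the issuer names and the sample observations are constructed for illustration.

```python
"""Compare the TLS certificate a host presents on two networks (added example)."""
import hashlib
import json
import socket
import ssl
import sys


def issuer_fields(cert):
    """Flatten the 'issuer' value of SSLSocket.getpeercert() into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def _handshake(host, port, ctx, timeout):
    """Complete a TLS handshake and return (leaf DER bytes, parsed cert dict)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def observe(host, port=443, timeout=5.0):
    """Record the leaf certificate this machine is shown for `host`.

    Only the handshake runs; no request or credential is sent.
    """
    trusted = True
    try:
        der, cert = _handshake(host, port, ssl.create_default_context(), timeout)
    except ssl.SSLCertVerificationError:
        # The chain is not trusted by this Python's store (for example a company
        # root installed only in the browser). Still record the fingerprint;
        # getpeercert() returns an empty dict for an unvalidated certificate.
        trusted = False
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        der, cert = _handshake(host, port, ctx, timeout)
    return {
        "host": host,
        "trusted": trusted,
        "sha256": hashlib.sha256(der).hexdigest(),
        "issuer": issuer_fields(cert or {}),
    }


def compare(work, reference):
    """Classify a work-network observation against one from another network."""
    if work["sha256"] == reference["sha256"]:
        # A re-signing proxy lacks the site's private key, so it cannot
        # present the site's own leaf certificate.
        return "same-certificate"
    if not work["issuer"] or not reference["issuer"]:
        return "different-certificate-issuer-unknown"
    if work["issuer"] == reference["issuer"]:
        # Usual causes: certificate rotation or several front-end servers.
        return "different-certificate-same-issuer"
    # Consistent with a proxy re-issuing the certificate under another root.
    # Not proof on its own: some sites use more than one public CA.
    return "different-issuer"


def _constructed(issuer_org, issuer_cn, leaf_bytes):
    """Build an observation shaped like observe()'s result from constructed data."""
    cert = {"issuer": ((("organizationName", issuer_org),),
                       (("commonName", issuer_cn),))}
    return {
        "host": "bank.example",
        "trusted": True,
        "sha256": hashlib.sha256(leaf_bytes).hexdigest(),
        "issuer": issuer_fields(cert),
    }


# Constructed sample observations (not real certificates or real CAs).
HOME = _constructed("Example Public CA", "Example Public CA G2", b"constructed leaf 1")
HOME_ROTATED = _constructed("Example Public CA", "Example Public CA G2", b"constructed leaf 2")
WORK = _constructed("Example Corp", "Example Corp Inspection Root", b"constructed leaf 3")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live use: run once on each network and compare the two JSON outputs.
        print(json.dumps(observe(sys.argv[1]), indent=2))
    else:
        for name, obs in (("home again", HOME), ("rotated", HOME_ROTATED), ("work", WORK)):
            print(name, "->", compare(obs, HOME))
```

A "same-certificate" result only rules out re-signing of that connection; it says nothing about software on the machine itself, such as the keyloggers mentioned in the other answers.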











    Answer with 10 votes: answered yesterday by Monica Cellio (reputation 44.8k; badges 18, 115, 198)












    • It is not unheard of for corporate proxies to intercept TLS-connections - primarily for virus-scanning, but in theory they could also eavesdrop passwords this way.
      – piet.t
      23 hours ago










    • Thank you, do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
      – Steve P
      15 hours ago










    • Even if you are putting the password in a https site? They can still see it?
      – Steve P
      15 hours ago






    • 3




      Some work places have key loggers installed. In such a case, important items like credit card numbers, etc might be visible.
      – Dan
      14 hours ago










    • That’s ridiculous, can they even see your passsord and username you type in to a secure https website? And can they see your billing statements and email likening you pull them up? Is it legal? And do they Have to let the employees know and if so where can I find no the companies internet use policy
      – Steve P
      14 hours ago


















    up vote
    4
    down vote









    A)

    Is it OK to do?
    Yes, generally.



    B)

    Is it advisable to do?
    No, if avoidable don't do it.



    C)

    Are there risks?
    Yes.



    A)

    You can use your work computer and internet access if there are no policies or contract paragraphs prohibiting it.



    C)

    Legally employers are allowed to monitor their computers and network/internet access.

    This includes keyloggers, screencapture and other soft- or hardware mechanisms.



    The risk is that you don't know who exactly has access to those logs and with them your private information.

    They could be stolen or sold by a disgruntled or criminal employee or used against you in some form.



    B)

    Most of the time there won't be an issue.

    However, it is generally prudent to avoid using third party equipment or internet access for private, sensitive activities.







    answered yesterday









    DigitalBlade969

    • Thanks. So you are saying they damn even have keyloggers? Do you think they can see your password of an account? And can they see what you’re looking at, like if you are looking at your statement?
      – Steve P
      15 hours ago










    • @SteveP "They have keyloggers" -> I don't think you should understand it as this. It means that, as any computer that is physically in control by someone else, it can have keyloggers installed without you being able to know it. So, from a security point of view, you can assume there is one.
      – Pac0
      15 hours ago












    • So if I’m typing a password in an https website, can they see my password?
      – Steve P
      15 hours ago










    • @SteveP If they record what you type as you type it, they've got your password. If they record all http and https traffic, they can read it if they have your private key, which they likely do. They at least have access to it, assuming you don't keep it on a USB drive that you can plug in (and that's guarded against at some companies). If they have a proxy that can be used as a man-in-the-middle attack, and have modified browsers to accept their certificate, they can read your password.
      – David Thornley
      13 hours ago










    • Wow, according to that, they always have your password? I thought everything is encrypted on https websites? I thought they can only see your password if they have a keylogger, and if they do they have to notify employees first?
      – Steve P
      5 hours ago


















    up vote
    0
    down vote









    I'm not an expert on cyber security, but I would think a company could, in principle, track anything that is being done on a computer that they own.



    On my corporate laptop, I have to go through an internet proxy, so for sure they have a record of every website I have navigated to. If they wanted to, I'm sure they could monitor anything I type into a text field on a web page on that machine (including usernames/passwords). So, there could potentially be a risk.



    But, having said that, I would think most companies have better things to be doing and would not want the level of risk associated with pilfering cash from their employees' bank accounts or selling their personal data. A particularly unscrupulous company could do it, in theory, but the chances are probably quite low.



    Edit:



    Chances are probably higher that a rogue individual working in IT might do something nefarious, so there is a level of risk. I admit that I check bank accounts on my machine though, so I'm not too bothered about it.







    edited yesterday

























    answered yesterday









    Time4Tea

    • 3




      The degree to which surveillance by employers is legal varies by country. In the US employers are generally free to install keyloggers, which record every keystroke, and can take snapshots of your display. However, they must alert you that they are doing so. Furthermore, they are not allowed to use any passwords they observe to access your personal accounts.
      – Charles E. Grant
      yesterday












    • Can they see your passwords you type in on https websites?
      – Steve P
      15 hours ago










    • @SteveP if they have some sort of backdoor, then they could probably install a keylogger. If they have control over the machine, they could potentially see anything you do, I would think.
      – Time4Tea
      15 hours ago










    • How likely is that? And I thought https websites protect you and encrypt everything ?
      – Steve P
      14 hours ago










    • And that’s ridiculous I would think it’s illegal for employers to install keyloggers ?
      – Steve P
      14 hours ago














        up vote
        0
        down vote









        To explain a somewhat funny/amusing story, a long time ago I was working in my college and a professor was explaining how he encrypts all his homework answers on this shared unix system using some pretty fancy encryption methods at the time. He said no one could crack the password in a hundred thousand years using all of the university's servers and certainly not the current semester. That night I emailed him the entire semester's solution and he was livid. How did I crack it, he would ask. Simple, I looked back in his command history and saw he entered a password in the command line tool, a very well made password with numbers, etc but it meant nothing when I knew it.



        Point is, there's no way to know what level of security the system has. You type in sensitive material, it might be viewed by anyone, even in some cases your coworkers. Your work station most likely has connections to proxy servers, and key loggers installed. All easy stuff to monitor and view on the end of a system admin or just a curious coworker. You should assume everything you do in a public space is viewable by the public at large. All the security in the world means nothing when it is filtered through a controlled system.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 12 hours ago









        Dan




































            If the company controls what security certificates the web browser accepts, then they can intercept and decode any HTTPS-encoded traffic to any web site. The only additional thing they need to do is install a proxy server between your desktop computer and the internet - and most companies have that anyway.



            The attack is essentially:




            • Company configures all their computers to accept a company-issued top-level security certificate.

            • When you connect to your bank's secure web site, it will go through the proxy server.

            • The proxy server traps the request for a security certificate. It sends on the request to the bank, and the bank sends back a valid certificate. The proxy server keeps that certificate.

            • The proxy server makes up a new certificate, in the name of the bank, but authorized using the company's own top-level certificate.

            • Your browser accepts that, because it thinks the certificate is genuine.


            Now when you type in your banking password, the proxy server can decrypt it, because it set up the secure connection to the browser, not the bank. The proxy server can then re-encrypt the password and send it on to the bank.



            The proxy server can also decrypt the data coming back from the bank, because it set up the connection to the bank, not your browser. Again, having snooped on the data, it re-encrypts it and sends it on to your browser.



            If it's all done correctly, neither you nor the bank sees anything wrong.
















            answered 5 hours ago









            Simon B













            • Wow so essentially even in https websites passwords are decrypted by the browser and therefore the employer IT states sees it? And does it get recorded like what if I clear all history after I log off?
              – Steve P
              5 hours ago
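
Added example (not part of Simon B's answer or the comments): the certificate substitution described in that answer is visible in the issuer of the certificate your client receives. This Python sketch compares that issuer with CA names recorded on a network the employer does not control; the host `bank.example`, both CA names and the sample certificates are constructed for illustration.

```python
import socket
import ssl

def issuer_fields(cert):
    """Flatten the 'issuer' RDN tuples from ssl.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def fetch_cert(host, port=443, timeout=5):
    """Return the leaf certificate this machine's trust store accepted for host."""
    ctx = ssl.create_default_context()  # uses the locally installed root CAs
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_issuer(cert, expected_orgs):
    """Compare the issuer seen here with CA names recorded out-of-band."""
    issuer = issuer_fields(cert)
    org = issuer.get("organizationName", "")
    return {
        "issuer_org": org,
        "issuer_cn": issuer.get("commonName", ""),
        "unexpected_issuer": org not in expected_orgs,
    }

# Constructed samples in the shape getpeercert() returns (not real certificates).
SUBJECT = ((("commonName", "bank.example"),),)
SEEN_AT_HOME = {
    "subject": SUBJECT,
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA TLS 1"),)),
}
SEEN_AT_WORK = {
    "subject": SUBJECT,  # same site name, so the browser shows no warning
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp Inspection CA"),)),
}
EXPECTED_ORGS = {"Example Public CA"}  # assumption: noted on an unmanaged network

if __name__ == "__main__":
    for label, cert in (("home", SEEN_AT_HOME), ("work", SEEN_AT_WORK)):
        print(label, check_issuer(cert, EXPECTED_ORGS))
    # On a real machine: check_issuer(fetch_cert("bank.example"), EXPECTED_ORGS)
```

An unexpected issuer is a reason to inspect the certificate chain, not proof of interception, because a site can also change its CA.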



































