Is it safe to check personal accounts in work computer?
up vote
3
down vote
favorite
So sometimes I check things like my personal emails and do financial transactions like pay bills on my work computer. I came across an article recently that it said your work monitors every little thing you do on the computer so it’s best not to do personal things on there but I would think that it’s safe as long as you safely log out of your accounts and clear history?
And even if your employer can see yor activity on the computer, I would assume they have no way of seeing your online passwords and accounts? Can they?
What are your thoughts ?
Is it ok to do such things on work ocmputer like pay bills and so on?
And is there’s and risk involved ?
Thanks
security
asked yesterday
Steve P
193
add a comment |
up vote
3
down vote
favorite
So sometimes I check things like my personal emails and do financial transactions like pay bills on my work computer. I came across an article recently that it said your work monitors every little thing you do on the computer so it’s best not to do personal things on there but I would think that it’s safe as long as you safely log out of your accounts and clear history?
And even if your employer can see yor activity on the computer, I would assume they have no way of seeing your online passwords and accounts? Can they?
What are your thoughts ?
Is it ok to do such things on work ocmputer like pay bills and so on?
And is there’s and risk involved ?
Thanks
security
asked yesterday
Steve P
193
1
Closely related: Secure way to log in to a website on someone else's computer
– Dukeling
yesterday
1
In any case, how could we reply without knowing your location?
– Mawg
22 hours ago
2
You might get an answer on security.stackexchange.com but don't forget law.stackexchange.com
– Mawg
22 hours ago
2
@AffableAmbler there are specific things that tie this to the workplace. You have different privacy rights and expectations in the workplace than if you're using a paid service (such as an internet cafe or ISP) or free wifi. In some (most?) countries there are explicit laws about what rights employees have. However, location is certainly important.
– Stuart F
14 hours ago
2
This is on-topic here. Answers need to focus on the workplace aspect and not the general security aspect (as I think I demonstrated in my answer). Companies can and do have policies about this and jurisdictions can and do have laws about this, and it is an absolutely valid workplace concern.
– Monica Cellio♦
9 hours ago
add a comment |
up vote
3
down vote
favorite
up vote
3
down vote
favorite
So sometimes I check things like my personal emails and do financial transactions like pay bills on my work computer. I came across an article recently that it said your work monitors every little thing you do on the computer so it’s best not to do personal things on there but I would think that it’s safe as long as you safely log out of your accounts and clear history?
And even if your employer can see yor activity on the computer, I would assume they have no way of seeing your online passwords and accounts? Can they?
What are your thoughts ?
Is it ok to do such things on work ocmputer like pay bills and so on?
And is there’s and risk involved ?
Thanks
security
asked yesterday
Steve P
193
So sometimes I check things like my personal emails and do financial transactions like pay bills on my work computer. I came across an article recently that it said your work monitors every little thing you do on the computer so it’s best not to do personal things on there but I would think that it’s safe as long as you safely log out of your accounts and clear history?
And even if your employer can see yor activity on the computer, I would assume they have no way of seeing your online passwords and accounts? Can they?
What are your thoughts ?
Is it ok to do such things on work ocmputer like pay bills and so on?
And is there’s and risk involved ?
Thanks
security
security
asked yesterday
Steve P
193
asked yesterday
Steve P
193
asked yesterday
Steve P
193
asked yesterday
Steve P
193
asked yesterday
Steve P
193
193
1
Closely related: Secure way to log in to a website on someone else's computer
– Dukeling
yesterday
1
In any case, how could we reply without knowing your location?
– Mawg
22 hours ago
2
You might get an answer on security.stackexchange.com but don't forget law.stackexchange.com
– Mawg
22 hours ago
2
@AffableAmbler there are specific things that tie this to the workplace. You have different privacy rights and expectations in the workplace than if you're using a paid service (such as an internet cafe or ISP) or free wifi. In some (most?) countries there are explicit laws about what rights employees have. However, location is certainly important.
– Stuart F
14 hours ago
2
This is on-topic here. Answers need to focus on the workplace aspect and not the general security aspect (as I think I demonstrated in my answer). Companies can and do have policies about this and jurisdictions can and do have laws about this, and it is an absolutely valid workplace concern.
– Monica Cellio♦
9 hours ago
add a comment |
1
Closely related: Secure way to log in to a website on someone else's computer
– Dukeling
yesterday
1
In any case, how could we reply without knowing your location?
– Mawg
22 hours ago
2
You might get an answer on security.stackexchange.com but don't forget law.stackexchange.com
– Mawg
22 hours ago
2
@AffableAmbler there are specific things that tie this to the workplace. You have different privacy rights and expectations in the workplace than if you're using a paid service (such as an internet cafe or ISP) or free wifi. In some (most?) countries there are explicit laws about what rights employees have. However, location is certainly important.
– Stuart F
14 hours ago
2
This is on-topic here. Answers need to focus on the workplace aspect and not the general security aspect (as I think I demonstrated in my answer). Companies can and do have policies about this and jurisdictions can and do have laws about this, and it is an absolutely valid workplace concern.
– Monica Cellio♦
9 hours ago
1
1
Closely related: Secure way to log in to a website on someone else's computer
– Dukeling
yesterday
Closely related: Secure way to log in to a website on someone else's computer
– Dukeling
yesterday
1
1
In any case, how could we reply without knowing your location?
– Mawg
22 hours ago
In any case, how could we reply without knowing your location?
– Mawg
22 hours ago
2
2
You might get an answer on security.stackexchange.com but don't forget law.stackexchange.com
– Mawg
22 hours ago
You might get an answer on security.stackexchange.com but don't forget law.stackexchange.com
– Mawg
22 hours ago
2
2
@AffableAmbler there are specific things that tie this to the workplace. You have different privacy rights and expectations in the workplace than if you're using a paid service (such as an internet cafe or ISP) or free wifi. In some (most?) countries there are explicit laws about what rights employees have. However, location is certainly important.
– Stuart F
14 hours ago
@AffableAmbler there are specific things that tie this to the workplace. You have different privacy rights and expectations in the workplace than if you're using a paid service (such as an internet cafe or ISP) or free wifi. In some (most?) countries there are explicit laws about what rights employees have. However, location is certainly important.
– Stuart F
14 hours ago
2
2
This is on-topic here. Answers need to focus on the workplace aspect and not the general security aspect (as I think I demonstrated in my answer). Companies can and do have policies about this and jurisdictions can and do have laws about this, and it is an absolutely valid workplace concern.
– Monica Cellio♦
9 hours ago
This is on-topic here. Answers need to focus on the workplace aspect and not the general security aspect (as I think I demonstrated in my answer). Companies can and do have policies about this and jurisdictions can and do have laws about this, and it is an absolutely valid workplace concern.
– Monica Cellio♦
9 hours ago
add a comment |
5 Answers
5
active
oldest
votes
up vote
10
down vote
It's safest to assume your employer can see everything. Now if the sites you visit are all property secured they shouldn't be able to eavesdrop passwords, that data could still be in your browser. This site isn't the place for a technical analysis; instead let's focus on the human element. Have you ever forgotten to clear a session? Have you ever let your browser remember an "unimportant" password? Even the most careful humans goof sometimes.
All that said, your IT department probably doesn't care. You probably face a bigger risk from other users of your computer -- you're probably not perfect at locking when you step away, right? Or you might get a new machine and hand the old one off to an intern without reimaging.
The chance of having your private data compromised is very small in most workplaces, but it is not zero. If checking your bank balance from work is that important, you might decide it's fine. On the other hand, you could wait until you get home, or use your phone.
Finally, you should assume that your non-private browsing activity is all logged -- URLs, timestamps, and maybe other stuff. IT departments do look at this information sometimes -- usually in the aggregate, but if they see something interesting they might drill down.
answered yesterday
Monica Cellio♦
44.8k18115198
It is not unheard of for corporate proxies to intercept TLS-connections - primarily for virus-scanning, but in theory they could also eavesdrop passwords this way.
– piet.t
23 hours ago
Thank you, do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
Even if you are putting the password in a https site? They can still see it?
– Steve P
15 hours ago
3
Some work places have key loggers installed. In such a case, important items like credit card numbers, etc might be visible.
– Dan
14 hours ago
That’s ridiculous, can they even see your passsord and username you type in to a secure https website? And can they see your billing statements and email likening you pull them up? Is it legal? And do they Have to let the employees know and if so where can I find no the companies internet use policy
– Steve P
14 hours ago
|
show 7 more comments
up vote
4
down vote
A)
Is it OK to do?
Yes, generally.
B)
Is it advisable to do?
No, if avoidable don't do it.
C)
Are there risks?
Yes.
A)
You can use your work computer and internet access if there are no policies or contract paragraphs prohibiting it.
C)
Legally employers are allowed to monitor their computers and network/internet access.
This includes keyloggers, screencapture and other soft- or hardware mechanisms.
The risk is that you don't know who exactly has access to those logs and with them your private information.
They could be stolen or sold by a disgruntled or criminal employee or used against you in some form.
B)
Most of the time there won't be an issue.
However, it is generally prudent to avoid using third party equipment or internet access for private, sensitive activities.
answered yesterday
DigitalBlade969
3,8241418
Thanks. So you are saying they damn even have Keyloggers? do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
@SteveP "They have keyloggers" -> I don't think you should understand it as this. It means that, as any computer that is physically in control by someone else, it can have keyloggers installed without you being able to know it. So, from a security point of view, you can assume there is one.
– Pac0
15 hours ago
So if I’m typing a password in an https website, can they see my password?
– Steve P
15 hours ago
@SteveP If they record what you type as you type it, they've got your password. If they record all http and https traffic, they can read if if they have your private key, which they likely do. They at least have access to it, assuming you don't keep it on a USB drive that you can plug in (and that's guarded against at some companies). If they have a proxy that can be used as a man-in-the-middle attack, and have modified browsers to accept their certificate, they can read your password.
– David Thornley
13 hours ago
Wow according to that, they always have your password? I thought everything is encrypted on https websites? I thought they can only see tour oassword if they have a Keylogger and if they do they have to notify employees first ?
– Steve P
5 hours ago
add a comment |
up vote
0
down vote
I'm not an expert on cyber security, but I would think a company could, in principle, track anything that is being done on a computer that they own.
On my corporate laptop, I have to go through an internet proxy, so for sure they have a record of every website I have navigated to. If they wanted to, I'm sure they could monitor anything I type into a text field on a web page on that machine (including usernames/passwords). So, there could potentially be a risk.
But, having said that, I would think most companies have better things to be doing and would not want the level of risk associated with pilfering cash from their employees' bank accounts or selling their personal data. A particularly unscrupulous company could do it, in theory, but the chances are probably quite low.
Edit:
Chances are probably higher that a rogue individual working in IT might do something nefarious, so there is a level of risk. I admit that I check bank accounts on my machine though, so I'm not too bothered about it.
answered yesterday
Time4Tea
3,48031130
3
The degree to which surveillance by employers is legal varies by country. In the US employers are generally free to install keyloggers, which record every keystroke, and can take snapshots of your display. However, they must alert you that they are doing so. Furthermore, they are not allowed to use any passwords they observe to access your personal accounts.
– Charles E. Grant
yesterday
Can they see your passwordsnyou type in on https websites?
– Steve P
15 hours ago
@SteveP if they have some sort of backdoor, then they could probably install a keylogger. If they have control over the machine, they could potentially see anything you do, I would think.
– Time4Tea
15 hours ago
How likely is that? And I thought https websites protect you and encrypt everything ?
– Steve P
14 hours ago
And that’s ridiculous I would think it’s illegal for employers to install keyloggers ?
– Steve P
14 hours ago
|
show 6 more comments
up vote
0
down vote
To explain a somewhat funny/amusing story, a long time ago I was working in my college and a professor was explaining how he encrypts all his homework answers on this shared unix system using some pretty fancy encryption methods at the time. He said no one could crack the password in a hundred thousand years using all of the university's servers and certainly not the current semester. That night I emailed him the entire semester's solution and he was livid. How did I crack it, he would ask. Simple, I looked back in his command history and saw he entered a password in the command line tool, a very well made password with numbers, etc but it meant nothing when I knew it.
Point is, there's no way to know what level of security the system has. You type in sensitive material, it might be viewed by anyone, even in some cases your coworkers. Your work station most likely has connections to proxy servers, and key loggers installed. All easy stuff to monitor and view on the end of a system admin or just a curious coworker. You should assume everything you do in a public space is viewable by the public at large. All the security in the world means nothing when it is filtered through a controlled system.
answered 12 hours ago
Dan
6,75221325
add a comment |
up vote
0
down vote
If the company controls what security certificates the web browser accepts, then they can intercept and decode any HTTPS-encoded traffic to any web site. The only additional thing they need to do is install a proxy server between your desktop computer and the internet - and most companies have that anyway.
The attack is essentially:
- Company configures all their computers to accept a company-issued top-level security certificate.
- When you connect to your bank's secure web site, it will go though the proxy server.
- The proxy server traps the request for a security certificate. It sends on the request to the bank, and the bank sends back a valid certificate. The proxy server keeps that certificate.
- The proxy server makes up a new certificate, in the name of the bank, but authorized using the company's own top-level certificate.
- Your browser accepts that, because it thinks the certificate is genuine.
Now when you type in your banking password, the proxy server can decrypt it, because it set up the secure connection to the browser, not the bank. The proxy server can then re-encrypt the password and send it on to the bank.
The proxy server can also decrypt the data coming back from the bank, because it set up the connection to the bank, not your browser. Again, having snooped on the data, it re-encrypts it and sends it on to your browser.
If it's all done correctly, neither you nor the bank sees anything wrong.
answered 5 hours ago
Simon B
2,8402816
Wow so essentially even in https websites passwords are decrypted by the browser and therefore the employer IT states sees it? And does it get recorded like what if I clear all history after I log off?
– Steve P
5 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "423"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: false,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f124614%2fis-it-safe-to-check-personal-accounts-in-work-computer%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
StackExchange.ready(function () {
$("#show-editor-button input, #show-editor-button button").click(function () {
var showEditor = function() {
$("#show-editor-button").hide();
$("#post-form").removeClass("dno");
StackExchange.editor.finallyInit();
};
var useFancy = $(this).data('confirm-use-fancy');
if(useFancy == 'True') {
var popupTitle = $(this).data('confirm-fancy-title');
var popupBody = $(this).data('confirm-fancy-body');
var popupAccept = $(this).data('confirm-fancy-accept-button');
$(this).loadPopup({
url: '/post/self-answer-popup',
loaded: function(popup) {
var pTitle = $(popup).find('h2');
var pBody = $(popup).find('.popup-body');
var pSubmit = $(popup).find('.popup-submit');
pTitle.text(popupTitle);
pBody.html(popupBody);
pSubmit.val(popupAccept).click(showEditor);
}
})
} else{
var confirmText = $(this).data('confirm-text');
if (confirmText ? confirm(confirmText) : true) {
showEditor();
}
}
});
});
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
10
down vote
It's safest to assume your employer can see everything. Now if the sites you visit are all property secured they shouldn't be able to eavesdrop passwords, that data could still be in your browser. This site isn't the place for a technical analysis; instead let's focus on the human element. Have you ever forgotten to clear a session? Have you ever let your browser remember an "unimportant" password? Even the most careful humans goof sometimes.
All that said, your IT department probably doesn't care. You probably face a bigger risk from other users of your computer -- you're probably not perfect at locking when you step away, right? Or you might get a new machine and hand the old one off to an intern without reimaging.
The chance of having your private data compromised is very small in most workplaces, but it is not zero. If checking your bank balance from work is that important, you might decide it's fine. On the other hand, you could wait until you get home, or use your phone.
Finally, you should assume that your non-private browsing activity is all logged -- URLs, timestamps, and maybe other stuff. IT departments do look at this information sometimes -- usually in the aggregate, but if they see something interesting they might drill down.
answered yesterday
Monica Cellio♦
44.8k18115198
It is not unheard of for corporate proxies to intercept TLS-connections - primarily for virus-scanning, but in theory they could also eavesdrop passwords this way.
– piet.t
23 hours ago
Thank you, do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
Even if you are putting the password in a https site? They can still see it?
– Steve P
15 hours ago
3
Some work places have key loggers installed. In such a case, important items like credit card numbers, etc might be visible.
– Dan
14 hours ago
That’s ridiculous, can they even see your passsord and username you type in to a secure https website? And can they see your billing statements and email likening you pull them up? Is it legal? And do they Have to let the employees know and if so where can I find no the companies internet use policy
– Steve P
14 hours ago
|
show 7 more comments
up vote
10
down vote
It's safest to assume your employer can see everything. Now if the sites you visit are all property secured they shouldn't be able to eavesdrop passwords, that data could still be in your browser. This site isn't the place for a technical analysis; instead let's focus on the human element. Have you ever forgotten to clear a session? Have you ever let your browser remember an "unimportant" password? Even the most careful humans goof sometimes.
All that said, your IT department probably doesn't care. You probably face a bigger risk from other users of your computer -- you're probably not perfect at locking when you step away, right? Or you might get a new machine and hand the old one off to an intern without reimaging.
The chance of having your private data compromised is very small in most workplaces, but it is not zero. If checking your bank balance from work is that important, you might decide it's fine. On the other hand, you could wait until you get home, or use your phone.
Finally, you should assume that your non-private browsing activity is all logged -- URLs, timestamps, and maybe other stuff. IT departments do look at this information sometimes -- usually in the aggregate, but if they see something interesting they might drill down.
answered yesterday
Monica Cellio♦
44.8k18115198
It is not unheard of for corporate proxies to intercept TLS-connections - primarily for virus-scanning, but in theory they could also eavesdrop passwords this way.
– piet.t
23 hours ago
Thank you, do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
Even if you are putting the password in a https site? They can still see it?
– Steve P
15 hours ago
3
Some work places have key loggers installed. In such a case, important items like credit card numbers, etc might be visible.
– Dan
14 hours ago
That’s ridiculous, can they even see your passsord and username you type in to a secure https website? And can they see your billing statements and email likening you pull them up? Is it legal? And do they Have to let the employees know and if so where can I find no the companies internet use policy
– Steve P
14 hours ago
|
show 7 more comments
up vote
10
down vote
up vote
10
down vote
It's safest to assume your employer can see everything. Now if the sites you visit are all property secured they shouldn't be able to eavesdrop passwords, that data could still be in your browser. This site isn't the place for a technical analysis; instead let's focus on the human element. Have you ever forgotten to clear a session? Have you ever let your browser remember an "unimportant" password? Even the most careful humans goof sometimes.
All that said, your IT department probably doesn't care. You probably face a bigger risk from other users of your computer -- you're probably not perfect at locking when you step away, right? Or you might get a new machine and hand the old one off to an intern without reimaging.
The chance of having your private data compromised is very small in most workplaces, but it is not zero. If checking your bank balance from work is that important, you might decide it's fine. On the other hand, you could wait until you get home, or use your phone.
Finally, you should assume that your non-private browsing activity is all logged -- URLs, timestamps, and maybe other stuff. IT departments do look at this information sometimes -- usually in the aggregate, but if they see something interesting they might drill down.
answered yesterday
Monica Cellio♦
44.8k18115198
It's safest to assume your employer can see everything. Now if the sites you visit are all property secured they shouldn't be able to eavesdrop passwords, that data could still be in your browser. This site isn't the place for a technical analysis; instead let's focus on the human element. Have you ever forgotten to clear a session? Have you ever let your browser remember an "unimportant" password? Even the most careful humans goof sometimes.
All that said, your IT department probably doesn't care. You probably face a bigger risk from other users of your computer -- you're probably not perfect at locking when you step away, right? Or you might get a new machine and hand the old one off to an intern without reimaging.
The chance of having your private data compromised is very small in most workplaces, but it is not zero. If checking your bank balance from work is that important, you might decide it's fine. On the other hand, you could wait until you get home, or use your phone.
Finally, you should assume that your non-private browsing activity is all logged -- URLs, timestamps, and maybe other stuff. IT departments do look at this information sometimes -- usually in the aggregate, but if they see something interesting they might drill down.
answered yesterday
Monica Cellio♦
44.8k18115198
answered yesterday
Monica Cellio♦
44.8k18115198
answered yesterday
Monica Cellio♦
44.8k18115198
answered yesterday
Monica Cellio♦
44.8k18115198
44.8k18115198
It is not unheard of for corporate proxies to intercept TLS-connections - primarily for virus-scanning, but in theory they could also eavesdrop passwords this way.
– piet.t
23 hours ago
Thank you, do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
Even if you are putting the password in a https site? They can still see it?
– Steve P
15 hours ago
3
Some work places have key loggers installed. In such a case, important items like credit card numbers, etc might be visible.
– Dan
14 hours ago
That’s ridiculous, can they even see your passsord and username you type in to a secure https website? And can they see your billing statements and email likening you pull them up? Is it legal? And do they Have to let the employees know and if so where can I find no the companies internet use policy
– Steve P
14 hours ago
|
show 7 more comments
It is not unheard of for corporate proxies to intercept TLS-connections - primarily for virus-scanning, but in theory they could also eavesdrop passwords this way.
– piet.t
23 hours ago
Thank you, do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
Even if you are putting the password in a https site? They can still see it?
– Steve P
15 hours ago
3
Some work places have key loggers installed. In such a case, important items like credit card numbers, etc might be visible.
– Dan
14 hours ago
That’s ridiculous, can they even see your passsord and username you type in to a secure https website? And can they see your billing statements and email likening you pull them up? Is it legal? And do they Have to let the employees know and if so where can I find no the companies internet use policy
– Steve P
14 hours ago
It is not unheard of for corporate proxies to intercept TLS-connections - primarily for virus-scanning, but in theory they could also eavesdrop passwords this way.
– piet.t
23 hours ago
It is not unheard of for corporate proxies to intercept TLS-connections - primarily for virus-scanning, but in theory they could also eavesdrop passwords this way.
– piet.t
23 hours ago
Thank you, do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
Thank you, do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
Even if you are putting the password in a https site? They can still see it?
– Steve P
15 hours ago
Even if you are putting the password in a https site? They can still see it?
– Steve P
15 hours ago
3
3
Some work places have key loggers installed. In such a case, important items like credit card numbers, etc might be visible.
– Dan
14 hours ago
Some work places have key loggers installed. In such a case, important items like credit card numbers, etc might be visible.
– Dan
14 hours ago
That’s ridiculous, can they even see your passsord and username you type in to a secure https website? And can they see your billing statements and email likening you pull them up? Is it legal? And do they Have to let the employees know and if so where can I find no the companies internet use policy
– Steve P
14 hours ago
That’s ridiculous, can they even see your passsord and username you type in to a secure https website? And can they see your billing statements and email likening you pull them up? Is it legal? And do they Have to let the employees know and if so where can I find no the companies internet use policy
– Steve P
14 hours ago
|
show 7 more comments
up vote
4
down vote
A)
Is it OK to do?
Yes, generally.
B)
Is it advisable to do?
No, if avoidable don't do it.
C)
Are there risks?
Yes.
A)
You can use your work computer and internet access if there are no policies or contract paragraphs prohibiting it.
C)
Legally employers are allowed to monitor their computers and network/internet access.
This includes keyloggers, screencapture and other soft- or hardware mechanisms.
The risk is that you don't know who exactly has access to those logs and with them your private information.
They could be stolen or sold by a disgruntled or criminal employee or used against you in some form.
B)
Most of the time there won't be an issue.
However, it is generally prudent to avoid using third party equipment or internet access for private, sensitive activities.
answered yesterday
DigitalBlade969
3,8241418
Thanks. So you are saying they damn even have Keyloggers? do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
@SteveP "They have keyloggers" -> I don't think you should understand it as this. It means that, as any computer that is physically in control by someone else, it can have keyloggers installed without you being able to know it. So, from a security point of view, you can assume there is one.
– Pac0
15 hours ago
So if I’m typing a password in an https website, can they see my password?
– Steve P
15 hours ago
@SteveP If they record what you type as you type it, they've got your password. If they record all http and https traffic, they can read if if they have your private key, which they likely do. They at least have access to it, assuming you don't keep it on a USB drive that you can plug in (and that's guarded against at some companies). If they have a proxy that can be used as a man-in-the-middle attack, and have modified browsers to accept their certificate, they can read your password.
– David Thornley
13 hours ago
Wow according to that, they always have your password? I thought everything is encrypted on https websites? I thought they can only see tour oassword if they have a Keylogger and if they do they have to notify employees first ?
– Steve P
5 hours ago
add a comment |
up vote
4
down vote
A)
Is it OK to do?
Yes, generally.
B)
Is it advisable to do?
No, if avoidable don't do it.
C)
Are there risks?
Yes.
A)
You can use your work computer and internet access if there are no policies or contract paragraphs prohibiting it.
C)
Legally employers are allowed to monitor their computers and network/internet access.
This includes keyloggers, screencapture and other soft- or hardware mechanisms.
The risk is that you don't know who exactly has access to those logs and with them your private information.
They could be stolen or sold by a disgruntled or criminal employee or used against you in some form.
B)
Most of the time there won't be an issue.
However, it is generally prudent to avoid using third party equipment or internet access for private, sensitive activities.
answered yesterday
DigitalBlade969
3,8241418
Thanks. So you are saying they damn even have Keyloggers? do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
@SteveP "They have keyloggers" -> I don't think you should understand it as this. It means that, as any computer that is physically in control by someone else, it can have keyloggers installed without you being able to know it. So, from a security point of view, you can assume there is one.
– Pac0
15 hours ago
So if I’m typing a password in an https website, can they see my password?
– Steve P
15 hours ago
@SteveP If they record what you type as you type it, they've got your password. If they record all http and https traffic, they can read if if they have your private key, which they likely do. They at least have access to it, assuming you don't keep it on a USB drive that you can plug in (and that's guarded against at some companies). If they have a proxy that can be used as a man-in-the-middle attack, and have modified browsers to accept their certificate, they can read your password.
– David Thornley
13 hours ago
Wow according to that, they always have your password? I thought everything is encrypted on https websites? I thought they can only see tour oassword if they have a Keylogger and if they do they have to notify employees first ?
– Steve P
5 hours ago
add a comment |
up vote
4
down vote
up vote
4
down vote
A)
Is it OK to do?
Yes, generally.
B)
Is it advisable to do?
No, if avoidable don't do it.
C)
Are there risks?
Yes.
A)
You can use your work computer and internet access if there are no policies or contract paragraphs prohibiting it.
C)
Legally employers are allowed to monitor their computers and network/internet access.
This includes keyloggers, screencapture and other soft- or hardware mechanisms.
The risk is that you don't know who exactly has access to those logs and with them your private information.
They could be stolen or sold by a disgruntled or criminal employee or used against you in some form.
B)
Most of the time there won't be an issue.
However, it is generally prudent to avoid using third party equipment or internet access for private, sensitive activities.
answered yesterday
DigitalBlade969
3,8241418
A)
Is it OK to do?
Yes, generally.
B)
Is it advisable to do?
No, if avoidable don't do it.
C)
Are there risks?
Yes.
A)
You can use your work computer and internet access if there are no policies or contract paragraphs prohibiting it.
C)
Legally employers are allowed to monitor their computers and network/internet access.
This includes keyloggers, screencapture and other soft- or hardware mechanisms.
The risk is that you don't know who exactly has access to those logs and with them your private information.
They could be stolen or sold by a disgruntled or criminal employee or used against you in some form.
B)
Most of the time there won't be an issue.
However, it is generally prudent to avoid using third party equipment or internet access for private, sensitive activities.
answered yesterday
DigitalBlade969
3,8241418
answered yesterday
DigitalBlade969
3,8241418
answered yesterday
DigitalBlade969
3,8241418
answered yesterday
DigitalBlade969
3,8241418
3,8241418
Thanks. So you are saying they damn even have Keyloggers? do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
@SteveP "They have keyloggers" -> I don't think you should understand it as this. It means that, as any computer that is physically in control by someone else, it can have keyloggers installed without you being able to know it. So, from a security point of view, you can assume there is one.
– Pac0
15 hours ago
So if I’m typing a password in an https website, can they see my password?
– Steve P
15 hours ago
@SteveP If they record what you type as you type it, they've got your password. If they record all http and https traffic, they can read if if they have your private key, which they likely do. They at least have access to it, assuming you don't keep it on a USB drive that you can plug in (and that's guarded against at some companies). If they have a proxy that can be used as a man-in-the-middle attack, and have modified browsers to accept their certificate, they can read your password.
– David Thornley
13 hours ago
Wow according to that, they always have your password? I thought everything is encrypted on https websites? I thought they can only see tour oassword if they have a Keylogger and if they do they have to notify employees first ?
– Steve P
5 hours ago
add a comment |
Thanks. So you are saying they damn even have Keyloggers? do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
@SteveP "They have keyloggers" -> I don't think you should understand it as this. It means that, as any computer that is physically in control by someone else, it can have keyloggers installed without you being able to know it. So, from a security point of view, you can assume there is one.
– Pac0
15 hours ago
So if I’m typing a password in an https website, can they see my password?
– Steve P
15 hours ago
@SteveP If they record what you type as you type it, they've got your password. If they record all http and https traffic, they can read if if they have your private key, which they likely do. They at least have access to it, assuming you don't keep it on a USB drive that you can plug in (and that's guarded against at some companies). If they have a proxy that can be used as a man-in-the-middle attack, and have modified browsers to accept their certificate, they can read your password.
– David Thornley
13 hours ago
Wow according to that, they always have your password? I thought everything is encrypted on https websites? I thought they can only see tour oassword if they have a Keylogger and if they do they have to notify employees first ?
– Steve P
5 hours ago
Thanks. So you are saying they damn even have Keyloggers? do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
Thanks. So you are saying they damn even have Keyloggers? do you think they can see your password of an account? And can they see what you’re looking at liken ifnyou are looking at your statement ?
– Steve P
15 hours ago
@SteveP "They have keyloggers" -> I don't think you should understand it as this. It means that, as any computer that is physically in control by someone else, it can have keyloggers installed without you being able to know it. So, from a security point of view, you can assume there is one.
– Pac0
15 hours ago
@SteveP "They have keyloggers" -> I don't think you should understand it as this. It means that, as any computer that is physically in control by someone else, it can have keyloggers installed without you being able to know it. So, from a security point of view, you can assume there is one.
– Pac0
15 hours ago
So if I’m typing a password in an https website, can they see my password?
– Steve P
15 hours ago
So if I’m typing a password in an https website, can they see my password?
– Steve P
15 hours ago
@SteveP If they record what you type as you type it, they've got your password. If they record all http and https traffic, they can read if if they have your private key, which they likely do. They at least have access to it, assuming you don't keep it on a USB drive that you can plug in (and that's guarded against at some companies). If they have a proxy that can be used as a man-in-the-middle attack, and have modified browsers to accept their certificate, they can read your password.
– David Thornley
13 hours ago
@SteveP If they record what you type as you type it, they've got your password. If they record all http and https traffic, they can read if if they have your private key, which they likely do. They at least have access to it, assuming you don't keep it on a USB drive that you can plug in (and that's guarded against at some companies). If they have a proxy that can be used as a man-in-the-middle attack, and have modified browsers to accept their certificate, they can read your password.
– David Thornley
13 hours ago
Wow according to that, they always have your password? I thought everything is encrypted on https websites? I thought they can only see tour oassword if they have a Keylogger and if they do they have to notify employees first ?
– Steve P
5 hours ago
Wow according to that, they always have your password? I thought everything is encrypted on https websites? I thought they can only see tour oassword if they have a Keylogger and if they do they have to notify employees first ?
– Steve P
5 hours ago
add a comment |
up vote
0
down vote
I'm not an expert on cyber security, but I would think a company could, in principle, track anything that is being done on a computer that they own.
On my corporate laptop, I have to go through an internet proxy, so for sure they have a record of every website I have navigated to. If they wanted to, I'm sure they could monitor anything I type into a text field on a web page on that machine (including usernames/passwords). So, there could potentially be a risk.
But, having said that, I would think most companies have better things to be doing and would not want the level of risk associated with pilfering cash from their employees' bank accounts or selling their personal data. A particularly unscrupulous company could do it, in theory, but the chances are probably quite low.
Edit:
Chances are probably higher that a rogue individual working in IT might do something nefarious, so there is a level of risk. I admit that I check bank accounts on my machine though, so I'm not too bothered about it.
answered yesterday
Time4Tea
3,48031130
3
The degree to which surveillance by employers is legal varies by country. In the US employers are generally free to install keyloggers, which record every keystroke, and can take snapshots of your display. However, they must alert you that they are doing so. Furthermore, they are not allowed to use any passwords they observe to access your personal accounts.
– Charles E. Grant
yesterday
Can they see your passwordsnyou type in on https websites?
– Steve P
15 hours ago
@SteveP if they have some sort of backdoor, then they could probably install a keylogger. If they have control over the machine, they could potentially see anything you do, I would think.
– Time4Tea
15 hours ago
How likely is that? And I thought https websites protect you and encrypt everything ?
– Steve P
14 hours ago
And that’s ridiculous I would think it’s illegal for employers to install keyloggers ?
– Steve P
14 hours ago
|
show 6 more comments
up vote
0
down vote
I'm not an expert on cyber security, but I would think a company could, in principle, track anything that is being done on a computer that they own.
On my corporate laptop, I have to go through an internet proxy, so for sure they have a record of every website I have navigated to. If they wanted to, I'm sure they could monitor anything I type into a text field on a web page on that machine (including usernames/passwords). So, there could potentially be a risk.
But, having said that, I would think most companies have better things to be doing and would not want the level of risk associated with pilfering cash from their employees' bank accounts or selling their personal data. A particularly unscrupulous company could do it, in theory, but the chances are probably quite low.
Edit:
Chances are probably higher that a rogue individual working in IT might do something nefarious, so there is a level of risk. I admit that I check bank accounts on my machine though, so I'm not too bothered about it.
answered yesterday
Time4Tea
3,48031130
3
The degree to which surveillance by employers is legal varies by country. In the US employers are generally free to install keyloggers, which record every keystroke, and can take snapshots of your display. However, they must alert you that they are doing so. Furthermore, they are not allowed to use any passwords they observe to access your personal accounts.
– Charles E. Grant
yesterday
Can they see your passwordsnyou type in on https websites?
– Steve P
15 hours ago
@SteveP if they have some sort of backdoor, then they could probably install a keylogger. If they have control over the machine, they could potentially see anything you do, I would think.
– Time4Tea
15 hours ago
How likely is that? And I thought https websites protect you and encrypt everything ?
– Steve P
14 hours ago
And that’s ridiculous I would think it’s illegal for employers to install keyloggers ?
– Steve P
14 hours ago
|
show 6 more comments
up vote
0
down vote
up vote
0
down vote
I'm not an expert on cyber security, but I would think a company could, in principle, track anything that is being done on a computer that they own.
On my corporate laptop, I have to go through an internet proxy, so for sure they have a record of every website I have navigated to. If they wanted to, I'm sure they could monitor anything I type into a text field on a web page on that machine (including usernames/passwords). So, there could potentially be a risk.
But, having said that, I would think most companies have better things to be doing and would not want the level of risk associated with pilfering cash from their employees' bank accounts or selling their personal data. A particularly unscrupulous company could do it, in theory, but the chances are probably quite low.
Edit:
Chances are probably higher that a rogue individual working in IT might do something nefarious, so there is a level of risk. I admit that I check bank accounts on my machine though, so I'm not too bothered about it.
answered yesterday
Time4Tea
3,48031130
I'm not an expert on cyber security, but I would think a company could, in principle, track anything that is being done on a computer that they own.
On my corporate laptop, I have to go through an internet proxy, so for sure they have a record of every website I have navigated to. If they wanted to, I'm sure they could monitor anything I type into a text field on a web page on that machine (including usernames/passwords). So, there could potentially be a risk.
But, having said that, I would think most companies have better things to be doing and would not want the level of risk associated with pilfering cash from their employees' bank accounts or selling their personal data. A particularly unscrupulous company could do it, in theory, but the chances are probably quite low.
Edit:
Chances are probably higher that a rogue individual working in IT might do something nefarious, so there is a level of risk. I admit that I check bank accounts on my machine though, so I'm not too bothered about it.
answered yesterday
Time4Tea
3,48031130
edited yesterday
answered yesterday
Time4Tea
3,48031130
answered yesterday
Time4Tea
3,48031130
answered yesterday
Time4Tea
3,48031130
3,48031130
3
The degree to which surveillance by employers is legal varies by country. In the US employers are generally free to install keyloggers, which record every keystroke, and can take snapshots of your display. However, they must alert you that they are doing so. Furthermore, they are not allowed to use any passwords they observe to access your personal accounts.
– Charles E. Grant
yesterday
Can they see your passwordsnyou type in on https websites?
– Steve P
15 hours ago
@SteveP if they have some sort of backdoor, then they could probably install a keylogger. If they have control over the machine, they could potentially see anything you do, I would think.
– Time4Tea
15 hours ago
How likely is that? And I thought https websites protect you and encrypt everything ?
– Steve P
14 hours ago
And that’s ridiculous I would think it’s illegal for employers to install keyloggers ?
– Steve P
14 hours ago
|
show 6 more comments
3
The degree to which surveillance by employers is legal varies by country. In the US employers are generally free to install keyloggers, which record every keystroke, and can take snapshots of your display. However, they must alert you that they are doing so. Furthermore, they are not allowed to use any passwords they observe to access your personal accounts.
– Charles E. Grant
yesterday
Can they see your passwordsnyou type in on https websites?
– Steve P
15 hours ago
@SteveP if they have some sort of backdoor, then they could probably install a keylogger. If they have control over the machine, they could potentially see anything you do, I would think.
– Time4Tea
15 hours ago
How likely is that? And I thought https websites protect you and encrypt everything ?
– Steve P
14 hours ago
And that’s ridiculous I would think it’s illegal for employers to install keyloggers ?
– Steve P
14 hours ago
3
3
The degree to which surveillance by employers is legal varies by country. In the US employers are generally free to install keyloggers, which record every keystroke, and can take snapshots of your display. However, they must alert you that they are doing so. Furthermore, they are not allowed to use any passwords they observe to access your personal accounts.
– Charles E. Grant
yesterday
The degree to which surveillance by employers is legal varies by country. In the US employers are generally free to install keyloggers, which record every keystroke, and can take snapshots of your display. However, they must alert you that they are doing so. Furthermore, they are not allowed to use any passwords they observe to access your personal accounts.
– Charles E. Grant
yesterday
Can they see your passwordsnyou type in on https websites?
– Steve P
15 hours ago
Can they see your passwordsnyou type in on https websites?
– Steve P
15 hours ago
@SteveP if they have some sort of backdoor, then they could probably install a keylogger. If they have control over the machine, they could potentially see anything you do, I would think.
– Time4Tea
15 hours ago
@SteveP if they have some sort of backdoor, then they could probably install a keylogger. If they have control over the machine, they could potentially see anything you do, I would think.
– Time4Tea
15 hours ago
How likely is that? And I thought https websites protect you and encrypt everything ?
– Steve P
14 hours ago
How likely is that? And I thought https websites protect you and encrypt everything ?
– Steve P
14 hours ago
And that’s ridiculous I would think it’s illegal for employers to install keyloggers ?
– Steve P
14 hours ago
And that’s ridiculous I would think it’s illegal for employers to install keyloggers ?
– Steve P
14 hours ago
|
show 6 more comments
up vote
0
down vote
To explain a somewhat funny/amusing story, a long time ago I was working in my college and a professor was explaining how he encrypts all his homework answers on this shared unix system using some pretty fancy encryption methods at the time. He said no one could crack the password in a hundred thousand years using all of the university's servers and certainly not the current semester. That night I emailed him the entire semester's solution and he was livid. How did I crack it, he would ask. Simple, I looked back in his command history and saw he entered a password in the command line tool, a very well made password with numbers, etc but it meant nothing when I knew it.
Point is, there's no way to know what level of security the system has. You type in sensitive material, it might be viewed by anyone, even in some cases your coworkers. Your work station most likely has connections to proxy servers, and key loggers installed. All easy stuff to monitor and view on the end of a system admin or just a curious coworker. You should assume everything you do in a public space is viewable by the public at large. All the security in the world means nothing when it is filtered through a controlled system.
answered 12 hours ago
Dan
6,75221325
add a comment |
up vote
0
down vote
To explain a somewhat funny/amusing story, a long time ago I was working in my college and a professor was explaining how he encrypts all his homework answers on this shared unix system using some pretty fancy encryption methods at the time. He said no one could crack the password in a hundred thousand years using all of the university's servers and certainly not the current semester. That night I emailed him the entire semester's solution and he was livid. How did I crack it, he would ask. Simple, I looked back in his command history and saw he entered a password in the command line tool, a very well made password with numbers, etc but it meant nothing when I knew it.
Point is, there's no way to know what level of security the system has. You type in sensitive material, it might be viewed by anyone, even in some cases your coworkers. Your work station most likely has connections to proxy servers, and key loggers installed. All easy stuff to monitor and view on the end of a system admin or just a curious coworker. You should assume everything you do in a public space is viewable by the public at large. All the security in the world means nothing when it is filtered through a controlled system.
answered 12 hours ago
Dan
6,75221325
add a comment |
up vote
0
down vote
up vote
0
down vote
To explain a somewhat funny/amusing story, a long time ago I was working in my college and a professor was explaining how he encrypts all his homework answers on this shared unix system using some pretty fancy encryption methods at the time. He said no one could crack the password in a hundred thousand years using all of the university's servers and certainly not the current semester. That night I emailed him the entire semester's solution and he was livid. How did I crack it, he would ask. Simple, I looked back in his command history and saw he entered a password in the command line tool, a very well made password with numbers, etc but it meant nothing when I knew it.
Point is, there's no way to know what level of security the system has. You type in sensitive material, it might be viewed by anyone, even in some cases your coworkers. Your work station most likely has connections to proxy servers, and key loggers installed. All easy stuff to monitor and view on the end of a system admin or just a curious coworker. You should assume everything you do in a public space is viewable by the public at large. All the security in the world means nothing when it is filtered through a controlled system.
answered 12 hours ago
Dan
6,75221325
To explain a somewhat funny/amusing story, a long time ago I was working in my college and a professor was explaining how he encrypts all his homework answers on this shared unix system using some pretty fancy encryption methods at the time. He said no one could crack the password in a hundred thousand years using all of the university's servers and certainly not the current semester. That night I emailed him the entire semester's solution and he was livid. How did I crack it, he would ask. Simple, I looked back in his command history and saw he entered a password in the command line tool, a very well made password with numbers, etc but it meant nothing when I knew it.
Point is, there's no way to know what level of security the system has. You type in sensitive material, it might be viewed by anyone, even in some cases your coworkers. Your work station most likely has connections to proxy servers, and key loggers installed. All easy stuff to monitor and view on the end of a system admin or just a curious coworker. You should assume everything you do in a public space is viewable by the public at large. All the security in the world means nothing when it is filtered through a controlled system.
answered 12 hours ago
Dan
6,75221325
answered 12 hours ago
Dan
6,75221325
answered 12 hours ago
Dan
6,75221325
answered 12 hours ago
Dan
6,75221325
6,75221325
add a comment |
add a comment |
up vote
0
down vote
If the company controls what security certificates the web browser accepts, then they can intercept and decode any HTTPS-encoded traffic to any web site. The only additional thing they need to do is install a proxy server between your desktop computer and the internet - and most companies have that anyway.
The attack is essentially:
- Company configures all their computers to accept a company-issued top-level security certificate.
- When you connect to your bank's secure web site, it will go though the proxy server.
- The proxy server traps the request for a security certificate. It sends on the request to the bank, and the bank sends back a valid certificate. The proxy server keeps that certificate.
- The proxy server makes up a new certificate, in the name of the bank, but authorized using the company's own top-level certificate.
- Your browser accepts that, because it thinks the certificate is genuine.
Now when you type in your banking password, the proxy server can decrypt it, because it set up the secure connection to the browser, not the bank. The proxy server can then re-encrypt the password and send it on to the bank.
The proxy server can also decrypt the data coming back from the bank, because it set up the connection to the bank, not your browser. Again, having snooped on the data, it re-encrypts it and sends it on to your browser.
If it's all done correctly, neither you nor the bank sees anything wrong.
answered 5 hours ago
Simon B
2,8402816
Wow so essentially even in https websites passwords are decrypted by the browser and therefore the employer IT states sees it? And does it get recorded like what if I clear all history after I log off?
– Steve P
5 hours ago
add a comment |
up vote
0
down vote
If the company controls what security certificates the web browser accepts, then they can intercept and decode any HTTPS-encoded traffic to any web site. The only additional thing they need to do is install a proxy server between your desktop computer and the internet - and most companies have that anyway.
The attack is essentially:
- Company configures all their computers to accept a company-issued top-level security certificate.
- When you connect to your bank's secure web site, it will go though the proxy server.
- The proxy server traps the request for a security certificate. It sends on the request to the bank, and the bank sends back a valid certificate. The proxy server keeps that certificate.
- The proxy server makes up a new certificate, in the name of the bank, but authorized using the company's own top-level certificate.
- Your browser accepts that, because it thinks the certificate is genuine.
Now when you type in your banking password, the proxy server can decrypt it, because it set up the secure connection to the browser, not the bank. The proxy server can then re-encrypt the password and send it on to the bank.
The proxy server can also decrypt the data coming back from the bank, because it set up the connection to the bank, not your browser. Again, having snooped on the data, it re-encrypts it and sends it on to your browser.
If it's all done correctly, neither you nor the bank sees anything wrong.
answered 5 hours ago
Simon B
2,8402816
Wow so essentially even in https websites passwords are decrypted by the browser and therefore the employer IT states sees it? And does it get recorded like what if I clear all history after I log off?
– Steve P
5 hours ago
add a comment |
up vote
0
down vote
up vote
0
down vote
If the company controls what security certificates the web browser accepts, then they can intercept and decode any HTTPS-encoded traffic to any web site. The only additional thing they need to do is install a proxy server between your desktop computer and the internet - and most companies have that anyway.
The attack is essentially:
- Company configures all their computers to accept a company-issued top-level security certificate.
- When you connect to your bank's secure web site, it will go though the proxy server.
- The proxy server traps the request for a security certificate. It sends on the request to the bank, and the bank sends back a valid certificate. The proxy server keeps that certificate.
- The proxy server makes up a new certificate, in the name of the bank, but authorized using the company's own top-level certificate.
- Your browser accepts that, because it thinks the certificate is genuine.
Now when you type in your banking password, the proxy server can decrypt it, because it set up the secure connection to the browser, not the bank. The proxy server can then re-encrypt the password and send it on to the bank.
The proxy server can also decrypt the data coming back from the bank, because it set up the connection to the bank, not your browser. Again, having snooped on the data, it re-encrypts it and sends it on to your browser.
If it's all done correctly, neither you nor the bank sees anything wrong.
answered 5 hours ago
Simon B
2,8402816
If the company controls what security certificates the web browser accepts, then they can intercept and decode any HTTPS-encoded traffic to any web site. The only additional thing they need to do is install a proxy server between your desktop computer and the internet - and most companies have that anyway.
The attack is essentially:
- Company configures all their computers to accept a company-issued top-level security certificate.
- When you connect to your bank's secure web site, it will go though the proxy server.
- The proxy server traps the request for a security certificate. It sends on the request to the bank, and the bank sends back a valid certificate. The proxy server keeps that certificate.
- The proxy server makes up a new certificate, in the name of the bank, but authorized using the company's own top-level certificate.
- Your browser accepts that, because it thinks the certificate is genuine.
Now when you type in your banking password, the proxy server can decrypt it, because it set up the secure connection to the browser, not the bank. The proxy server can then re-encrypt the password and send it on to the bank.
The proxy server can also decrypt the data coming back from the bank, because it set up the connection to the bank, not your browser. Again, having snooped on the data, it re-encrypts it and sends it on to your browser.
If it's all done correctly, neither you nor the bank sees anything wrong.
answered 5 hours ago
Simon B
2,8402816
answered 5 hours ago
Simon B
2,8402816
answered 5 hours ago
Simon B
2,8402816
answered 5 hours ago
Simon B
2,8402816
2,8402816
Wow so essentially even in https websites passwords are decrypted by the browser and therefore the employer IT states sees it? And does it get recorded like what if I clear all history after I log off?
– Steve P
5 hours ago
add a comment |
Wow so essentially even in https websites passwords are decrypted by the browser and therefore the employer IT states sees it? And does it get recorded like what if I clear all history after I log off?
– Steve P
5 hours ago
Wow so essentially even in https websites passwords are decrypted by the browser and therefore the employer IT states sees it? And does it get recorded like what if I clear all history after I log off?
– Steve P
5 hours ago
Wow so essentially even in https websites passwords are decrypted by the browser and therefore the employer IT states sees it? And does it get recorded like what if I clear all history after I log off?
– Steve P
5 hours ago
add a comment |
Thanks for contributing an answer to The Workplace Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fworkplace.stackexchange.com%2fquestions%2f124614%2fis-it-safe-to-check-personal-accounts-in-work-computer%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Closely related: Secure way to log in to a website on someone else's computer
– Dukeling
yesterday
1
In any case, how could we reply without knowing your location?
– Mawg
22 hours ago
2
You might get an answer on security.stackexchange.com but don't forget law.stackexchange.com
– Mawg
22 hours ago
2
@AffableAmbler there are specific things that tie this to the workplace. You have different privacy rights and expectations in the workplace than if you're using a paid service (such as an internet cafe or ISP) or free wifi. In some (most?) countries there are explicit laws about what rights employees have. However, location is certainly important.
– Stuart F
14 hours ago
2
This is on-topic here. Answers need to focus on the workplace aspect and not the general security aspect (as I think I demonstrated in my answer). Companies can and do have policies about this and jurisdictions can and do have laws about this, and it is an absolutely valid workplace concern.
– Monica Cellio♦
9 hours ago