[GTALUG] Decrypting and Re-encrypting Network Traffic

James Knott james.knott at jknott.net
Tue Sep 10 17:28:14 EDT 2019


On 2019-09-10 05:09 PM, Giles Orr via talk wrote:
> Decrypting and re-encrypting network traffic is becoming more and more
> popular.  I think it's an appalling violation of both trust and
> privacy, but corporations seem to feel justified to "protect their
> network" (it's not necessary to explain the logic to me, I get it ...
> I'm just more about individual rights).  Or maybe they're just doing
> it to mine your data, depending on the context.
>
> There seem to be two circumstances (this is just about web traffic):
> - a private computer on a shared network, ex. you take your personal
> computer to a coffeeshop
> - a company computer on a company network, ex. you sit down at your
> work computer
>
> I think I understand the latter: with a company computer on a company
> network, all that's necessary is to push a trusted certificate and all
> future communications will be done with that newly trusted cert and,
> well, you're hosed.  Everything you send is examined and re-encrypted
> with the receiving site's certificate at the company firewall.  Can
> this be detected?  Can this be prevented?
>
> It seems that some shared networks (i.e. the coffeeshop in the above
> examples) manage to do this to people: is this only possible if they
> convince you to install something, and presumably that install package
> includes a certificate?  Or is there another way?
>

I'm not sure where you're going with this.  For example, with the coffee shop,
it's long been recommended that people use a VPN to prevent eavesdropping and
hacking.  Is this what you're referring to?  Why is that a problem?
I've never heard of a coffee shop forcing you to install something.  I
have, however, come across some restaurants, where you have to register
and then get hit with ads etc.  I won't use those ones.  As for company
equipment on a company network, well, that's entirely the company's business.

