I work on a corporate laptop that has an infamous root CA certificate installed, which allows the company to intercept all my browser traffic and perform a MITM attack.

Ideally, I’d like to use the company laptop to read my own mail and access my NAS in my time off.

I fear that even if I configure containers on that laptop to run alpine + wireguard client + firefox, the traffic would still be decrypted. If so, could you explain how the wireguard handshake could be tampered with?

What about Tor in a container? Would that work or is that pointless as well?

Huge kudos if you also take the time to explain your answer.

EDIT: A lot of you suggested I use a personal device for checking mails. I will do that. Thanks for your answers!

    • NESSI3@lemmy.sdf.org · 9 points · 8 months ago

      Which browser you use won’t really matter. The company is using an SSL proxy and they’re not going to pass your traffic along and let you bypass it. You don’t really get a choice as the end user. You can accept their proxy cert one time by adding it to your browser store or you can accept it every time you try to visit a site. In either way they’re going to decrypt the traffic and re-encrypt it.

      FWIW the SSL proxy should only impact asymmetric encryption that uses TLS. It shouldn’t impact symmetric crypto but they can still monitor everything you do by other means. They can watch you and they can block any traffic they desire. Chances are if they’re willing to go far enough to deploy an SSL proxy then they’re probably willing to fire you if you try to bypass it.

      • SnotBubble@lemmy.ml (OP) · 3 points · 8 months ago

        It’s good to know that they can’t bypass wireguard or Tor. I was worried about that.

        As others have suggested, I will probably use a separate device to check my mail. That seems the safest and fairest option both from the company’s and my perspective.

        • wizardbeard@lemmy.dbzer0.com · 1 point · 8 months ago

          Protecting your traffic over the wire also doesn’t stop them from getting the data directly from the OS or program itself.

          It’s their hardware, you’re just allowed to use it (and according to papers you signed when hired, likely only for work use).

          My company uses a similar MITM technique on all our network traffic, but we have also used a number of other tools that don’t have the ability to snoop on the network traffic but can still get browsing data from user machines. Most browsers have “enterprise mode” features, or just store browsing history in a file that other programs can read.

          We’ve also used systems installed at the BIOS and/or bootloader level to allow us to track the location of, and take certain remote actions on, company hardware that was taken off the company network. If the device got an internet connection at all, it was still ours to control. It was very handy for people who tried to keep their laptop after they quit.

          Technically they could use OCR on automatic screencaptures, which would bypass anything you could do. There’s a ton of “management” software that does automatic screen captures, or allows someone to look at an overview of desktops like a security guard looking at a bank of camera monitors. Usually that’s something schools use, but it is available for companies.

          They could use a keylogger too.

          The point is, you cannot control, or have any foolproof knowledge of, what they have installed on your work machine. That means that you cannot effectively work around or bypass it. If you absolutely need to, make a new “personal” email account to use for things like spotify or youtube on your work machine, and just use your damn phone for personal stuff.

    • SnotBubble@lemmy.ml (OP) · 3 points · 8 months ago

      I tried opening a browser in a Docker container but couldn’t browse any site except google because it didn’t recognize the CA authority.
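      The two observations above (NESSI3's point that the browser accepts whatever the SSL proxy presents once its root is in the trust store, and the OP's container that trusted nothing because that root was missing) come down to one check, shown here as an added Go example that is not from the thread. A constructed "corporate" root issues a certificate for mail.example.com; the same forged leaf validates when that root is in the store and fails when it is not. The CA name, hostnames and keys are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs tmpl with signer (self-signed when parent == tmpl) and parses the result.
func mkCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	// CreateCertificate only fails on a malformed template; both templates below are fixed.
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	c, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return c
}

// buildChain models the inspection proxy: a constructed "corporate" root mints a leaf for any host.
func buildChain(host string) (root, leaf *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the proxy's per-site key, not the real server's
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject:      pkix.Name{CommonName: "Example Corp TLS Inspection Root (constructed)"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	root = mkCert(caTmpl, caTmpl, caPub, caKey)
	leaf = mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}, root, leafPub, caKey)
	return root, leaf
}

// trusted reports whether leaf validates for host; the result depends only on what the root store holds.
func trusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

func main() {
	root, leaf := buildChain("mail.example.com")
	corp := x509.NewCertPool() // the laptop's trust store, with the proxy root installed
	corp.AddCert(root)
	fmt.Println("proxy root installed:", trusted(leaf, "mail.example.com", corp))                // true
	fmt.Println("proxy root absent:   ", trusted(leaf, "mail.example.com", x509.NewCertPool())) // false
}
```

      Nothing about the real mail server's key enters the check, which is why a proxy holding that root can terminate TLS for any site, and why a container without the root rejects everything; WireGuard and Tor authenticate peers by pinned public keys rather than by the system CA store, so the same installed root does not help decrypt them.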