Originally Posted by jetsetter
mauld and others,
If a corporate user accesses a web mail service like Gmail over an encrypted https URL, besides using a key logger on the client pc, what technical methods could be used for the employer to monitor the content of inbound or outbound encrypted web mail messages?
Even if there is a proxy server, log analyzer, packet sniffing, and/or other monitoring tools in place, could the actual content be monitored if the employee is using an encrypted webmail connection?
E.g. they could tell Jane Doe spends 5 hours a day in https://gmail.com, but how could they read what she writes and gets in Gmail without a key logger on her client?
1. Keylogger
2. Camera over your shoulder
3. Creation of a false certificate authority (and installation of that CA on your computer, which isn't hard in a corporate environment) that masquerades as gmail.com and proxies your traffic to the real gmail.com. Your computer thinks it's talking to Gmail but it's actually talking to CorporateServer. Your communication with Gmail is decrypted on CorporateServer, logged/examined, then re-encrypted and sent to the real Gmail.
Note that #3 is nontrivial, but is also perhaps not as hard as some might think. If you have a sophisticated IT department with sufficient reason to want to read your mail, it might not be excessively paranoid.
If you're not spreading corporate secrets but are just chatting with your boyfriend all day, the worry would probably not be so much about what you're saying but that IT might notice you spend all day with an active connection to Gmail. They might start wondering how much actual work you do.
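As an added illustration of how a user could notice method #3 on their own machine (this is example code, not something from the thread), the script below opens a TLS connection, reads the server certificate Python's ssl module accepted, and compares the issuing CA's organization against a baseline you recorded earlier on a network you trust. A proxy that re-signs gmail.com with a corporate CA has to present a certificate issued by that CA, so the issuer no longer matches the baseline. The baseline values, host names and CA names here are constructed placeholders, and the hypothetical fingerprint is printed only so you can compare it across networks.

```python
"""Compare a site's TLS certificate issuer against a recorded baseline.

Added example, not code from the forum post. It assumes you have already
recorded, on a trusted network, which CA organization normally signs the
site's certificate; the baseline below is a constructed placeholder.
"""
import hashlib
import socket
import ssl

# Constructed baseline: issuer organizationName values seen for each host on a
# network you trust. Record these yourself; the entries here are placeholders.
EXPECTED_ISSUER_ORGS = {
    "mail.google.com": {"Example Public CA LLC"},
}


def issuer_fields(peercert):
    """Flatten the 'issuer' entry of ssl.SSLSocket.getpeercert() into a dict.

    getpeercert() returns the issuer as a tuple of RDNs, each a tuple of
    (attribute, value) pairs, e.g. ((('organizationName', 'X'),), ...).
    """
    out = {}
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            out[key] = value
    return out


def classify_issuer(host, peercert, baseline=EXPECTED_ISSUER_ORGS):
    """Return 'expected', 'unexpected' or 'unknown-host'.

    'unexpected' means the certificate chain the OS trusted was signed by a
    CA organization you never saw for this host on a trusted network, which
    is what a re-signing proxy with a locally installed CA looks like.
    """
    expected = baseline.get(host)
    if expected is None:
        return "unknown-host"
    org = issuer_fields(peercert).get("organizationName", "")
    return "expected" if org in expected else "unexpected"


def fetch_peercert(host, port=443, timeout=5.0):
    """Open a verified TLS connection; return (parsed cert dict, SHA-256 of DER).

    ssl.create_default_context() uses the OS trust store, so a corporate CA
    installed there verifies cleanly; that is precisely why the issuer must be
    compared against a baseline rather than trusting verification alone.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            parsed = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return parsed, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "mail.google.com"
    cert, fingerprint = fetch_peercert(target)
    fields = issuer_fields(cert)
    print(target, classify_issuer(target, cert),
          fields.get("organizationName"), fields.get("commonName"), fingerprint)
```

Run it once at home to fill in the baseline for the hosts you care about, then again on the corporate network. An "unexpected" result with an issuer organization you recognize as your employer's is the proxy setup described in item 3; a handshake error instead means the interception CA is not trusted by your machine. A proxy could copy the public CA's issuer name, so comparing the printed fingerprint of the leaf certificate between networks is a stronger check than the organization name alone, at the cost of false alarms whenever the site rotates its certificate.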