Seems t’would be illegal
If I connect to a company VPN and buy something online, do they now have access to all my personal info?
No. VPNs, just like an ISP, can only see what pages you visit, not what you did there.
The company VPN just means you’re using the company network from wherever you are so depending on how they set it up, they probably know you were buying whatever you were buying.
Companies often use internal HTTP proxies or a firewall with SSL inspection, which acts as a man-in-the-middle entity that effectively breaks End-to-End TLS/SSL transport encryption. Your web traffic will be encrypted between you and the company proxy/firewall but the proxy/firewall will establish a new SSL/TLS connection to the target website. This way, companies can inspect, log, filter and block SSL/TLS traffic.
During VPN setup or provisioning of a provided company device (laptop), an SSL/TLS certificate of the company proxy/firewall must typically be installed. So technically, your company may be able to obtain your shopping behaviour, personal and credit card information. It is just unlikely that anyone cares and manually inspects those data points.
And it is not illegal, as you are using your company’s IT infrastructure. During employment, you likely signed and approved this type of network monitoring.
That’s not how VPNs work. But if you’re using a company laptop then it’s certainly a possibility.
Correct if the website uses HTTPS (the majority of them). If it uses only plain HTTP, anyone monitoring the connection can see what you see.
Furthermore if using a company-managed machine, they may have monitoring software on the device itself as well, which can reveal much more about your activity than just browsing history.
They would not know if they bought something, sure they visited the site, but unless they know the site’s own code and random cart strings on check out…
but unless they know the site’s own code and random cart strings on check out…
Not even that. With HTTPS, they would only be able to see the Hostname. They can’t see any query string or information on the link at all. Heck, to summarize, they can’t see the link you are accessing at all.
If the VPN connects to the network and all traffic traverses the VPN, the company may also have an outbound web proxy that does inspection and then they can see all this. If they do though, they are not going to be going through people’s shopping activity.
If the VPN connects to the network and all traffic traverses the VPN, the company may also have an outbound web proxy that does inspection and then they can see all this.
No. VPN or not, they have no way to inspect what you are doing. HTTPS encrypts everything except the hostname after the browser sends the request to the Internet. No one listening can see what you are doing. They can have a general idea by just knowing the hostname, but they can’t really see anything.
If the company has a proxy performing SSL inspection then they can see that information. It’s nothing to do with the VPN itself but to do with how they route the outbound web traffic that travels over the VPN or local LAN. What Is SSL Inspection - How Does It Work? | SEON
Ok. So I checked. It looks like SSL proxies basically install a fake Certificate Authority on a device. This way, they can spoof a fake Certificate of the websites you are visiting. So you end up establishing an SSL connection with the proxy server. Not the website you were trying to access.
However, this is usually configured to only be done with untrusted Certificates for a website they don’t trust.
Hi, yes that’s it, basically the proxy is doing an MITM on the traffic. This is reasonably common in large security corporates where they really want to control data exfiltration. Orgs I have worked for would do this, and it applies to ALL sites other than things like common online banking where they wouldn’t consider the bank a risk.
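An added example, not part of the thread above: one way to check from your own machine whether a site's certificate has been re-signed by an inspection proxy is to compare its issuer with the issuer recorded from a network you trust. The function names, hostnames and certificate values below are constructed for illustration and assume the dict format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

def issuer_of(cert):
    """Flatten the nested issuer RDNs from SSLSocket.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate as a dict (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def looks_intercepted(observed, baseline):
    """Compare the issuer seen on this network with one recorded elsewhere.

    An inspection proxy re-signs the site's certificate with the company CA,
    so the subject still names the site but the issuer changes.
    """
    seen, known = issuer_of(observed), issuer_of(baseline)
    fields = ("organizationName", "commonName")
    changed = {f: (known.get(f), seen.get(f)) for f in fields
               if known.get(f) != seen.get(f)}
    return bool(changed), changed

# Constructed sample data in getpeercert() format; every name is made up.
BASELINE = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
}
VIA_PROXY = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp TLS Inspection CA"),)),
}

if __name__ == "__main__":
    print(looks_intercepted(BASELINE, BASELINE))
    print(looks_intercepted(VIA_PROXY, BASELINE))
    # Live use: looks_intercepted(fetch_cert("shop.example"), BASELINE)
```

A changed issuer is a prompt to look at the certificate chain, not proof on its own, since sites do switch public CAs. `fetch_cert` raises `ssl.SSLCertVerificationError` when the presented chain is not trusted by the local store.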