• @library_napper
      link
      41 year ago

      Pre installed certs would be a huge vulnerability

      • @ech0@lemmy.world
        link
        fedilink
        -2
        edit-2
        1 year ago

        Uh no? Most organizations use preinstaed certs. They are usually baked into the Windows image for deployment… They are what allow a corporate device to connect to WiFi networks without a password.

        • @Lyricism6055@lemmy.world
          link
          fedilink
          1
          edit-2
          1 year ago

          I’m not sure what you’re saying? Those certs log to somewhere and in my experience HR is nowhere near technically literate enough to monitor and track that stuff.

          Usually a manager asks a sysadmin to watch someone’s stuff, then the sysadmin and manager tell HR what they find.

          We had a contractor spending 90% of his day on reddit who got fired. Hr wouldn’t have been able to pull this info since they don’t have access to the system that tracks it

        • @library_napper
          link
          11 year ago

          RADIUS doesn’t depend on preinstalled certs. But I wouldn’t use Windows anwyay.

        • @jasondj@ttrpg.network
          link
          fedilink
          1
          edit-2
          1 year ago

          All of the “privacy experts” in this sub wouldn’t know a certificate if it bit them in the ass. Most don’t even know of VPNs outside of the “privacy” services hawked by YouTubers.

          Certificates can be used to authenticate machines to wired or wireless. This is true. They are much easier to maintain at scale than pre-shared key, especially when you run an internal CA and can issue or revoke them easily/automatically, and when you run a domain and can push out additional trusted root CAs to endpoints.

          And if you have either an internal CA or a domain (ideally both), it’s very simple to have your firewall or web filter perform man-in-the-middle “attacks”. Most everything nowadays can handle TLS1.2 and many are starting to support TLS1.3. They essentially break open the traffic for inspection and re-sign it with a certificate that your system trusts so there is no error to the user. Some sites and apps have a hard time with this because of HSTS and pinning, but that’s a bit of a tangent.

          I say “attacks” in quotes because they own the hardware and they own the time of the person using it.

          Anyways, don’t do anything on a work computer you wouldn’t want your boss to know about. We usually aren’t actively watching the traffic, but some things are hard to ignore, and sometimes the CEO just wants to know who else has a diaper fetish for “official reasons”.

    • That only applies to work devices. If you’re using your personal device, they would be able to see traffic to/from a dating website but not the actual content.