I work on a corporate laptop that has an infamous root CA certificate installed, which allows the company to intercept all my browser traffic and perform a MITM attack.
Ideally, I’d like to use the company laptop to read my own mail and access my NAS in my time off.
I fear that even if I configure containers on that laptop to run alpine + wireguard client + firefox, the traffic would still be decrypted. If so, could you explain how the wireguard handshake could be tampered with?
What about Tor in a container? Would that work or is that pointless as well?
Huge kudos if you also take the time to explain your answer.
Which browser you use won’t really matter. The company is using an SSL proxy and they’re not going to pass your traffic along and let you bypass it. You don’t really get a choice as the end user. You can accept their proxy cert one time by adding it to your browser store or you can accept it every time you try to visit a site. Either way they’re going to decrypt the traffic and re-encrypt it.
FWIW the SSL proxy should only impact asymmetric encryption that uses TLS. It shouldn’t impact symmetric crypto but they can still monitor everything you do by other means. They can watch you and they can block any traffic they desire. Chances are if they’re willing to go far enough to deploy an SSL proxy then they’re probably willing to fire you if you try to bypass it.
It’s good to know that they can’t bypass wireguard or Tor. I was worried about that.
As others have suggested, I will probably use a separate device to check my mail. That seems the safest and fairest option both from the company and my perspective.