
Privacy related to company VPN

Çağlar Arlı

Last week my employer sent me a root cert to access the company’s VPN on my personal iMac. When I am connected to the VPN, I’m aware the VPN server can encrypt/decrypt the traffic, but I have some questions.

  1. If I am already signed in to an email service before connecting to the VPN and then receive or send an email after connecting, can the VPN server hijack the session from the URLs and payloads of that traffic and have the ability to pull other emails? What about apps that I have logged in to (e.g. Twitter) that ping their servers every now and then; can such traffic enable the VPN owner to access my account as if they had a logged-in session?
  2. Can direct end-to-end encrypted messaging services like iMessage, Messenger, etc. be decrypted and read by the server? If they can, can the VPN owner only read the messages that are being passed through the VPN?
  3. When not connected to VPN, does my iMac still make use of the installed cert when using the Internet normally?
  4. Does the root cert have the ability to collect other device info, offline usage behaviour, message traffic from e.g. Slack, Discord, etc. and perhaps send a report to the company’s server?

Some of these questions make me sound paranoid, but I'm just intrigued to know how much privacy I am losing. Thanks!