Can my company see my gmail?

madh83

Member
Jan 14, 2007
149
0
0
Just curious, since I'm sure there's a lot of IT ppl here, can e-mails through yahoo or gmail be seen?
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Assume they can see everything (that you do on your employer's hardware, anyway). There are plenty of corporate-level software suites that take constant screenshots and log keystrokes, and the end-user would never know. It all depends on the employer.
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
As noted, maybe. It depends on what they have installed. They can also just capture port 25 traffic too.

Many companies will not let you run another email package inside their network. Their email filters are not set to take corrective action for your email, so they have to trust a third party that may not be trustworthy to clean any attachments or messages from malware. Port 25 will be filtered and some security software will prevent port 25 from opening. This also stops local computers from becoming certain types of botnets. Botnets inside a company can get you blacklisted because of spam traffic.

It is safer to assume that any email you send can be intercepted. So be careful what you put in the message.
 

kamper

Diamond Member
Mar 18, 2003
5,513
0
0
Originally posted by: gsellis
As noted, maybe. It depends on what they have installed. They can also just capture port 25 traffic too.

Many companies will not let you run another email package inside their network. Their email filters are not set to take corrective action for your email, so they have to trust a third party that may not be trustworthy to clean any attachments or messages from malware. Port 25 will be filtered and some security software will prevent port 25 from opening. This also stops local computers from becoming certain types of botnets. Botnets inside a company can get you blacklisted because of spam traffic.

It is safer to assume that any email you send can be intercepted. So be careful what you put in the message.
I assumed that the op is asking about the web versions of yahoo and gmail. In which case, if you use the https url and iff your company doesn't have sniffing stuff installed on your machine, the only thing they can tell is that you are accessing the mail server, they can't see into it.

Google has been criticized, though, for making their gmail ajax stuff automatically fall back on http when https isn't available (which would include whenever there is network trouble). Tools have actually been written to automatically sniff your google log in creds in situations like when you acquire an ip address at a wireless access point but can't connect to the interwebs until you plug a code into the auth webapp.

In general I find that it's way too easy to accidentally visit an unencrypted google page and pass it your auth cookies. Since your google login is the same for all of their services, the gig's pretty much up when that happens. Although I'd be pretty surprised if your office sniffed your cookies and used them to log into your gmail account...
 

hans007

Lifer
Feb 1, 2000
20,212
17
81
at my last job, some "security guy" went to my desk the day i quit and i had yahoo mail open in my browser and he snooped around since my cookie was logged in. that's actually illegal.


now they can passively monitor anything you are doing on their network. it's their network and computers. but they can't actively snoop your email (what happened to me was like if someone sniffed my password and then logged in as me).

at least that is what research i came up with. for me it worked out ok, even though i was pretty mad about it (the place sucked to work for anyway and i was leaving for another job and had given my 2 weeks). since i pointed out it was illegal they just let me go the next day and paid out my last 2 weeks which worked out great.
 

degibson

Golden Member
Mar 21, 2008
1,389
0
0
I'll say this as clearly and succinctly as I can:
Assume everything you do on a company's machine can be seen by your employer. There aren't a lot of things that are legitimately impossible for your employer to find. It is their hardware, they can install what they please on it, and they don't have to inform you. That can include keyloggers, screen captures, browser cache monitors... all kinds of things. It doesn't mean that you are being monitored, it means that you don't know and therefore shouldn't take the chance of doing something you don't want your company to know about.

Your rights, as an employee using company property, are nil.
 

Luden

Platinum Member
Jul 15, 2001
2,269
0
0
The Data Loss Prevention market has been growing exponentially the last few years, depending on your line of work it can be safe to assume that everything is monitored. With that being said I wouldn't worry unless your email activity could be deemed suspicious (emailing documents, customer information, etc).
 

WobbleWobble

Diamond Member
Jun 29, 2001
4,867
1
0
Originally posted by: kamper
I assumed that the op is asking about the web versions of yahoo and gmail. In which case, if you use the https url and iff your company doesn't have sniffing stuff installed on your machine, the only thing they can tell is that you are accessing the mail server, they can't see into it.

Products such as ProxySG from Blue Coat can actually do SSL interception giving the company full visibility of any HTTPS site.

We're actually in the process of implementing this at our company.
 

OutHouse

Lifer
Jun 5, 2000
36,413
616
126
Originally posted by: WobbleWobble
Products such as ProxySG from Blue Coat can actually do SSL interception giving the company full visibility of any HTTPS site.

We're actually in the process of implementing this at our company.

old thread i know but i am wondering if you implemented this and what you thought.
 

MrColin

Platinum Member
May 21, 2003
2,403
3
81
Originally posted by: kamper
I assumed that the op is asking about the web versions of yahoo and gmail. In which case, if you use the https url and iff your company doesn't have sniffing stuff installed on your machine, the only thing they can tell is that you are accessing the mail server, they can't see into it.

This is no longer true, it was once. There are off the shelf devices and roll your own FOSS options to do MITM on your own network.
 

Fox5

Diamond Member
Jan 31, 2005
5,957
7
81
Originally posted by: MrColin
This is no longer true, it was once. There are off the shelf devices and roll your own FOSS options to do MITM on your own network.

I believe these require them to re-sign the data with their own certificate though. So you'll get a warning unless the certificate is installed on the computer. (if it's a corporate computer, they likely installed a certificate)
 

KeithP

Diamond Member
Jun 15, 2000
5,659
198
106
Just curious, would it be more secure to use a remote access product such as logmein to access a home computer from work and get your email that way? Just wondering.

-KeithP
 

ch33zw1z

Lifer
Nov 4, 2004
37,759
18,039
146
Originally posted by: KeithP
Just curious, would it be more secure to use a remote access product such as logmein to access a home computer from work and get your email that way? Just wondering.

-KeithP

Indeed.

Logmein
Teamviewer
SSH+RDP or VNC

all viable options, but will not prevent logging keystrokes. But FFS, do you really want to work for a company that has a stick far enough up their ass they will investigate keystrokes?
 

Dankk

Diamond Member
Jul 7, 2008
5,558
25
91

And no.

If your company seriously has so little trust in their employees that they have to babysit and watch everything you do, then yes. This isn't always the case though.

If you're somewhat technically-inclined, you should be able to tell whether there's corporate monitoring software installed on your computer. Unless it's hidden extremely well, it might be obvious, and it would be even more obvious if you can't visit certain non-work related websites.

I'm fortunate enough to work for a company that doesn't do this. I can browse websites like Anandtech and Reddit while still getting work done, because my boss actually has faith in me. It's a win-win.
 

Paperlantern

Platinum Member
Apr 26, 2003
2,239
6
81
Originally posted by: Dankk
And no.

If your company seriously has so little trust in their employees that they have to babysit and watch everything you do, then yes. This isn't always the case though.

If you're somewhat technically-inclined, you should be able to tell whether there's corporate monitoring software installed on your computer. Unless it's hidden extremely well, it might be obvious, and it would be even more obvious if you can't visit certain non-work related websites.

I'm fortunate enough to work for a company that doesn't do this. I can browse websites like Anandtech and Reddit while still getting work done, because my boss actually has faith in me. It's a win-win.

This is where I'm at too in my position. The majority of the firm has web mail and a lot of other sites, mostly streaming media to conserve bandwidth, blocked. The IT dept has access to most everything for work purposes, testing, software downloads, virus research, we just can't be subjected to the same filtering that the rest of the firm is, we wouldn't be able to do our jobs effectively. So yes we do have access and I do access gmail sometimes, anandtech and a few other sites, but I do get my work done as well.

It's good to have a trusting boss.
 

tbtn

Junior Member
Aug 6, 2012
22
0
0
www.n3xttrends.com
Operate under the assumption that they can. If you're working for a small office they probably don't monitor you (unless you work with classified information).

I guess the real question isn't "can they" but "do they". Because there's always a way to monitor your activities on a company computer.
 

wirednuts

Diamond Member
Jan 26, 2007
7,121
4
0
Originally posted by: ch33zw1z
Indeed.

Logmein
Teamviewer
SSH+RDP or VNC

all viable options, but will not prevent logging keystrokes. But FFS, do you really want to work for a company that has a stick far enough up their ass they will investigate keystrokes?


SSH+RDP and windows popup keyboard. or use a password program that auto-fills credentials.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
2,301
68
91
www.frostyhacks.blogspot.com
You can't be 100% sure.

Using the web variants of gmail through https protects you against them simply intercepting your messages, however there's nothing to stop them from installing software to capture keystrokes on your PC and either reconstruct what you're doing or just logging in to your account once they capture your credentials.

The best bet is to bring your own device and connect it to the network, a laptop, or mobile device if they have wireless, then as long as you use https all your traffic will be encrypted. That will hide the contents of your messages, but not what sites you're visiting.
 
Dec 26, 2007
11,783
2
76
Can they? Yes.

Will they? Depends on your company how far they will go. Last job at a fortune 500 company had the ability to see sites you visit broken into how long you were there. While that isn't reading my email, I wouldn't be surprised in the least if they had passive MiTM hardware that recorded everything and stored it for x days.

Current company has the ability to remotely screen shot your system, record/monitor the session, and stuff like that. However I haven't seen it done yet and don't think it would be except in cases where there is some legal reason to (lawsuit against them or to CYA and terminate an employee).

I'd say assume it's all monitored and logged. If you wouldn't want your grandparents seeing what you're doing, then don't do it at work as employers *could* see it and it *could* be used against you. With that said, I personally believe that it's pretty unlikely they will unless you give them a reason to. Most companies don't care that much to devote company resources to actively seeking it out and taking action, instead they fall to the reactive approach to it and use it as a resource if it's needed.
 

marcamarca

Junior Member
Oct 29, 2012
8
0
0
Originally posted by: seepy83
Assume they can see everything (that you do on your employer's hardware, anyway). There are plenty of corporate-level software suites that take constant screenshots and log keystrokes, and the end-user would never know. It all depends on the employer.

Re: assume they can see everything. Ditto.
 

FrankvanEen

Junior Member
Nov 14, 2012
2
0
0
Technically - most likely yes, especially at big size company, from private data protection law (especially European) - not!

Originally posted by: madh83
Just curious, since I'm sure there's a lot of IT ppl here, can e-mails through yahoo or gmail be seen?
 

Dravic

Senior member
May 18, 2000
892
0
76
Originally posted by: Luden
The Data Loss Prevention market has been growing exponentially the last few years, depending on your line of work it can be safe to assume that everything is monitored. With that being said I wouldn't worry unless your email activity could be deemed suspicious (emailing documents, customer information, etc).

In agreement with Luden here.

As a security professional we have no choice but to monitor everything I possibly can on the network and end point. The easiest way into a corporate network these days is through the desktop. But rest assured I have no urge, nor the time to look at what you send in your yahoo/gmail. Just be smart and don't send personal information like CC# or SSN out of the corporate network. If your company is in a PCI required field we have to monitor for those items and your personal crap is clogging up my SIEM with false positive alerts :)
 

Dravic

Senior member
May 18, 2000
892
0
76
Originally posted by: Fox5
I believe these require them to re-sign the data with their own certificate though. So you'll get a warning unless the certificate is installed on the computer. (if it's a corporate computer, they likely installed a certificate)


Done every day at the gateway, no warning is generated. Websense is just one vendor that offers HTTPS blind proxy without the end user even knowing it. Most software filters out personal websites like medical and banks, but gmail and things like that are being parsed. It can break applications for sure, but for general web browsing you won't notice much of a difference.
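
An added example, not part of the thread or any poster's code: the re-signing that Fox5 and Dravic discuss above is visible in the certificate's issuer field even when the locally installed root means no warning appears. The host name, CA names and sample certificate dicts are constructed for illustration, and the expected-issuer set is an assumption the user supplies.

```python
# Added example: all certificate data below is constructed, not captured.
import socket
import ssl


def issuer_org(cert):
    """Return the issuer organizationName from an ssl getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert, expected_orgs):
    """Compare the issuer with the public CAs the site is expected to use."""
    org = issuer_org(cert)
    if not org:
        return "unknown-issuer"
    return "expected-issuer" if org in expected_orgs else "unexpected-issuer"


def fetch_cert(host, port=443):
    """Fetch the leaf certificate using the trust store Python's default
    context loads. With a gateway root installed there, the handshake
    succeeds silently and only the issuer reveals the re-signing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the format getpeercert() returns.
DIRECT = {"subject": ((("commonName", "mail.example.com"),),),
          "issuer": ((("countryName", "US"),),
                     (("organizationName", "Example Public CA"),),
                     (("commonName", "Example Public CA R1"),))}
PROXIED = {"subject": ((("commonName", "mail.example.com"),),),
           "issuer": ((("organizationName", "Example Corp IT"),),
                      (("commonName", "Example Corp Web Gateway CA"),))}
EXPECTED = {"Example Public CA"}  # assumption: issuer seen off the corporate network

if __name__ == "__main__":
    for name, cert in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, "|", issuer_org(cert), "|", classify(cert, EXPECTED))
```

Running `classify(fetch_cert(host), expected)` once from a home connection and once from the office network gives the comparison; an issuer naming the employer or a gateway vendor indicates the session is being re-signed in transit.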
 

Dravic

Senior member
May 18, 2000
892
0
76
Originally posted by: ch33zw1z
Indeed.

Logmein
Teamviewer
SSH+RDP or VNC

all viable options, but will not prevent logging keystrokes. But FFS, do you really want to work for a company that has a stick far enough up their ass they will investigate keystrokes?

IMHO.. Any company that allows ssh out of its network from the corporate desktop should have their security team replaced.

I check my personal email on my asus epad(cell hotspot) or my rezound directly. I very seldom check anything personal from my corporate network.