> Router could MITM and Chrome could allow it since they have Google CAs in their chain.
That would require Google either sending the traffic back to Google and out again (slowing a lot of things down) or Google putting a signed private key on the router themselves (a violation of CA agreements and a remarkably stupid thing to do in general). If they did that it would not be difficult for someone to extract that key and certificate. This would be a huge security breach.
The decryption doesn’t have to happen in real-time since it’s just analytics. Dumping all traffic off to Google doubles bandwidth but could be done in a way to minimize slowdown for users.
I agree that it’s a security breach, but it happens all the time. Look at enterprise products like ForcePoint [0] that will do deep inspection on HTTPS sessions because they have a custom CA installed on enterprise clients. Many companies do this.
Because it’s their router hardware it would be possible to prevent anyone extracting the intermediate MITM certs and keys. The data are likely sensitive, but that’s what they have already.
Tools like ForcePoint don’t put a “real” CA cert on the device. They typically create a new CA per device, install that into the downstream client CA trusted roots and then generate mitm certs signing with this new cert.
Unlike hidden terms in privacy policies it's made quite clear what's going on here.
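An added example, not part of the thread: the per-device CA setup described in the comment about tools like ForcePoint leaves a visible trace on the client, because one issuer outside the vendor-shipped trust store ends up signing the leaf certificate for every site. The host names, issuer names, baseline set and `min_hosts` threshold below are constructed assumptions; the certificate dicts only mimic the shape returned by Python's `ssl.getpeercert()`.

```python
from collections import defaultdict


def _cert(issuer_cn):
    """Build a constructed cert dict shaped like ssl.getpeercert() output."""
    return {"issuer": ((("organizationName", "Constructed Org"),),
                       (("commonName", issuer_cn),))}


# Constructed sample observations: (host contacted, leaf certificate seen).
OBSERVED = [
    ("example.com", _cert("Device Inspection CA 7F3A")),
    ("example.org", _cert("Device Inspection CA 7F3A")),
    ("example.net", _cert("Device Inspection CA 7F3A")),
    ("intranet.example", _cert("Corp Internal Issuing CA")),
    ("static.example.com", _cert("Public Issuer R1")),
]

# Assumption: issuer names expected from the vendor-shipped trust store.
BASELINE_ISSUERS = {"Public Issuer R1"}


def issuer_name(cert):
    """Flatten the nested 'issuer' RDN tuples into a plain dict."""
    return {key: value for rdn in cert["issuer"] for (key, value) in rdn}


def suspected_inspection_cas(observations, baseline_issuers, min_hosts=3):
    """Return {issuer CN: sorted hosts} for issuers outside the baseline
    that signed leaf certificates for at least min_hosts distinct hosts."""
    hosts_by_issuer = defaultdict(set)
    for host, cert in observations:
        cn = issuer_name(cert).get("commonName", "<no CN>")
        if cn not in baseline_issuers:
            hosts_by_issuer[cn].add(host)
    return {cn: sorted(hosts)
            for cn, hosts in hosts_by_issuer.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for cn, hosts in suspected_inspection_cas(OBSERVED, BASELINE_ISSUERS).items():
        print(f"{cn}: signed leaves for {len(hosts)} unrelated hosts: {hosts}")
```

Matching on issuer common name keeps the example short; a real check would compare certificate or public-key fingerprints, since names can be copied.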