Very common in these circles (banking), and in most places it is even forbidden to log in to your private accounts from a company network. The popular options (e.g. Gmail, social media) are obviously blocked. This makes sense on multiple levels, for example it stops you from just uploading internal documents to your private account...
MITM is done via the proxy, which has its own SSL certificate, using the company CA, so anything you send or receive is obviously captured and repackaged by the proxy. One more reason not to do anything related to your private life on company systems. TBH it is not that big a deal in this age of tablets and mobile phones and mobile subscriptions.
A bit more annoying is the blocking of Stackoverflow, for example (you can read stuff, but you can't post / ask), for this reason internal QA sites exist, with more or less success.
And by far the most annoying thing is that you cannot post to HN, well, at least it is not universally blocked, otherwise you wouldn't be reading this post now... :)
At a prior company, this was the case. If you wanted to access a personal website, they had a fleet of repurposed Citrix servers running Windows Server 2012 that had nothing but Internet Explorer, Chrome and Firefox for this purpose. The account you used was ephemeral and wiped after 4 hours of inactivity with the servers located in the company DMZ. You had full access (less the usual NSFW filters). You could not browse anything that was not whitelisted through your local computer and even then, it all passed through a proxy to make sure it was safe.
You also couldn't use unapproved tools so you were limited to VS Code and PuTTY on Windows.
Eventually they got smart and issued MacBook Pros to programmers and implemented zero-trust policies for related internal services. Unfortunately, technical managers and product managers were not so lucky.
>A bit more annoying is the blocking of Stackoverflow
If you care about your organization you would stop using stackoverflow. The license on stackoverflow responses is CC-SA. How many are copying and pasting these stackoverflow responses directly into their proprietary code base? Even reading the responses could taint your codebase... but I haven't seen that level of litigation in 20 years.
It's pretty common for corporate networks to have MITM devices snooping on all traffic by default (usually exceptions are made for known medical sites and for high-bandwidth traffic like YT). This is a big enough use-case that special provisions were made for it in TLS 1.3.
Normally not, but: to make the MITM work, your PC is pre-configured to trust the company's certificate authority as a trusted root. This is not a per-connection setting, it's a global setting in your browser(s) & OS. So, IF they have a technical way to intercept your traffic even if not connected to the VPN, this will keep working.
Of course, in some other cases, a client proxy is configured instead of/in addition to a VPN, in which case obviously all your traffic will be sent to this proxy before reaching the internet.
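An added illustration of the point above (example code written for this thread, not posted by any commenter): because the company CA sits in the global trust store, a proxy-re-signed certificate still validates cleanly, so the only remaining signal is who issued the leaf. The script lists trusted roots whose organisation is not in a caller-supplied set of public CA names, and compares a live leaf's issuer against issuers you have observed from a network you control; the issuer names, host and the constructed certificate dict are placeholders, not values from the thread.

```python
import socket
import ssl

# Issuer organisations you observed for a site from a network you control
# (e.g. a phone on mobile data). Constructed placeholders, not from the thread.
EXPECTED_ISSUERS = {"Let's Encrypt", "DigiCert Inc", "Google Trust Services LLC"}

# Constructed getpeercert()-style dict for a leaf re-signed by an inspection proxy.
PROXY_SIGNED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "XX"),),
               (("organizationName", "Example Corp IT"),),
               (("commonName", "Example Corp TLS Inspection CA"),)),
}

def rdn_value(name, attr):
    """Return the first value of `attr` from a getpeercert()-style name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return ""

def looks_intercepted(cert, expected_issuers=EXPECTED_ISSUERS):
    """True if the leaf was issued by an organisation you did not expect.

    With the proxy CA installed as a trusted root, chain validation succeeds,
    so validity alone tells you nothing; the issuer identity does.
    """
    return rdn_value(cert.get("issuer", ()), "organizationName") not in expected_issuers

def fetch_leaf_cert(host, port=443, timeout=5):
    """Connect using the OS trust store and return the validated leaf cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def unexpected_trusted_roots(known_public_orgs):
    """Trusted root organisations not in `known_public_orgs` (sorted list).

    The trust store is global to the OS/browser, so a corporate CA appears
    here whether or not the VPN is up. Caveat: on OpenSSL builds that use a
    capath directory, get_ca_certs() only reports roots already used once.
    """
    roots = ssl.create_default_context().get_ca_certs()
    found = {rdn_value(c["subject"], "organizationName") for c in roots}
    return sorted(found - set(known_public_orgs))

if __name__ == "__main__":
    cert = fetch_leaf_cert("example.com")  # placeholder host
    print("issuer:", rdn_value(cert["issuer"], "organizationName"),
          "| intercepted?", looks_intercepted(cert))
```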
If you are using hardware provided by the firm, you ARE on the VPN. If not, network is blocked (as are all private hardware items like pen drives, for obvious reasons).
This one is the most out there for me. How common is that?