> A browser can still communicate security with any computer out there, regardless of corporate certs, etc. Or do the corporate firewalls block communications that they cannot inspect?
Yes, you’ve got it. Many corporate firewalls require you to install their own root CA certificate and “transparently” intercept and rewrite traffic leaving the network. It looks like you’re negotiating with the external site, but you’re actually doing TLS negotiation with an on-prem proxy that connects to the destination site on your behalf.
I say “transparently” in quotes because it definitely, in practice, breaks things here and there.
I'm sure it's well established practice, and the courts would find it legal, but it seems like fraud. My computer says "I want to connect to my bank, are you my bank?" and the corporate firewall says "yes, I am your bank".
It's not your computer. It's the company's computer and they installed the root certificate on it. For any non-provisioned machine you'd get a certificate error because the corporate-issued certificates are signed by the corporate CA that isn't browser-approved by default.
Yes, you’ve got it. Many corporate firewalls require you to install their own root CA certificate and “transparently” intercept and rewrite traffic leaving the network. It looks like you’re negotiating with the external site, but you’re actually doing TLS negotiation with an on-prem proxy that connects to the destination site on your behalf.
I say “transparently” in quotes because it definitely, in practice, breaks things here and there.