Company VPN (tunnelblick), https, root CA and privacy



  • My company provided me with a MacBook for work. I was the one who took the laptop out of the sealed box and I was the one who set it up. I only had to install the Tunnelblick VPN client and use the Tunnelblick (certificate) file (fileName.tblk) that was explicitly generated for me. No other IT/administration/device management software or anything else in that regard was/is installed.

    I'm now considering signing in with my private Apple ID and using my password manager on that device (for convenience), because I'm pretty sure that in my case they are not able to access any information even if I'm connected to the VPN, except for the websites that I connect to (which I don't mind them knowing).

    Am I correct in my assumption? I know that it is possible to install a root CA to apply MITM attacks to circumvent the VPN limitations, however I couldn't find anything on whether that is even possible with Tunnelblick. I didn't see any abnormalities with the certificates of the websites that I checked in my browser (e.g. Google was still certified by GTS).



  • Tunnelblick seems like a simple p2p VPN that establishes a secure connection. However, if all your traffic is routed through the organization's DC rather than a split-tunnel configuration, they might have a web gateway acting as a MITM. You can relatively easily check this by checking the certificate of common websites you use. If it's the original certificate, there's probably no MITM.
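The check described in the answer above, as an added example that is not part of the original thread: fetch the leaf certificate a site presents through the current network path, then look at its issuer and its SHA-256 fingerprint rather than at whether it validates. This matters because a corporate interception CA that has been added to the system trust store makes the proxy's forged certificate validate cleanly, so "the browser shows a padlock" is not evidence by itself. The script uses only the Python standard library; the public-CA allowlist and the two sample certificate dictionaries are constructed for illustration, and the `ssl.getpeercert()` dictionary layout is what the standard library actually returns.

```python
"""Detect TLS interception by inspecting the certificate a site presents.

Added example (not from the original thread). Uses only the standard library.
Run it once on the VPN and once off it and compare issuer and fingerprint.
"""
import hashlib
import socket
import ssl

# Constructed allowlist of well-known public CA organisation names; extend as needed.
PUBLIC_CA_ORGS = {
    "Google Trust Services LLC",
    "Let's Encrypt",
    "DigiCert Inc",
    "Sectigo Limited",
    "Amazon",
}

# Constructed sample certificates in the nested-tuple layout ssl.getpeercert() returns.
SAMPLE_PUBLIC_CERT = {
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Google Trust Services LLC"),),
        (("commonName", "WR2"),),
    )
}
SAMPLE_PROXY_CERT = {
    "issuer": (
        (("organizationName", "Example Corp Web Gateway"),),
        (("commonName", "Example Corp TLS Inspection CA"),),
    )
}


def rdn_to_dict(rdn_sequence):
    """Flatten the nested tuple form ssl returns for 'issuer'/'subject' into a dict."""
    out = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            out[key] = value
    return out


def issuer_org(cert):
    """Return the organizationName of the certificate's issuer, or '' if absent."""
    return rdn_to_dict(cert.get("issuer", ())).get("organizationName", "")


def looks_intercepted(cert, public_orgs=PUBLIC_CA_ORGS):
    """True when the leaf was issued by something outside the public-CA allowlist
    (including the case where no issuer is present at all)."""
    return issuer_org(cert) not in public_orgs


def fingerprint(der_bytes):
    """Hex SHA-256 fingerprint of the DER certificate, for comparing across networks."""
    return hashlib.sha256(der_bytes).hexdigest()


def fetch_leaf(host, port=443, timeout=5.0):
    """Open a TLS connection with the system trust store; return (parsed cert, DER bytes).

    The default context is used on purpose: if an interception CA has been added
    to the system store this succeeds exactly as the browser does, so the useful
    signal is the issuer and fingerprint, not the fact that validation passed.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def report(host):
    """One-line summary for a host; compare the output on and off the VPN."""
    cert, der = fetch_leaf(host)
    verdict = "POSSIBLE INTERCEPTION" if looks_intercepted(cert) else "known public CA"
    return f"{host}: issuer O={issuer_org(cert)!r} sha256={fingerprint(der)} -> {verdict}"


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:] or ["www.google.com"]:
        print(report(h))
```

A matching issuer is a weaker signal than a matching fingerprint: an interception gateway could name its CA after a public one, but it cannot reproduce the real certificate's bytes, so a fingerprint that differs between the VPN path and a trusted network is the decisive indicator. The allowlist also needs to reflect the sites you actually test, since many legitimate sites use CAs not listed here.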


