
Comment by d4mi3n

6 days ago

While I agree with your reasoning, in my experience any statement where I prepend "hopefully" usually ends up being the worst possible interpretation in practice.

What I mean is: If a corporate internal website regularly connects to unauthenticated local ports and leaks sensitive data out, that's fully on them.

If they are trying to fingerprint the "private compartment" of a BYOD device, that seems roughly as bad as a non-corporate side doing the same.

  • 100% agree, and fingerprinting BYOD devices would be problematic in a lot of ways.

    I'm generally against BYOD programs. They're convenient but usually come from a place of allowing employees access to things without the willingness to take on the cost (both in corp devices and inconvenience of a second phone/tablet/whatever) to run them with a high level of assurance.

    Much better in my opinion to use something like PagerDuty or text/push notifications to prompt folks to check a corp device if they have alerts/new emails/whatever.

  • You can easily click a link e.g. to a blog post on Chrome inside your profile.

    E.g. a Jira ticket links to a post on how to do something concurrency related in Python.

    I get your point though that maybe this is no worse than if they visit the site on the personal side.

    However I wouldn't trust our lack of imagination on how to exploit this to be happy about the security gap!