Slashdot Mirror


User: LordJehovah

LordJehovah's activity in the archive.

Stories: 0
Comments: 1

Comments · 1

  1. MITM necessary evil? on Ask Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees? · Score: 1

    Long time security worker here... here's my two cents. To answer the original question: How common is it? I don't know the exact stats, but I'd say it's common enough that you should just assume the company you work for is doing something like this unless they explicitly say they aren't (which I've read a few posters to this thread have said as much). From my perspective, there's a major reason why a company would choose to implement such a technical control: to prevent loss of intellectual property or sensitive data. Because of encryption in transit techniques like SSL, it makes it very difficult to inspect such traffic for the presence of things the company is concerned about - things like source code, financial data, credit card info, health care info, etc. What's to stop an employee from emailing out the crown jewels thru their Gmail account, assuming there are permissive web filtering policies in place? One answer is to inspect SSL traffic - and the way you do that is MITM. And not only are companies trying to stop disgruntled employees, they're also trying to stop malware - the trend now is for malware authors to no longer exfiltrate data using clear text protocols like http, but to encrypt it via https. Keep in mind that a traditional defense in the distant past (10 or so years ago) for security folks has been wire tapping, and connecting the resultant data feed to some kind of inspection engine like an intrusion detection system. Increased use of encryption, both driven by right-thinking consumers and malware authors, defeats such wiretap efforts, so it's no longer effective to simply watch the data fly across the network; now security admins (or intrusive nation states) have to find creative ways to decipher it to see what the data looks like. MITM is fairly cheap to do this. I don't think most companies want to snoop your encrypted traffic outside of the above stated reason. But some companies can/will abuse it and read your emails to see who you're sleeping with, if you have any side businesses going on, if you're looking for another job and sending out your resume, etc.