[cryptography] trustwave admits issuing corporate mitm certs

Jeffrey Walton noloader at gmail.com
Sun Feb 12 05:57:02 EST 2012

On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
<maillists at krassi.biz> wrote:
> While I'm not a lawyer and my opinion is in noway authoritive I do not
> believe there is any violation. They ay be an accessory to a potential
> crime but they themselves did not do the tapping.
> Now on the other hand those companies that did the tapping should be
> OK for as long as they are clear with the employees that they cannot
> expect privacy, which usually is the case. Usually this is in the
> paperwork you sing when you start working there in the section privacy
> policy.
Two questions:

(1) How can a company actively attack a secure channel and tamper with
communications if there are federal laws prohibiting it? It seems to
me they can only take the role of passive adversaries and still comply
with US law,

(2) Did the other end of the SSL/TLS tunnel also agree to be monitored?


> On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back <adam at cypherspace.org> wrote:
>>> So it happened, per recent discussion on this list, it seems that at least
>>> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>>> mozilla is threatening to remove the CA from their browser.  Trustwave says
>>> they have/will revoke all these sub-CAs and will not issue any more.
>>> They also claim in their defense that other CAs are doing this.
>> Evading computer security systems and tampering with communications is
>> a violation of federal law in the US. So says the US Attorney General
>> in New Jersey when he charged Wiseguys Tickets with gaming the
>> TicketMaster systems [1,2]. If the Attorney General is to be believed,
>> Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
>> Jeff
>> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
>> [2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography

More information about the cryptography mailing list