[cryptography] trustwave admits issuing corporate mitm certs

Jeffrey Walton noloader at gmail.com
Sun Feb 12 06:09:58 EST 2012


On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
<maillists at krassi.biz> wrote:
> While I'm not a lawyer and my opinion is in no way authoritative I do not
> believe there is any violation. They may be an accessory to a potential
> crime but they themselves did not do the tapping.
I think it's a bit broader than an accessory since they knew what the
company wanted to do. Trustwave was onsite and set the system up -
they were clearly a co-conspirator. They even bragged about how
ethical it was because they used an HSM.

Jeff

> On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back <adam at cypherspace.org> wrote:
>>> So it happened, per recent discussion on this list, it seems that at least
>>> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>>>
>>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>>>
>>> Mozilla is threatening to remove the CA from their browser. Trustwave says
>>> they have/will revoke all these sub-CAs and will not issue any more.
>>>
>>> They also claim in their defense that other CAs are doing this.
>> Evading computer security systems and tampering with communications is
>> a violation of federal law in the US. So says the US Attorney General
>> in New Jersey when he charged Wiseguys Tickets with gaming the
>> TicketMaster systems [1,2]. If the Attorney General is to be believed,
>> Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
>>
>> Jeff
>>
>> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
>> [2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf


