[cryptography] trustwave admits issuing corporate mitm certs

Krassimir Tzvetanov maillists at krassi.biz
Sun Feb 12 06:28:53 EST 2012


Again, I'm not a lawyer, but if somebody legally purchases a gun from
you for a legitimate purpose and then abuses it, you are not liable (US
context here).

In the same way, if somebody purchases this cert to monitor their
employees for data exfiltration (a perfectly good reason, if specified
in the privacy policy), then they are being totally legal. You have no
way of knowing if they abuse the certificate to tap their neighbors,
for example.

No on the USC items that were mentioned. They are about "exceeding
access", etc. They would not be exceeding access if it is in the
privacy policy that they can monitor you for X activity.

Best,
Krassimir

On Sun, Feb 12, 2012 at 3:09 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
> <maillists at krassi.biz> wrote:
>> While I'm not a lawyer and my opinion is in no way authoritative, I do not
>> believe there is any violation. They may be an accessory to a potential
>> crime, but they themselves did not do the tapping.
> I think it's a bit broader than an accessory since they knew what the
> company wanted to do. Trustwave was onsite and set the system up -
> they were clearly a co-conspirator. They even bragged about how
> ethical it was because they used an HSM.
>
> Jeff
>
>> On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>>> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back <adam at cypherspace.org> wrote:
>>>> So it happened, per recent discussion on this list, it seems that at least
>>>> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>>>>
>>>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>>>>
>>>> mozilla is threatening to remove the CA from their browser.  Trustwave says
>>>> they have/will revoke all these sub-CAs and will not issue any more.
>>>>
>>>> They also claim in their defense that other CAs are doing this.
>>> Evading computer security systems and tampering with communications is
>>> a violation of federal law in the US. So says the US Attorney General
>>> in New Jersey when he charged Wiseguys Tickets with gaming the
>>> TicketMaster systems [1,2]. If the Attorney General is to be believed,
>>> Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
>>>
>>> Jeff
>>>
>>> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
>>> [2] http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf
