[cryptography] trustwave admits issuing corporate mitm certs

Harald Hanche-Olsen hanche at math.ntnu.no
Sun Feb 12 06:31:07 EST 2012


[Jeffrey Walton <noloader at gmail.com> (2012-02-12 10:57:02 UTC)]

> (1) How can a company actively attack a secure channel and tamper with
> communications if there are federal laws prohibiting it?

IANAL, as they say, but I guess they are acting under the presumption
that any communication originating in the company's own is the
company's own communication, and so they can do anything they please
with it. It could be argued that the notion of "tampering" with your
own communications doesn't make sense, and so there is no breach of
federal law.

I am not defending the above interpretation, nor am I saying for sure
that it holds water. But I think it is a reasonable guess, at least
that the company's lawyers will use arguments along those lines
(albeit argued in more legalese terms) if they had to defend this
practice.

> (2) Did the other end of the SSL/TLS tunnel also agree to be monitored?

Rhetorical question? The obvious answer is "no".

- Harald


