[cryptography] trustwave admits issuing corporate mitm certs

Benjamin Kreuter brk7bx at virginia.edu
Sun Feb 12 09:49:19 EST 2012


On Sun, 12 Feb 2012 05:57:02 -0500
Jeffrey Walton <noloader at gmail.com> wrote:

> On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
> <maillists at krassi.biz> wrote:
> > While I'm not a lawyer and my opinion is in no way authoritative I do
> > not believe there is any violation. They may be an accessory to a
> > potential crime but they themselves did not do the tapping.
> >
> > Now on the other hand those companies that did the tapping should be
> > OK for as long as they are clear with the employees that they cannot
> > expect privacy, which usually is the case. Usually this is in the
> > paperwork you sign when you start working there in the section
> > privacy policy.
> Two questions:
> 
> (1) How can a company actively attack a secure channel and tamper with
> communications if there are federal laws prohibiting it? It seems to
> me they can only take the role of passive adversaries and still comply
> with US law,

Plenty of companies install monitoring software on their employees'
workstations and listen to employee phone calls, which is generally
legal:

https://www.privacyrights.org/fs/fs7-work.htm

> (2) Did the other end of the SSL/TLS tunnel also agree to be
> monitored?

Does that matter?

-- Ben



-- 
Benjamin R Kreuter
UVA Computer Science
brk7bx at virginia.edu
KK4FJZ

--

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell