[cryptography] trustwave admits issuing corporate mitm certs

John Levine johnl at iecc.com
Sun Feb 12 11:24:25 EST 2012

>> They also claim in their defense that other CAs are doing this.
>Evading computer security systems and tampering with communications is
>a violation of federal law in the US.

As the article made quite clear, this particular cert was used to
monitor traffic on the customer's own network, which is 100% legal
absent some contractual agreement with the customers not to do that.
(In which case it would still be a tort, not a crime.)  It's not like the
Ticketmaster case, where the guy was outside Ticketmaster's network,
effectively breaking in to trick them into selling him tickets that
they didn't want to sell him.

I'm not arguing that MITM certificates are a good idea, but they're
not illegal until someone uses them to do something illegal, and I don't
see that here.


