[cryptography] trustwave admits issuing corporate mitm certs
marsh at extendedsubset.com
Sun Feb 12 18:53:42 EST 2012
On 02/12/2012 10:24 AM, John Levine wrote:
>>> They also claim in their defense that other CAs are doing this.
>> Evading computer security systems and tampering with communications is
>> a violation of federal law in the US.
> As the article made quite clear, this particular cert was used to
> monitor traffic on the customer's own network, which is 100% legal
> absent some contractual agreement with the customers not to do that.
IANAL by any stretch, but it seems to me that to say something
is "100% legal" is usually a bit of an overstatement.
For example, I knew someone who audited network monitoring equipment for
a retail chain that (as many do) issued credit cards. They were able to
monitor all kinds of traffic in and out of their network, *except* when
an employee went to check the balance on their own cards. One could
imagine all kinds of other protected communication that might happen in
an employment scenario.
What happens if the interception device gets hacked? Even if the keys
remain in some HSM, the attacker could compromise any machine on the
inside and route traffic through it. By observing the log messages (as
Telecomix did on Syria's BlueCoats) he may successfully decrypt some or
all of the traffic.
So even if we assume they are intended to be used for good, the
existence of these MitM certs diminishes the effective security of SSL/TLS.
As I see it, this could turn into an epic legal meltdown if, say, the
widows of disappeared Libyan/Syrian/Iranian dissidents were to file suit
against the companies making interception equipment (or even browser
vendors like Mozilla). These vendors' CAs could be in a bad spot if they
made public statements that turned out to be contradictory to their