[cryptography] trustwave admits issuing corporate mitm certs

Marsh Ray marsh at extendedsubset.com
Sun Feb 12 18:53:42 EST 2012


On 02/12/2012 10:24 AM, John Levine wrote:
>>> They also claim in their defense that other CAs are doing this.
>> Evading computer security systems and tampering with communications is
>> a violation of federal law in the US.
>
> As the article made quite clear, this particular cert was used to
> monitor traffic on the customer's own network, which is 100% legal
> absent some contractual agreement with the customers not to do that.

IANAL by any stretch, but it seems to me that to say something
is "100% legal" is usually a bit of an overstatement.

For example, I knew someone who audited network monitoring equipment for 
a retail chain that (as many do) issued credit cards. They were able to 
monitor all kinds of traffic in and out of their network, *except* when 
an employee went to check the balance on their own cards. One could 
imagine all kinds of other protected communication that might happen in 
an employment scenario.

What happens if the interception device gets hacked? Even if the keys 
remain in some HSM, the attacker could compromise any machine on the 
inside and route traffic through it. By observing the log messages (as 
Telecomix did on Syria's BlueCoats) he may successfully decrypt some or 
all of the traffic.

So even if we assume they are intended to be used for good, the 
existence of these MitM certs diminishes the effective security of SSL/TLS 
for everyone.

As I see it, this could turn into an epic legal meltdown if, say, the 
widows of disappeared Libyan/Syrian/Iranian dissidents were to file suit 
against the companies making interception equipment (or even browser 
vendors like Mozilla). These vendors and CAs could be in a bad spot if they 
made public statements that turned out to be contradictory to their 
actual practice.

- Marsh
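The point above (an endpoint that trusts a corporate interception root will accept a chain from that root exactly as it accepts a public one, so a compromised interception box is indistinguishable to the browser) can be made concrete with a small model. The following is an added example, not code from the post or from any vendor: it walks a certificate chain from leaf to self-signed root by subject/issuer linkage, classifies the root as publicly trusted, enterprise-pushed, or unknown, and shows that pinning the expected leaf public key (SPKI hash) is what actually detects the substitution. All certificate names, fingerprints and trust-store contents are constructed placeholders.

```python
"""Model of how a TLS client ends up trusting a corporate MitM chain, and how
SPKI pinning detects it. Added example; all data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki_sha256: str  # hex/label of the SubjectPublicKeyInfo hash (constructed)


# Roots the client trusts. PUBLIC_ROOTS ships with the OS/browser;
# ENTERPRISE_ROOTS was pushed to employee machines by group policy.
# Both sets are placeholders, not real fingerprints.
PUBLIC_ROOTS = {"spki:root-public-A"}
ENTERPRISE_ROOTS = {"spki:root-corp-interception"}


def build_chain(leaf: Cert, pool: list[Cert]) -> list[Cert]:
    """Order certificates leaf -> ... -> self-signed root.

    Uses subject/issuer name matching (as a client does before signature
    checks). Raises if the chain is incomplete or loops.
    """
    by_subject = {c.subject: c for c in pool}
    chain = [leaf]
    seen = {leaf.subject}
    while chain[-1].subject != chain[-1].issuer:  # stop at self-signed root
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            raise ValueError(f"no issuer found for {chain[-1].subject!r}")
        if parent.subject in seen:
            raise ValueError("issuer loop in chain")
        chain.append(parent)
        seen.add(parent.subject)
    return chain


def classify_root(leaf: Cert, pool: list[Cert]) -> str:
    """Return which trust source the chain terminates in.

    Note that both 'public' and 'enterprise' are accepted by the client;
    the difference is invisible to ordinary certificate validation.
    """
    root = build_chain(leaf, pool)[-1]
    if root.spki_sha256 in PUBLIC_ROOTS:
        return "public"
    if root.spki_sha256 in ENTERPRISE_ROOTS:
        return "enterprise"
    return "untrusted"


def pin_ok(leaf: Cert, pinned_spki: set[str]) -> bool:
    """SPKI pinning: accept only the key the application expects.

    An interception device must present its own key for the site, so the
    pin fails even though the chain validates against an installed root.
    """
    return leaf.spki_sha256 in pinned_spki


# --- constructed sample chains -------------------------------------------
# Genuine chain for bank.example, issued through a public intermediate.
GENUINE_LEAF = Cert("CN=bank.example", "CN=Public Intermediate", "spki:bank-real")
GENUINE_POOL = [
    GENUINE_LEAF,
    Cert("CN=Public Intermediate", "CN=Public Root A", "spki:int-public"),
    Cert("CN=Public Root A", "CN=Public Root A", "spki:root-public-A"),
]

# Chain a corporate interception proxy would mint on the fly for the
# same hostname, signed directly by the enterprise root.
MITM_LEAF = Cert("CN=bank.example", "CN=Corp Interception CA", "spki:bank-forged")
MITM_POOL = [
    MITM_LEAF,
    Cert("CN=Corp Interception CA", "CN=Corp Interception CA",
         "spki:root-corp-interception"),
]

# What bank.example's own client/app would pin (constructed value).
BANK_PINS = {"spki:bank-real"}


def report(leaf: Cert, pool: list[Cert]) -> dict:
    """Summarise what plain validation sees versus what pinning sees."""
    return {
        "root": classify_root(leaf, pool),
        "pin_ok": pin_ok(leaf, BANK_PINS),
    }


if __name__ == "__main__":
    print("genuine   :", report(GENUINE_LEAF, GENUINE_POOL))
    print("intercepted:", report(MITM_LEAF, MITM_POOL))
```

Both chains pass ordinary root-trust validation on an endpoint that carries the enterprise root; only the pin check separates them, which is why an attacker who compromises the interception device (or the path to it) inherits a position the browser cannot distinguish from the real site.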
