[cryptography] trustwave admits issuing corporate mitm certs
iang at iang.org
Sun Feb 12 19:14:43 EST 2012
On 13/02/12 10:53 AM, Marsh Ray wrote:
> On 02/12/2012 10:24 AM, John Levine wrote:
>>>> They also claim in their defense that other CAs are doing this.
>>> Evading computer security systems and tampering with communications is
>>> a violation of federal law in the US.
>> As the article made quite clear, this particular cert was used to
>> monitor traffic on the customer's own network, which is 100% legal
>> absent some contractual agreement with the customers not to do that.
> IANAL by any stretch, but it seems to me that to say something
> is "100% legal" is usually a bit of an overstatement.
> For example, I knew someone who audited network monitoring equipment for
> a retail chain that (as many do) issued credit cards. They were able to
> monitor all kinds of traffic in and out of their network, *except* when
> an employee went to check the balance on their own cards. One could
> imagine all kinds of other protected communication that might happen in
> an employment scenario.
From a tactical legal point of view, I've come around to Marsh's
original claim that there is enough wiggle room in the policy such that
they can sneak through. The policies typically require ownership or
control to be established. Control can be established over another
person's domain simply by fiat - in my house, all your domains are under
One might be somewhat jaundiced about claiming the All Your Base
defence, but I reckon a good fight could be made in court over it.
Which tactically is enough, as this will be settled.
> What happens if the interception device gets hacked? Even if the keys
> remain in some HSM, the attacker could compromise any machine on the
> inside and route traffic through it. By observing the log messages (as
> Telecomix did on Syria's BlueCoats) he may successfully decrypt some or
> all of the traffic.
> So even if we assume they are intended to be used for good, the
> existence of these MitM certs diminishes the effective security of SSL/TLS
> for everyone.
That all above is what CAs are about. And the standard answer to that
is "audit". Which they did.
(I'm not saying the answer is satisfactory, but the context and response
remains the same as far as I can see.)
> As I see it, this could turn into an epic legal meltdown if, say, the
> widows of disappeared Libyan/Syrian/Iranian dissidents were to file suit
> against the companies making interception equipment (or even browser
> vendors like Mozilla). These vendors CAs could be in a bad spot if they
> made public statements that turned out to be contradictory to their
> actual practice.
Yeah, this is where statements start turning out to be false or at least
untenable in company with "trust". Or as I put it, the jaws of trust
just snapped shut:
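Marsh's point above, that a proxy-issued cert chaining to a root the endpoint trusts looks exactly like a genuine one, is easy to see in code. The following Go program is an added illustration, not something from this thread or from Trustwave; it constructs in memory a public root, a corporate root pushed to managed endpoints, a subordinate "interception" CA and two leaves for the same hostname, then shows that ordinary chain validation accepts both while a pin on the genuine key's SPKI hash rejects the substitute. All names, serial numbers and the hostname example.test are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate; CAs get CertSign, leaves get a SAN and serverAuth.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer's key; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SPKIPin is base64(SHA-256(SubjectPublicKeyInfo)), the pin format used by HPKP and browser preload lists.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Scenario models a managed endpoint: its trust store (public root plus corporate root), the site's
// genuine leaf, and the substitute leaf an interception proxy mints under its own intermediate.
type Scenario struct {
	Host              string
	Roots             *x509.CertPool
	GenuineLeaf       *x509.Certificate
	ProxyIntermediate *x509.Certificate
	ProxyLeaf         *x509.Certificate
	ExpectedPin       string // pin of the genuine key, as a client would have recorded it earlier
}

// BuildScenario generates every key and certificate in memory (constructed test data, nothing real).
func BuildScenario(host string) (*Scenario, error) {
	var firstErr error
	mk := func(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
		c, err := issue(tmpl, parent, pub, signer)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c
	}
	publicRootKey, corpRootKey, interKey, genuineKey, proxyKey := newKey(), newKey(), newKey(), newKey(), newKey()
	publicRoot := mk(template("Public Root CA", 1, true), nil, &publicRootKey.PublicKey, publicRootKey)
	genuine := mk(template(host, 2, false), publicRoot, &genuineKey.PublicKey, publicRootKey)
	corpRoot := mk(template("Corp Root CA", 3, true), nil, &corpRootKey.PublicKey, corpRootKey)
	inter := mk(template("Corp Interception CA", 4, true), corpRoot, &interKey.PublicKey, corpRootKey)
	proxyLeaf := mk(template(host, 5, false), inter, &proxyKey.PublicKey, interKey) // same hostname, different key
	if firstErr != nil {
		return nil, firstErr
	}
	roots := x509.NewCertPool()
	roots.AddCert(publicRoot)
	roots.AddCert(corpRoot) // the corporate root that group policy installed on the endpoint
	return &Scenario{Host: host, Roots: roots, GenuineLeaf: genuine, ProxyIntermediate: inter,
		ProxyLeaf: proxyLeaf, ExpectedPin: SPKIPin(genuine)}, nil
}

// chainValid is ordinary path validation: hostname, validity period, and a chain to a trusted root.
func chainValid(leaf *x509.Certificate, inters []*x509.Certificate, roots *x509.CertPool, host string) bool {
	pool := x509.NewCertPool()
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: pool})
	return err == nil
}

func (s *Scenario) GenuineChainValid() bool { return chainValid(s.GenuineLeaf, nil, s.Roots, s.Host) }
func (s *Scenario) ProxyChainValid() bool {
	return chainValid(s.ProxyLeaf, []*x509.Certificate{s.ProxyIntermediate}, s.Roots, s.Host)
}

// PinMatches is the extra check path validation lacks: is this the key we expected for the host?
func PinMatches(leaf *x509.Certificate, expected string) bool { return SPKIPin(leaf) == expected }

func main() {
	s, err := BuildScenario("example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain verifies:  ", s.GenuineChainValid())
	fmt.Println("proxy chain verifies:    ", s.ProxyChainValid())
	fmt.Println("genuine leaf matches pin:", PinMatches(s.GenuineLeaf, s.ExpectedPin))
	fmt.Println("proxy leaf matches pin:  ", PinMatches(s.ProxyLeaf, s.ExpectedPin))
}
```

Both chains verify, because Verify only asks whether some trusted root anchors the path, and the corporate root does. The pin is what distinguishes them, which is why pinning (or Certificate Transparency monitoring of what is issued for your names) is the practical defence against this class of certificate, and why a proxy's subordinate CA key is exactly the asset Marsh worries about if the interception device is compromised.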