[cryptography] trustwave admits issuing corporate mitm certs
smb at cs.columbia.edu
Sun Feb 12 20:17:42 EST 2012
On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:
> [Jeffrey Walton <noloader at gmail.com> (2012-02-12 10:57:02 UTC)]
>> (1) How can a company actively attack a secure channel and tamper with
>> communications if there are federal laws prohibiting it?
> IANAL, as they say, but I guess they are acting under the presumption
> that any communication originating in the company's own is the
> company's own communication, and so they can do anything they please
> with it. It could be argued that the notion of "tampering" with your
> own communications doesn't make sense, and so there is no breach of
> federal law.
> I am not defending the above interpretation, nor am I saying for sure
> that it holds water. But I think it is a reasonable guess, at least
> that the company's lawyers will use arguments along those lines
> (albeit argued in more legalese terms) if they had to defend this
Although I'm not a lawyer, I've worked with a number of lawyers on the
wiretap act, and have been studying it for close to 20 years. I do not
see any criminal violation.
18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices
if "design of such device renders it primarily useful for the purpose of
the surreptitious interception of wire, oral, or electronic communications".
Is a private key or certificate a "device"? Not as I read 18 USC 2510(5)
(http://www.law.cornell.edu/uscode/text/18/2510). Paragraph (12) of that
section would seem to say that intra-company wires aren't covered. But
a better explanation of that can be found in Ruel Torres Hernandez, "ECPA
and online computer privacy", Federal Communications Law Journal, 41(1):17–41,
November 1988. He not only concluded that the ECPA did not bar a company
from monitoring its own devices, he quoted a participant in the law's
drafting process as saying that that was by intent. California law bars
employers from monitoring employee phone calls, but in 1991 a court there
explicitly ruled that monitoring email was permissible -- or rather, that
it wasn't barred by a statute that only spoke of phone calls.
Beyond that, and as noted, employees likely consented in their employment
agreements, or by clicking through a log-in banner.
Now -- there may have been a violation of the contract with Mozilla, or
a violation of non-US law or of some state law. But I don't think one
can make a strong case for a violation of US federal law.
--Steve Bellovin, https://www.cs.columbia.edu/~smb