[cryptography] trustwave admits issuing corporate mitm certs

Steven Bellovin smb at cs.columbia.edu
Sun Feb 12 20:17:42 EST 2012

On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:

> [Jeffrey Walton <noloader at gmail.com> (2012-02-12 10:57:02 UTC)]
>> (1) How can a company actively attack a secure channel and tamper with
>> communications if there are federal laws prohibiting it?
> IANAL, as they say, but I guess they are acting under the presumption
> that any communication originating in the company's own is the
> company's own communication, and so they can do anything they please
> with it. It could be argued that the notion of "tampering" with your
> own communications doesn't make sense, and so there is no breach of
> federal law.
> I am not defending the above interpretation, nor am I saying for sure
> that it holds water. But I think it is a reasonable guess, at least
> that the company's lawyers will use arguments along those lines
> (albeit argued in more legalese terms) if they had to defend this
> practice.

Although I'm not a lawyer, I've worked with a number of lawyers on the
wiretap act, and have been studying it for close to 20 years.  I do not
see any criminal violation.

18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices
if "design of such device renders it primarily useful for the purpose of 
the surreptitious interception of wire, oral, or electronic communications".
Is a private key or certificate a "device"?  Not as I read 18 USC 2510(5)
(http://www.law.cornell.edu/uscode/text/18/2510).  Paragraph (12) of that
section would seem to say that intra-company wires aren't covered.  But
a better explanation of that can be found in Ruel Torres Hernandez, "ECPA 
and online computer privacy", Federal Communications Law Journal, 41(1):17–41, 
November 1988.  He not only concluded that the ECPA did not bar a company
from monitoring its own devices, he quoted a participant in the law's
drafting process as saying that that was by intent.  California law bars
employers from monitoring employee phone calls, but in 1991 a court there
explicitly ruled that monitoring email was permissible -- or rather, that
it wasn't barred by a statute that only spoke of phone calls.

Beyond that, and as noted, employees likely consented in their employment
agreements, or by clicking through a log-in banner.

Now -- there may have been a violation of the contract with Mozilla, or
a violation of non-US law or of some state law.  But I don't think one
can make a strong case for a violation of US federal law.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb
