[cryptography] trustwave admits issuing corporate mitm certs

Krassimir Tzvetanov maillists at krassi.biz
Sun Feb 12 20:51:51 EST 2012

That's an interesting point you are bringing. It would be interesting
to consider what is the precedence of laws/contracts when you have
multiparty agreements.

Speculating here: What would happen if there is a contract between the
Browser manufacturer and the Root owner that is included in the store
of that browser that this cert will only be distributed by the Browser
and be in its cert store if there are not MITM subcerts signed by the
Root owner?

Also at this point would it be OK for the employee to install
unapproved software on the computer?

Things get further complicated by the introduction of "bring your own
device" policies.

At this point it becomes very interesting what the implications are. You
have an employee with a private piece of equipment going over the
corporate network (that is tapped).

What happens if the employee accesses gmail on a lunch break? Also
how do you ensure there is no malware infiltrating your network? Or
how do you protect from DLP? Everybody can attach to gmail a sensitive

Sorry, tough questions only... no answers :)


On Sun, Feb 12, 2012 at 5:17 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
> On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:
>> [Jeffrey Walton <noloader at gmail.com> (2012-02-12 10:57:02 UTC)]
>>> (1) How can a company actively attack a secure channel and tamper with
>>> communications if there are federal laws prohibiting it?
>> IANAL, as they say, but I guess they are acting under the presumption
>> that any communication originating in the company's own is the
>> company's own communication, and so they can do anything they please
>> with it. It could be argued that the notion of "tampering" with your
>> own communications doesn't make sense, and so there is no breach of
>> federal law.
>> I am not defending the above interpretation, nor am I saying for sure
>> that it holds water. But I think it is a reasonable guess, at least
>> that the company's lawyers will use arguments along those lines
>> (albeit argued in more legalese terms) if they had to defend this
>> practice.
> Although I'm not a lawyer, I've worked with a number of lawyers on the
> wiretap act, and have been studying it for close to 20 years.  I do not
> see any criminal violation.
> 18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices
> if "design of such device renders it primarily useful for the purpose of
> the surreptitious interception of wire, oral, or electronic communications".
> Is a private key or certificate a "device"?  Not as I read 18 USC 2510(5)
> (http://www.law.cornell.edu/uscode/text/18/2510).  Paragraph (12) of that
> section would seem to say that intra-company wires aren't covered.  But
> a better explanation of that can be found in Ruel Torres Hernandez, "ECPA
> and online computer privacy", Federal Communications Law Journal, 41(1):17–41,
> November 1988.  He not only concluded that the ECPA did not bar a company
> from monitoring its own devices, he quoted a participant in the law's
> drafting process as saying that that was by intent.  California law bars
> employers from monitoring employee phone calls, but in 1991 a court there
> explicitly ruled that monitoring email was permissible -- or rather, that
> it wasn't barred by a statute that only spoke of phone calls.
> Beyond that, and as noted, employees likely consented in their employment
> agreements, or by clicking through a log-in banner.
> Now -- there may have been a violation of the contract with Mozilla, or
> a violation of non-US law or of some state law.  But I don't think one
> can make a strong case for a violation of US federal law.
>                --Steve Bellovin, https://www.cs.columbia.edu/~smb
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography