[cryptography] trustwave admits issuing corporate mitm certs

Nico Williams nico at cryptonector.com
Sun Feb 12 21:52:51 EST 2012


On Sun, Feb 12, 2012 at 7:51 PM, Krassimir Tzvetanov
<maillists at krassi.biz> wrote:
> Sorry, tough questions only... no answers :)

Not really tough.  A good policy is: don't allow personal use of the
corporate network.  No gmail.  No yahoo.  No employee-owned devices.
No shopping.  No nothing.  Allow HTTPS only to white-listed sites
(e.g., vendor software update services, a github or a sourceforge, if
the company uses open source projects, and so on).

Ten years ago that might have sounded draconian.  Twenty-five years
ago such a policy would have been unthinkable (user-owned network
devices?  Internet access?  what are those things?).  But now we have
3G and 4G everywhere.  Employees can be connected to the Internet
without going through their employers' networks.  So why not apply
such a policy?  I think it's the best approach.  In some cases
employees may not be allowed even personal devices connected using
public 3G/4G networks (think of sensitive military / research sites),
and that would hardly be the end of the world.

Nico
--
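One way to enforce the "HTTPS only to white-listed sites" rule Nico describes without a corporate MITM certificate at all: the egress proxy reads the server_name (SNI) from the still-unencrypted ClientHello and allows or blocks on that alone, never decrypting the session. This is an added example, not code from the thread; the allow-list hosts and the ClientHello builder are constructed for illustration.

```python
import struct
from typing import Optional

# Constructed allow-list for this example (hypothetical vendor update hosts).
ALLOWLIST = {"updates.example-vendor.com", "github.com"}

def extract_sni(record: bytes) -> Optional[str]:
    """Return server_name from a TLS ClientHello record (5-byte record header,
    4-byte handshake header, handshake type 0x01), or None if absent."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 9 + 2 + 32                                      # skip client_version, random
        p += 1 + record[p]                                  # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher suites
        p += 1 + record[p]                                  # compression methods
        if p + 2 > len(record):
            return None                                     # no extensions block
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if ext_type == 0x0000:                          # server_name extension
                # list length (2), name type (1), name length (2), host name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += ext_len
    except (IndexError, struct.error):
        pass                                                # truncated or malformed
    return None

def decide(record: bytes, allowlist=ALLOWLIST) -> str:
    """Allow-list decision: 'allow' or 'block'. No certificate issued, no decryption."""
    name = extract_sni(record)
    if name is None:
        return "block"                  # no SNI means it cannot be classified: deny
    return "allow" if name.lower() in allowlist else "block"

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal ClientHello for testing (sample data, not captured traffic)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    if server_name is not None:
        host = server_name.encode("ascii")
        sn = b"\x00" + struct.pack("!H", len(host)) + host
        ext = b"\x00\x00" + struct.pack("!H", len(sn) + 2) + struct.pack("!H", len(sn)) + sn
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A client that omits SNI is blocked rather than passed through, since the proxy has nothing to match against the list.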