[cryptography] trustwave admits issuing corporate mitm certs

Krassimir Tzvetanov maillists at krassi.biz
Sun Feb 12 22:13:32 EST 2012


I agree, I'm just reflecting on the reality... :(

On Sun, Feb 12, 2012 at 6:52 PM, Nico Williams <nico at cryptonector.com> wrote:
> On Sun, Feb 12, 2012 at 7:51 PM, Krassimir Tzvetanov
> <maillists at krassi.biz> wrote:
>> Sorry, tough questions only... no answers :)
>
> Not really tough.  A good policy is: don't allow personal use of the
> corporate network.  No gmail.  No yahoo.  No employee-owned devices.
> No shopping.  No nothing.  Allow HTTPS only to white-listed sites
> (e.g., vendor software update services, a github or a sourceforge, if
> the company uses open source projects, and so on).
>
> Ten years ago that might have sounded draconian.  Twenty-five years
> ago such a policy would have been unthinkable (user-owned network
> devices?  Internet access?  what are those things?).  But now we have
> 3G and 4G everywhere.  Employees can be connected to the Internet
> without going through their employers' networks.  So why not apply
> such a policy?  I think it's the best approach.  In some cases
> employees may not be allowed even personal devices connected using
> public 3G/4G networks (think of sensitive military / research sites),
> and that would hardly be the end of the world.
>
> Nico
> --
