[cryptography] trustwave admits issuing corporate mitm certs

Kevin W. Wall kevin.w.wall at gmail.com
Sun Feb 12 22:39:21 EST 2012


On Sun, Feb 12, 2012 at 9:52 PM, Nico Williams <nico at cryptonector.com> wrote:
> On Sun, Feb 12, 2012 at 7:51 PM, Krassimir Tzvetanov
> <maillists at krassi.biz> wrote:
>> Sorry, tough questions only... no answers :)
>
> Not really tough.  A good policy is: don't allow personal use of the
> corporate network.  No gmail.  No yahoo.  No employee-owned devices.
> No shopping.  No nothing.  Allow HTTPS only to white-listed sites
> (e.g., vendor software update services, a github or a sourceforge, if
> the company uses open source projects, and so on).
>
> Ten years ago that might have sounded draconian.  Twenty-five years
> ago such a policy would have been unthinkable (user-owned network
> devices?  Internet access?  what are those things?).  But now we have
> 3G and 4G everywhere.  Employees can be connected to the Internet
> without going through their employers' networks.  So why not apply
> such a policy?  I think it's the best approach.  In some cases
> employees may not be allowed even personal devices connected using
> public 3G/4G networks (think of sensitive military / research sites),
> and that would hardly be the end of the world.

This response is off-topic, but as much as I agree with this, I also
think that it is totally unrealistic. Why? Because there is a
groundswell of BYOD at companies and for the most part, it seems to be
being pushed, not by the techies, but rather by the upper-level
executives. And when it gets right down to it, it's hard to tell your
CEO or CFO that they may not bring their iPad2 to the office and
connect to the company network, or connect it to the internal
company network through a VPN when they are off-site. So you
had better find a way for them to do it safely and securely or you
will find yourself looking for another job. So we need to find
a way to deal with it as it's only going to get worse.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein


