[cryptography] Trustwave admits issuing corporate MITM certs

Jeffrey Walton noloader at gmail.com
Wed Feb 15 00:49:55 EST 2012


On Sun, Feb 12, 2012 at 8:17 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>
> On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:
>
>> [Jeffrey Walton <noloader at gmail.com> (2012-02-12 10:57:02 UTC)]
>>
>>> (1) How can a company actively attack a secure channel and tamper with
>>> communications if there are federal laws prohibiting it?
>>
>> IANAL, as they say, but I guess they are acting under the presumption
>> that any communication originating in the company's own is the
>> company's own communication, and so they can do anything they please
>> with it. It could be argued that the notion of "tampering" with your
>> own communications doesn't make sense, and so there is no breach of
>> federal law.
>>
>> I am not defending the above interpretation, nor am I saying for sure
>> that it holds water. But I think it is a reasonable guess, at least
>> that the company's lawyers will use arguments along those lines
>> (albeit argued in more legalese terms) if they had to defend this
>> practice.
>
>
> Although I'm not a lawyer, I've worked with a number of lawyers on the
> wiretap act, and have been studying it for close to 20 years.  I do not
> see any criminal violation.
>
> 18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices
> if "design of such device renders it primarily useful for the purpose of
> the surreptitious interception of wire, oral, or electronic communications".
> Is a private key or certificate a "device"?  Not as I read 18 USC 2510(5)
> (http://www.law.cornell.edu/uscode/text/18/2510).  Paragraph (12) of that
> section would seem to say that intra-company wires aren't covered.  But
> a better explanation of that can be found in Ruel Torres Hernandez, "ECPA
> and online computer privacy", Federal Communications Law Journal, 41(1):17–41,
> November 1988.  He not only concluded that the ECPA did not bar a company
> from monitoring its own devices, he quoted a participant in the law's
> drafting process as saying that that was by intent.  California law bars
> employers from monitoring employee phone calls, but in 1991 a court there
> explicitly ruled that monitoring email was permissible -- or rather, that
> it wasn't barred by a statute that only spoke of phone calls.

I looked at the cited cases. As a layman, I'm not contesting the fact
that an employer has a right to monitor its employees, and I
understand why some of the plaintiff positions were indefensible in
civil court.

I'm talking about violation of US Code and criminal cases. Remember, a
lot of these corporations wanted harsh regulations for folks breaking
into their [insecure] networks. Obviously, they don't want to eat
their own dog food. But some of this stuff is sufficiently broad so
that their actions are criminal despite their intentions or desires.

Whether they like it or not (or agree or disagree), they were only
authorized to transmit traffic. Here, I speak of the communications
between two parties - A and B. When they peeled away SSL/TLS, they
exceeded their authorization. Even if party A agreed to be monitored,
I doubt party B also agreed 'a priori,' especially if party B did not
reside on the same corporate network. Hence a criminal violation of
federal code.

Anyway, that's how I learned to interpret these things when studying
for my LSATs (the LSATs were an annoying logic game of contrived
scenarios). And I know LSAT study guides and practice tests are a far
cry from the real world, where an afternoon of golf can fix a lot of
problems.

Jeff