[cryptography] trustwave admits issuing corporate mitm certs

Kevin W. Wall kevin.w.wall at gmail.com
Thu Feb 16 00:21:34 EST 2012


On Wed, Feb 15, 2012 at 12:49 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Sun, Feb 12, 2012 at 8:17 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>>
>> On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:
>>
>>> [Jeffrey Walton <noloader at gmail.com> (2012-02-12 10:57:02 UTC)]
>>>
>>>> (1) How can a company actively attack a secure channel and tamper with
>>>> communications if there are federal laws prohibiting it?
>>>
>>> IANAL, as they say, but I guess they are acting under the presumption
>>> that any communication originating in the company's own is the
>>> company's own communication, and so they can do anything they please
>>> with it. It could be argued that the notion of "tampering" with your
>>> own communications doesn't make sense, and so there is no breach of
>>> federal law.
>>>
>>> I am not defending the above interpretation, nor am I saying for sure
>>> that it holds water. But I think it is a reasonable guess, at least
>>> that the company's lawyers will use arguments along those lines
>>> (albeit argued in more legalese terms) if they had to defend this
>>> practice.
>>
>>
>> Although I'm not a lawyer, I've worked with a number of lawyers on the
>> wiretap act, and have been studying it for close to 20 years.  I do not
>> see any criminal violation.

Nor do I. If anything, I think this would be a civil matter.

>> 18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices
>> if "design of such device renders it primarily useful for the purpose of
>> the surreptitious interception of wire, oral, or electronic communications".
>> Is a private key or certificate a "device"?  Not as I read 18 USC 2510(5)
>> (http://www.law.cornell.edu/uscode/text/18/2510).  Paragraph (12) of that
>> section would seem to say that intra-company wires aren't covered.  But
>> a better explanation of that can be found in Ruel Torres Hernandez, "ECPA
>> and online computer privacy", Federal Communications Law Journal, 41(1):17–41,
>> November 1988.  He not only concluded that the ECPA did not bar a company
>> from monitoring its own devices, he quoted a participant in the law's
>> drafting process as saying that that was by intent.  California law bars
>> employers from monitoring employee phone calls, but in 1991 a court there
>> explicitly ruled that monitoring email was permissible -- or rather, that
>> it wasn't barred by a statute that only spoke of phone calls.
> I looked at the cited cases. As a layman, I'm not contesting the fact
> that an employer has a right to monitor its employees, and I
> understand why some of the plaintiff positions were indefensible in
> civil court.
>
> I'm talking about violation of US Code and criminal cases. Remember, a
> lot of these corporations wanted harsh regulations for folks breaking
> into their [insecure] networks. Obviously, they don't want to eat
> their own dog food. But some of this stuff is sufficiently broad so
> that their actions are criminal despite their intentions or desires.

I'd agree that their actions are immoral / unethical, but that doesn't
make their actions criminal, especially if their users consent to monitoring
of all company computer and network usage. And, the AUPs that
I've seen at all the companies that I've worked for as both employee
and contractor all make you sign those...otherwise, you won't
be collecting a pay check.

If the company did not inform the employees that they were being
monitored, then _perhaps_ a criminal case might be made based on
illegal wiretap statutes, but I do not have enough knowledge
to judge that. As they say, IANAL.

> Whether they like it or not (or agree or disagree), they were only
> authorized to transmit traffic.

Perhaps, if you are talking about someone who is merely acting
in the role of provider / carrier of services, but I thought this discussion
was about employee / employer relationships.  Maybe I'm misunderstanding
something that you are trying to communicate.

> Here, I speak of the communications
> between two parties - A and B. When they peeled away SSL/TLS, they
> exceeded their authorization. Even if party A agreed to be monitored,
> I doubt party B also agreed 'a priori,' especially if party B did not
> reside on the same corporate network. Hence a criminal violation of
> federal code.

In some states, both parties do not need to be informed that they are
being monitored...only one of the parties needs to be aware. However,
regardless of that, I don't see how this is any different in principle
if a company decided to install a keystroke logger on your company
PC and take a constant video of your screen? Is that illegal? Probably
not if the employees consent to it. How about if I monitor your
network traffic by decrypting your SSL connection at your PC's endpoint
by some SSL DLL that would leak the SSL master key and record
that and the SSL keystream to some central server? Again, I think
that would only be illegal if employees did not consent to monitoring.

That said, I do think that companies may be in trial from a civil suit
perspective, especially if it had been widely known that the company
had never monitored SSL traffic before and then they started doing
so without informing anyone of the change in policy (despite the
fact that they reserve the right to change the policy at any time
without informing their employees). Courts in the past have
recognized a certain right to have an expectation of privacy.
For instance, courts would probably find a company completely
out of line if they installed surreptitious video surveillance in bathroom
stalls, even if those bathrooms were for the exclusive
use of employees. Courts might be convinced that a similar
expectation of privacy was implicitly granted by the company if they
had not previously monitored SSL traffic and allowed Internet
access at lunchtime and then all of a sudden they started monitoring
and storing all SSL traffic as well. Courts might be especially
sympathetic if the company did not do due diligence to protect
that data and a bunch of employees' bank account information
got hacked as a result. Again, all hypothetical, but it certainly
seems plausible.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein