I have a question about the legality of doing a successful MITM attack against SSL (server-side authentication only). This is mainly a USA-only question, although Europe and Japan are of interest too. This is not a CALEA or ETSI type of situation.

If the SSL connection is traversing an enterprise or a common carrier is it legal for that party to perform a MITM against it in order to examine the encrypted information?

My reading of the US Federal wiretap laws seems to indicate that this is OK if one of the following conditions exists:
1. The enterprise/carrier posts a notice that all SSL connections are subject to inspection.
2. The enterprise/carrier notifies one or both parties of the SSL connection that inspection is taking place.
3. The enterprise/carrier examines the SSL to prevent DoS/DDoS/worm/phishing attacks or to do QoS (load balancing, bandwidth shaping, etc.).

I don't think wire fraud laws are involved, even though a properly signed yet fake X.509 PKI certificate is sent to the browser by the MITM enterprise/carrier pretending to be the destination site in order to extract the encryption keys used to encrypt the SSL connection.

Any lawyers out there who would know how to interpret US federal law regarding this area? (Europe, Japan, or other rule-of-law type countries are of interest too.)


- Alex

Alex Alten
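The technical mechanism the question turns on, as an added example that is not part of Alex's post: an interception proxy terminates the client's TLS session under its own key pair and presents a certificate that carries the destination site's name but is signed by the interceptor's CA. Whether the browser accepts that "properly signed yet fake" certificate depends entirely on whether the interceptor's CA is in the browser's trust store, which is why enterprises push their CA to managed machines and why a carrier cannot do the same to an unmanaged client without a warning. The script below is added here (not from the original message), uses only the openssl CLI, and all names (Corp Interception CA, Some Public CA, www.example.com) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of Alex Alten's post. Shows that an interceptor's
# certificate for www.example.com, signed by the interceptor's own CA, verifies
# only for a client that trusts that CA. All names are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TARGET=www.example.com   # hypothetical destination site the MITM impersonates

# Self-signed CA with explicit CA:TRUE, using its own config so that the
# result does not depend on whatever default openssl.cnf is installed.
make_ca() {   # $1 = file stem, $2 = CN
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Leaf certificate that names the real site (CN and SAN) but is signed by
# the interceptor CA rather than by the CA the site actually uses.
make_fake_leaf() {
  cat > "$WORK/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $TARGET
EOF
  openssl req -new -config "$WORK/leaf.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$TARGET" > "$WORK/leaf.ext"
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/interceptor.pem" -CAkey "$WORK/interceptor.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

build_certs() {
  make_ca interceptor "Corp Interception CA"   # the enterprise/carrier's CA
  make_ca public "Some Public CA"              # stands in for the site's real CA
  make_fake_leaf
}

# Exit 0 = a browser that trusts the interceptor CA (e.g. one pushed by
# enterprise policy) accepts the fake certificate; the MITM goes unnoticed.
accepted_by_managed_client() {
  openssl verify -CAfile "$WORK/interceptor.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Exit 0 = a client that trusts only the public CA accepts it. It must not:
# the chain ends at an issuer the client has never heard of, so the browser
# shows a certificate error instead of silently handing over the session.
accepted_by_unmanaged_client() {
  openssl verify -CAfile "$WORK/public.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

build_certs
if accepted_by_managed_client; then
  echo "managed client (trusts interceptor CA): accepts fake $TARGET certificate"
fi
if ! accepted_by_unmanaged_client; then
  echo "unmanaged client (trusts only public CA): rejects it, unknown issuer"
fi
```

The second check is the whole reason a carrier-side MITM is visible to end users: the fake leaf verifies perfectly against the interceptor's CA, and fails against any trust store that does not contain it, regardless of what other public CAs that store holds.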

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
