Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Nico Williams
I'm sure the trend is currently the other way, yes, but with low-cost
high-bandwidth wireless becoming more common it doesn't really matter,
does it?

And it all depends on the organization and its risk-taking profile.

But to bring this back on topic: I'd rather see "draconian" corporate
network access rules than MITMing CAs.

Nico
--
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Steven Bellovin

On Feb 12, 2012, at 10:26 46PM, Nico Williams wrote:

> On Sun, Feb 12, 2012 at 9:13 PM, Krassimir Tzvetanov
>  wrote:
>> I agree, I'm just reflecting on the reality... :(
> 
> Reality is actually as I described, at least for some shops that I'm
> familiar with.
> 
The trend is the other way, towards allowing (and even encouraging)
employee-owned devices.  If nothing else, it saves the company money.
It also lets you get more work out of employees if they can deal
with management requests from their personal iToys or Andtoys.

The trick is to manage this behavior; banning it tends to be
futile.


--Steve Bellovin, https://www.cs.columbia.edu/~smb


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Kevin W. Wall
On Sun, Feb 12, 2012 at 9:52 PM, Nico Williams  wrote:
> On Sun, Feb 12, 2012 at 7:51 PM, Krassimir Tzvetanov
>  wrote:
>> Sorry, tough questions only... no answers :)
>
> Not really tough.  A good policy is: don't allow personal use of the
> corporate network.  No gmail.  No yahoo.  No employee-owned devices.
> No shopping.  No nothing.  Allow HTTPS only to white-listed sites
> (e.g., vendor software update services, a github or a sourceforge, if
> the company uses open source projects, and so on).
>
> Ten years ago that might have sounded draconian.  Twenty-five years
> ago such a policy would have been unthinkable (user-owned network
> devices?  Internet access?  what are those things?).  But now we have
> 3G and 4G everywhere.  Employees can be connected to the Internet
> without going through their employers' networks.  So why not apply
> such a policy?  I think it's the best approach.  In some cases
> employees may not be allowed even personal devices connected using
> public 3G/4G networks (think of sensitive military / research sites),
> and that would hardly be the end of the world.

This response is off-topic, but as much as I agree with this, I also
think that it is totally unrealistic. Why? Because there is a ground
swell of BYOD at companies and for the most part, it seems to be
being pushed, not by the techies, but rather by the upper level
executives. And when it gets right down to it, it's hard to tell your
CEO or CFO that they may not bring their iPad2 to the office and
connect to the company network, or connect it to the internal
company network through a VPN when they are off-site. So you
had better find a way for them to do it safely and securely or you
will find yourself looking for another job. So we need to find
a way to deal with it as it's only going to get worse.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Nico Williams
On Sun, Feb 12, 2012 at 9:13 PM, Krassimir Tzvetanov
 wrote:
> I agree, I'm just reflecting on the reality... :(

Reality is actually as I described, at least for some shops that I'm
familiar with.


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Krassimir Tzvetanov
I agree, I'm just reflecting on the reality... :(

On Sun, Feb 12, 2012 at 6:52 PM, Nico Williams  wrote:
> On Sun, Feb 12, 2012 at 7:51 PM, Krassimir Tzvetanov
>  wrote:
>> Sorry, tough questions only... no answers :)
>
> Not really tough.  A good policy is: don't allow personal use of the
> corporate network.  No gmail.  No yahoo.  No employee-owned devices.
> No shopping.  No nothing.  Allow HTTPS only to white-listed sites
> (e.g., vendor software update services, a github or a sourceforge, if
> the company uses open source projects, and so on).
>
> Ten years ago that might have sounded draconian.  Twenty-five years
> ago such a policy would have been unthinkable (user-owned network
> devices?  Internet access?  what are those things?).  But now we have
> 3G and 4G everywhere.  Employees can be connected to the Internet
> without going through their employers' networks.  So why not apply
> such a policy?  I think it's the best approach.  In some cases
> employees may not be allowed even personal devices connected using
> public 3G/4G networks (think of sensitive military / research sites),
> and that would hardly be the end of the world.
>
> Nico
> --


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Nico Williams
On Sun, Feb 12, 2012 at 7:51 PM, Krassimir Tzvetanov
 wrote:
> Sorry, tough questions only... no answers :)

Not really tough.  A good policy is: don't allow personal use of the
corporate network.  No gmail.  No yahoo.  No employee-owned devices.
No shopping.  No nothing.  Allow HTTPS only to white-listed sites
(e.g., vendor software update services, a github or a sourceforge, if
the company uses open source projects, and so on).

Ten years ago that might have sounded draconian.  Twenty-five years
ago such a policy would have been unthinkable (user-owned network
devices?  Internet access?  what are those things?).  But now we have
3G and 4G everywhere.  Employees can be connected to the Internet
without going through their employers' networks.  So why not apply
such a policy?  I think it's the best approach.  In some cases
employees may not be allowed even personal devices connected using
public 3G/4G networks (think of sensitive military / research sites),
and that would hardly be the end of the world.

Nico
--


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Krassimir Tzvetanov
That's an interesting point you are bringing up. It would be interesting
to consider what is the precedence of laws/contracts when you have
multiparty agreements.

Speculating here: What would happen if there is a contract between the
Browser manufacturer and the Root owner that is included in the store
of that browser that this cert will only be distributed by the Browser
and be in its cert store if there are not MITM subcerts signed by the
Root owner?

Also at this point would it be OK for the employee to install
unapproved software on the computer?

Things get further complicated by the introduction of "bring your own
device" policies.

At this point it becomes very interesting what the implications are. You
have an employee with a private piece of equipment going over the
corporate network (that is tapped).

What happens if the employee accesses gmail on a lunch break? Also
how do you ensure there is no malware infiltrating your network? Or
how do you protect from DLP? Everybody can attach to gmail a sensitive
document...

Sorry, tough questions only... no answers :)

KTT

On Sun, Feb 12, 2012 at 5:17 PM, Steven Bellovin  wrote:
>
> On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:
>
>> [Jeffrey Walton  (2012-02-12 10:57:02 UTC)]
>>
>>> (1) How can a company actively attack a secure channel and tamper with
>>> communications if there are federal laws prohibiting it?
>>
>> IANAL, as they say, but I guess they are acting under the presumption
>> that any communication originating in the company's own is the
>> company's own communication, and so they can do anything they please
>> with it. It could be argued that the notion of "tampering" with your
>> own communications doesn't make sense, and so there is no breach of
>> federal law.
>>
>> I am not defending the above interpretation, nor am I saying for sure
>> that it holds water. But I think it is a reasonable guess, at least
>> that the company's lawyers will use arguments along those lines
>> (albeit argued in more legalese terms) if they had to defend this
>> practice.
>
>
> Although I'm not a lawyer, I've worked with a number of lawyers on the
> wiretap act, and have been studying it for close to 20 years.  I do not
> see any criminal violation.
>
> 18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices
> if "design of such device renders it primarily useful for the purpose of
> the surreptitious interception of wire, oral, or electronic communications".
> Is a private key or certificate a "device"?  Not as I read 18 USC 2510(5)
> (http://www.law.cornell.edu/uscode/text/18/2510).  Paragraph (12) of that
> section would seem to say that intra-company wires aren't covered.  But
> a better explanation of that can be found in Ruel Torres Hernandez, "ECPA
> and online computer privacy", Federal Communications Law Journal, 41(1):17–41,
> November 1988.  He not only concluded that the ECPA did not bar a company
> from monitoring its own devices, he quoted a participant in the law's
> drafting process as saying that that was by intent.  California law bars
> employers from monitoring employee phone calls, but in 1991 a court there
> explicitly ruled that monitoring email was permissible -- or rather, that
> it wasn't barred by a statute that only spoke of phone calls.
>
> Beyond that, and as noted, employees likely consented in their employment
> agreements, or by clicking through a log-in banner.
>
> Now -- there may have been a violation of the contract with Mozilla, or
> a violation of non-US law or of some state law.  But I don't think one
> can make a strong case for a violation of US federal law.
>
>                --Steve Bellovin, https://www.cs.columbia.edu/~smb


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Steven Bellovin

On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:

> [Jeffrey Walton  (2012-02-12 10:57:02 UTC)]
> 
>> (1) How can a company actively attack a secure channel and tamper with
>> communications if there are federal laws prohibiting it?
> 
> IANAL, as they say, but I guess they are acting under the presumption
> that any communication originating in the company's own is the
> company's own communication, and so they can do anything they please
> with it. It could be argued that the notion of "tampering" with your
> own communications doesn't make sense, and so there is no breach of
> federal law.
> 
> I am not defending the above interpretation, nor am I saying for sure
> that it holds water. But I think it is a reasonable guess, at least
> that the company's lawyers will use arguments along those lines
> (albeit argued in more legalese terms) if they had to defend this
> practice.


Although I'm not a lawyer, I've worked with a number of lawyers on the
wiretap act, and have been studying it for close to 20 years.  I do not
see any criminal violation.

18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices
if "design of such device renders it primarily useful for the purpose of 
the surreptitious interception of wire, oral, or electronic communications".
Is a private key or certificate a "device"?  Not as I read 18 USC 2510(5)
(http://www.law.cornell.edu/uscode/text/18/2510).  Paragraph (12) of that
section would seem to say that intra-company wires aren't covered.  But
a better explanation of that can be found in Ruel Torres Hernandez, "ECPA 
and online computer privacy", Federal Communications Law Journal, 41(1):17–41, 
November 1988.  He not only concluded that the ECPA did not bar a company
from monitoring its own devices, he quoted a participant in the law's
drafting process as saying that that was by intent.  California law bars
employers from monitoring employee phone calls, but in 1991 a court there
explicitly ruled that monitoring email was permissible -- or rather, that
it wasn't barred by a statute that only spoke of phone calls.

Beyond that, and as noted, employees likely consented in their employment
agreements, or by clicking through a log-in banner.

Now -- there may have been a violation of the contract with Mozilla, or
a violation of non-US law or of some state law.  But I don't think one
can make a strong case for a violation of US federal law.

--Steve Bellovin, https://www.cs.columbia.edu/~smb


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread ianG

On 13/02/12 10:53 AM, Marsh Ray wrote:
> On 02/12/2012 10:24 AM, John Levine wrote:
>>>> They also claim in their defense that other CAs are doing this.
>>> Evading computer security systems and tampering with communications is
>>> a violation of federal law in the US.
>>
>> As the article made quite clear, this particular cert was used to
>> monitor traffic on the customer's own network, which is 100% legal
>> absent some contractual agreement with the customers not to do that.
>
> IANAL by any stretch, but it seems to me that to say something
> is "100% legal" is usually a bit of an overstatement.
>
> For example, I knew someone who audited network monitoring equipment for
> a retail chain that (as many do) issued credit cards. They were able to
> monitor all kinds of traffic in and out of their network, *except* when
> an employee went to check the balance on their own cards. One could
> imagine all kinds of other protected communication that might happen in
> an employment scenario.

From a tactical legal point of view, I've come around to Marsh's
original claim that there is enough wiggle room in the policy such that
they can sneak through.  The policies typically require ownership or
control to be established.  Control can be established over another
person's domain simply by fiat - in my house, all your domains are under
my control.

One might be somewhat jaundiced about claiming the All Your Base
defence, but I reckon a good fight could be made in court over it.
Which tactically is enough, as this will be settled.

> What happens if the interception device gets hacked? Even if the keys
> remain in some HSM, the attacker could compromise any machine on the
> inside and route traffic through it. By observing the log messages (as
> Telecomix did on Syria's BlueCoats) he may successfully decrypt some or
> all of the traffic.
>
> So even if we assume they are intended to be used for good, the
> existence of these MitM certs diminishes the effective security of SSL/TLS
> for everyone.

That all above is what CAs are about.  And the standard answer to that
is "audit".  Which they did.

(I'm not saying the answer is satisfactory, but the context and response
remains the same as far as I can see.)

> As I see it, this could turn into an epic legal meltdown if, say, the
> widows of disappeared Libyan/Syrian/Iranian dissidents were to file suit
> against the companies making interception equipment (or even browser
> vendors like Mozilla). These vendors CAs could be in a bad spot if they
> made public statements that turned out to be contradictory to their
> actual practice.

Yeah, this is where statements start turning out to be false or at least
untenable in company with "trust".  Or as I put it, the jaws of trust
just snapped shut:

http://financialcryptography.com/mt/archives/001359.html


iang


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Marsh Ray

On 02/12/2012 10:24 AM, John Levine wrote:
>>> They also claim in their defense that other CAs are doing this.
>> Evading computer security systems and tampering with communications is
>> a violation of federal law in the US.
>
> As the article made quite clear, this particular cert was used to
> monitor traffic on the customer's own network, which is 100% legal
> absent some contractual agreement with the customers not to do that.

IANAL by any stretch, but it seems to me that to say something
is "100% legal" is usually a bit of an overstatement.

For example, I knew someone who audited network monitoring equipment for
a retail chain that (as many do) issued credit cards. They were able to
monitor all kinds of traffic in and out of their network, *except* when
an employee went to check the balance on their own cards. One could
imagine all kinds of other protected communication that might happen in
an employment scenario.

What happens if the interception device gets hacked? Even if the keys
remain in some HSM, the attacker could compromise any machine on the
inside and route traffic through it. By observing the log messages (as
Telecomix did on Syria's BlueCoats) he may successfully decrypt some or
all of the traffic.

So even if we assume they are intended to be used for good, the
existence of these MitM certs diminishes the effective security of SSL/TLS
for everyone.

As I see it, this could turn into an epic legal meltdown if, say, the
widows of disappeared Libyan/Syrian/Iranian dissidents were to file suit
against the companies making interception equipment (or even browser
vendors like Mozilla). These vendors CAs could be in a bad spot if they
made public statements that turned out to be contradictory to their
actual practice.


- Marsh


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread John Levine
>> They also claim in their defense that other CAs are doing this.
>Evading computer security systems and tampering with communications is
>a violation of federal law in the US.

As the article made quite clear, this particular cert was used to
monitor traffic on the customer's own network, which is 100% legal
absent some contractual agreement with the customers not to do that.
(In which case it would still be a tort, not a crime.)  It's not like the
Ticketmaster case, where the guy was outside Ticketmaster's network,
effectively breaking in to trick them into selling him tickets that
they didn't want to sell him.

I'm not arguing that MITM certificates are a good idea, but they're
not illegal until someone uses them to do something illegal, and I don't
see that here.

R's,
John


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Benjamin Kreuter
On Sun, 12 Feb 2012 05:57:02 -0500
Jeffrey Walton  wrote:

> On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
>  wrote:
> > While I'm not a lawyer and my opinion is in no way authoritative I do
> > not believe there is any violation. They may be an accessory to a
> > potential crime but they themselves did not do the tapping.
> >
> > Now on the other hand those companies that did the tapping should be
> > OK for as long as they are clear with the employees that they cannot
> > expect privacy, which usually is the case. Usually this is in the
> > paperwork you sing when you start working there in the section
> > privacy policy.
> Two questions:
> 
> (1) How can a company actively attack a secure channel and tamper with
> communications if there are federal laws prohibiting it? It seems to
> me they can only take the role of passive adversaries and still comply
> with US law,

Plenty of companies install monitoring software on their employees'
workstations and listen to employee phone calls, which is generally
legal:

https://www.privacyrights.org/fs/fs7-work.htm

> (2) Did the other end of the SSL/TLS tunnel also agree to be
> monitored?

Does that matter?

-- Ben



-- 
Benjamin R Kreuter
UVA Computer Science
brk...@virginia.edu
KK4FJZ

--

"If large numbers of people are interested in freedom of speech, there
will be freedom of speech, even if the law forbids it; if public
opinion is sluggish, inconvenient minorities will be persecuted, even
if laws exist to protect them." - George Orwell




Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Harald Hanche-Olsen
[Jeffrey Walton  (2012-02-12 10:57:02 UTC)]

> (1) How can a company actively attack a secure channel and tamper with
> communications if there are federal laws prohibiting it?

IANAL, as they say, but I guess they are acting under the presumption
that any communication originating in the company's own is the
company's own communication, and so they can do anything they please
with it. It could be argued that the notion of "tampering" with your
own communications doesn't make sense, and so there is no breach of
federal law.

I am not defending the above interpretation, nor am I saying for sure
that it holds water. But I think it is a reasonable guess, at least
that the company's lawyers will use arguments along those lines
(albeit argued in more legalese terms) if they had to defend this
practice.

> (2) Did the other end of the SSL/TLS tunnel also agree to be monitored?

Rhetorical question? The obvious answer is "no".

- Harald


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Krassimir Tzvetanov
Again, I'm not a lawyer but if somebody legally purchases a gun from
you for a legitimate purpose and then abuses it you are not liable (US
context here).

The same way if somebody purchases this cert to monitor their
employees for data exfiltration (perfectly good reason, if specified
in the privacy policy), thus they are being totally legal. You have no
way of knowing if they abuse the certificate to tap their neighbors
for example.

Now, on the USC items that were mentioned. They are about "exceeding
access", etc. They would not be exceeding access if it is in the
privacy policy that they can monitor you for X activity.

Best,
Krassimir

On Sun, Feb 12, 2012 at 3:09 AM, Jeffrey Walton  wrote:
> On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
>  wrote:
>> While I'm not a lawyer and my opinion is in no way authoritative I do not
>> believe there is any violation. They may be an accessory to a potential
>> crime but they themselves did not do the tapping.
> I think it's a bit broader than an accessory since they knew what the
> company wanted to do. Trustwave was onsite and set the system up -
> they were clearly a co-conspirator. They even bragged about how
> ethical it was because they used an HSM.
>
> Jeff
>
>> On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton  wrote:
>>> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back  wrote:
>>>> So it happened, per recent discussion on this list, it seems that at least
>>>> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>>>>
>>>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>>>>
>>>> mozilla is threatening to remove the CA from their browser.  Trustwave says
>>>> they have/will revoke all these sub-CAs and will not issue any more.
>>>>
>>>> They also claim in their defense that other CAs are doing this.
>>> Evading computer security systems and tampering with communications is
>>> a violation of federal law in the US. So says the US Attorney General
>>> in New Jersey when he charged Wiseguys Tickets with gaming the
>>> TicketMaster systems [1,2]. If the Attorney General is to be believed,
>>> Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
>>>
>>> Jeff
>>>
>>> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
>>> [2] 
>>> http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Jeffrey Walton
On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
 wrote:
> While I'm not a lawyer and my opinion is in no way authoritative I do not
> believe there is any violation. They may be an accessory to a potential
> crime but they themselves did not do the tapping.
I think it's a bit broader than an accessory since they knew what the
company wanted to do. Trustwave was onsite and set the system up -
they were clearly a co-conspirator. They even bragged about how
ethical it was because they used an HSM.

Jeff

> On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton  wrote:
>> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back  wrote:
>>> So it happened, per recent discussion on this list, it seems that at least
>>> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>>>
>>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>>>
>>> mozilla is threatening to remove the CA from their browser.  Trustwave says
>>> they have/will revoke all these sub-CAs and will not issue any more.
>>>
>>> They also claim in their defense that other CAs are doing this.
>> Evading computer security systems and tampering with communications is
>> a violation of federal law in the US. So says the US Attorney General
>> in New Jersey when he charged Wiseguys Tickets with gaming the
>> TicketMaster systems [1,2]. If the Attorney General is to be believed,
>> Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
>>
>> Jeff
>>
>> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
>> [2] 
>> http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Jeffrey Walton
On Sun, Feb 12, 2012 at 5:43 AM, Krassimir Tzvetanov
 wrote:
> While I'm not a lawyer and my opinion is in no way authoritative I do not
> believe there is any violation. They may be an accessory to a potential
> crime but they themselves did not do the tapping.
>
> Now on the other hand those companies that did the tapping should be
> OK for as long as they are clear with the employees that they cannot
> expect privacy, which usually is the case. Usually this is in the
> paperwork you sing when you start working there in the section privacy
> policy.
Two questions:

(1) How can a company actively attack a secure channel and tamper with
communications if there are federal laws prohibiting it? It seems to
me they can only take the role of passive adversaries and still comply
with US law,

(2) Did the other end of the SSL/TLS tunnel also agree to be monitored?

Jeff

> On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton  wrote:
>> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back  wrote:
>>> So it happened, per recent discussion on this list, it seems that at least
>>> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>>>
>>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>>>
>>> mozilla is threatening to remove the CA from their browser.  Trustwave says
>>> they have/will revoke all these sub-CAs and will not issue any more.
>>>
>>> They also claim in their defense that other CAs are doing this.
>> Evading computer security systems and tampering with communications is
>> a violation of federal law in the US. So says the US Attorney General
>> in New Jersey when he charged Wiseguys Tickets with gaming the
>> TicketMaster systems [1,2]. If the Attorney General is to be believed,
>> Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
>>
>> Jeff
>>
>> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
>> [2] 
>> http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Harald Hanche-Olsen
[Krassimir Tzvetanov  (2012-02-12 10:43:11 UTC)]

> Usually this is in the paperwork you sing when you start working there [...]

This is an aspect of American work culture that I was totally unaware of.
Does it imply that unmusical people can't get a job in the US?

- Harald


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Krassimir Tzvetanov
While I'm not a lawyer and my opinion is in no way authoritative I do not
believe there is any violation. They may be an accessory to a potential
crime but they themselves did not do the tapping.

Now on the other hand those companies that did the tapping should be
OK for as long as they are clear with the employees that they cannot
expect privacy, which usually is the case. Usually this is in the
paperwork you sing when you start working there in the section privacy
policy.

KTT

On Sun, Feb 12, 2012 at 1:27 AM, Jeffrey Walton  wrote:
> On Sun, Feb 12, 2012 at 4:04 AM, Adam Back  wrote:
>> So it happened, per recent discussion on this list, it seems that at least
>> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>>
>> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>>
>> mozilla is threatening to remove the CA from their browser.  Trustwave says
>> they have/will revoke all these sub-CAs and will not issue any more.
>>
>> They also claim in their defense that other CAs are doing this.
> Evading computer security systems and tampering with communications is
> a violation of federal law in the US. So says the US Attorney General
> in New Jersey when he charged Wiseguys Tickets with gaming the
> TicketMaster systems [1,2]. If the Attorney General is to be believed,
> Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).
>
> Jeff
>
> [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
> [2] 
> http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf


Re: [cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Jeffrey Walton
On Sun, Feb 12, 2012 at 4:04 AM, Adam Back  wrote:
> So it happened, per recent discussion on this list, it seems that at least
> one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.
>
> http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>
> mozilla is threatening to remove the CA from their browser.  Trustwave says
> they have/will revoke all these sub-CAs and will not issue any more.
>
> They also claim in their defense that other CAs are doing this.
Evading computer security systems and tampering with communications is
a violation of federal law in the US. So says the US Attorney General
in New Jersey when he charged Wiseguys Tickets with gaming the
TicketMaster systems [1,2]. If the Attorney General is to be believed,
Trustwave (et al) violated 18 USC 1030 (a) (4) and 1030 (c) (3) (a).

Jeff

[1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/
[2] 
http://www.wired.com/images_blogs/threatlevel/2010/03/wiseguys-indictment-filed.pdf


[cryptography] trustwave admits issuing corporate mitm certs

2012-02-12 Thread Adam Back

So it happened, per recent discussion on this list, it seems that at least
one CA *has* been issuing sub-CA certs for corporate use in mitm boxes.

http://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972

mozilla is threatening to remove the CA from their browser.  Trustwave says
they have/will revoke all these sub-CAs and will not issue any more.

They also claim in their defense that other CAs are doing this.

Adam