On 13/02/12 10:53 AM, Marsh Ray wrote:
On 02/12/2012 10:24 AM, John Levine wrote:
They also claim in their defense that other CAs are doing this.
Evading computer security systems and tampering with communications is
a violation of federal law in the US.

As the article made quite clear, this particular cert was used to
monitor traffic on the customer's own network, which is 100% legal
absent some contractual agreement with the customers not to do that.

IANAL by any stretch, but it seems to me that to say something
is "100% legal" is usually a bit of an overstatement.

For example, I knew someone who audited network monitoring equipment for
a retail chain that (as many do) issued credit cards. They were able to
monitor all kinds of traffic in and out of their network, *except* when
an employee went to check the balance on their own cards. One could
imagine all kinds of other protected communication that might happen in
an employment scenario.


From a tactical legal point of view, I've come around to Marsh's original claim that there is enough wiggle room in the policy such that they can sneak through. The policies typically require ownership or control to be established. Control can be established over another person's domain simply by fiat - in my house, all your domains are under my control.

One might be somewhat jaundiced about claiming the All Your Base defence, but I reckon a good fight could be made in court over it. Which tactically is enough, as this will be settled.

What happens if the interception device gets hacked? Even if the keys
remain in some HSM, the attacker could compromise any machine on the
inside and route traffic through it. By observing the log messages (as
Telecomix did on Syria's BlueCoats) he may successfully decrypt some or
all of the traffic.

So even if we assume they are intended to be used for good, the
existence of these MitM certs diminishes the effective security of SSL/TLS
for everyone.


That all above is what CAs are about. And the standard answer to that is "audit". Which they did.

(I'm not saying the answer is satisfactory, but the context and response remains the same as far as I can see.)

As I see it, this could turn into an epic legal meltdown if, say, the
widows of disappeared Libyan/Syrian/Iranian dissidents were to file suit
against the companies making interception equipment (or even browser
vendors like Mozilla). These vendors/CAs could be in a bad spot if they
made public statements that turned out to be contradictory to their
actual practice.


Yeah, this is where statements start turning out to be false or at least untenable in company with "trust". Or as I put it, the jaws of trust just snapped shut:

http://financialcryptography.com/mt/archives/001359.html

iang
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography