On 4/3/18, 11:59 AM, "IBM Mainframe Discussion List on behalf of Phil Smith" 
<IBM-MAIN@LISTSERV.UA.EDU on behalf of p...@voltage.com> wrote:
> They suggest that you're referring to intranet proxies, which can certainly 
> terminate TLS, but that's not at all the same thing.

No, I'm referring to devices installed in a CO (with or without the 
acquiescence of the telco in question, usually with) where they can benefit 
from high-volume data capture. Their purpose is to intercept traffic flows at a 
carrier-grade scale, and they are not generally available to the public at large. Cf. 
the AT&T SFO traffic diversion operation for one semi-public example. If they'd 
like to read more, https://en.wikipedia.org/wiki/Palantir_Technologies has a 
pretty good (if sanitized) look at what they do and how. Note especially the 
client list, and the case study on Ghostnet.

We're talking about state-level actors here. If they want your traffic, they 
can get access to it legally if they want to, and an NSL (or equivalent) is an 
effective way to mute that it happened. In many places on the globe, the 
operation of the SS7 STPs connecting the national network to the international 
infrastructure falls under the same rules (the old ITU and CCITT rules still 
operate), which are very deferential to law enforcement with the proper 
paperwork. That's part of the ongoing fuss in the UK and Australia wanting to 
force-engineer a CALEA-compatible master key into any cryptographic 
implementation in use within their borders; they don't like being shut out of 
the ability to read traffic in transit.



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
