[87513] in cryptography@c2.net mail archive


SSL MITM attack vs wiretap laws question

daemon@ATHENA.MIT.EDU (Alex Alten)
Sat May 5 15:01:32 2007

Date: Fri, 04 May 2007 22:58:46 -0700
To: cryptography@metzdowd.com
From: Alex Alten <alex@alten.org>

I have a question about the legality of doing a successful MITM attack against SSL (server-side authentication only). This is mainly a USA-only question, although Europe and Japan are of interest too. This is not a CALEA or ETSI type of situation.

If the SSL connection is traversing an enterprise or a common carrier is it legal for that party to perform a MITM against it in order to examine the encrypted information?

My reading of the US Federal wiretap laws seems to indicate that this is ok if one of the following conditions exists:
1. The enterprise/carrier posts a notice that all SSL connections are subject to inspection.
2. The enterprise/carrier notifies one or both parties of the SSL connection that inspection is taking place.
3. The enterprise/carrier examines the SSL to prevent DoS/DDoS/Worm/Phishing attacks or to do QoS (load balancing, bandwidth shaping, etc).

I don't think wire fraud laws are involved, even though a properly signed yet fake X.509 PKI certificate is sent to the browser by the MITM enterprise/carrier pretending to be the destination site in order to extract the encryption keys used to encrypt the SSL connection.

Any lawyers out there who would know how to interpret US federal law regarding this area? (European/Japan, or other rule-of-law type countries are of interest too.)

Thanks,

- Alex
--

Alex Alten
alex@alten.org



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
