SSL MITM attack vs wiretap laws question

Alex Alten alex at alten.org
Sat May 5 01:58:46 EDT 2007


I have a question about the legality of doing a successful MITM attack
against SSL (server-side authentication only).  This is mainly a USA-only
question, although Europe and Japan are of interest too.  This is not a
CALEA or ETSI type of situation.

If the SSL connection is traversing an enterprise or a common carrier, is
it legal for that party to perform a MITM against it in order to examine
the encrypted information?

My reading of the US Federal wiretap laws seems to indicate that this is ok
if one of the following conditions exists:
1. The enterprise/carrier posts a notice that all SSL connections are
   subject to inspection.
2. The enterprise/carrier notifies one or both parties of the SSL
   connection that inspection is taking place.
3. The enterprise/carrier examines the SSL to prevent
   DoS/DDoS/Worm/Phishing attacks or to do QoS (load balancing,
   bandwidth shaping, etc).

I don't think wire fraud laws are involved, even though a properly signed
yet fake X.509 PKI certificate is sent to the browser by the MITM
enterprise/carrier pretending to be the destination site in order to
extract the encryption keys used to encrypt the SSL connection.

Any lawyers out there who would know how to interpret US federal law
regarding this area?  (European/Japan, or other rule-of-law type countries
are of interest too.)

Thanks,

- Alex
--

Alex Alten
alex at alten.org



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


