[Cryptography] "Trust in digital certificate ecosystem eroding"

John Levine johnl at iecc.com
Tue May 5 10:03:10 EDT 2015


>Literally all encrypted traffic was decrypted "for log
>maintenance purposes" at the firewall, re-encrypted and
>sent onward to the machines on the company network.  All
>requests for a certificate were intercepted at the firewall
>and got a certificate auto-issued by the firewall's own CA,
>which it would then use to re-encrypt that traffic.
>
>All this of course was done in the name of "security..."

If I were running an investment bank or other enterprise where
individual employees handled large amounts of the company's money, I
would think it would be an extremely serious security problem if
employees could send and receive communications with outsiders that
the auditors couldn't read.  Insert appropriate security homily here.

R's,
John