Full Disclosure mailing list archives

Re: [funsec] Trustwave and Mozilla (Resolved)

From: David C Frier <david.frier+isc2 () gmail com>
Date: Thu, 23 Feb 2012 07:11:53 -0500

On Wed, Feb 22, 2012 at 19:12, Jeffrey Walton <noloader () gmail com> wrote:

It appears to be official.

Trustwave issued MitM certificates, which is deceptive, unethical, and
contrary to its agreement for inclusion.

Mozilla just rewarded their violations of trust by continuing their
inclusion. Apparently, agreements between Mozilla and CAs have no
veracity as both are more than happy to violate the end user.


This is not the simplistic issue with clear moral blacks and whites
that you seem to think it is.

Companies need MitM certs to fully implement DLP and protect
proprietary data - HR info, trade secrets, unpublished financials.
Without them, SSL-protected external sites are potentially
back-channels for the leakage of anything someone decides to leak.
Workers don't understand what the lines are between work-related and
personal network usage.  Companies would be suicidal to just give up
on this.

So, what would you propose as an alternative?


-- 
--David Frier

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Trustwave and Mozilla (Resolved) Jeffrey Walton (Feb 22)
- Re: Trustwave and Mozilla (Resolved) decoder (Feb 22)
  - Re: Trustwave and Mozilla (Resolved) Jeffrey Walton (Feb 22)
- Re: Trustwave and Mozilla (Resolved) Al Billings (Feb 23)
  - Re: Trustwave and Mozilla (Resolved) Jeffrey Walton (Feb 22)
- Re: Trustwave and Mozilla (Resolved) Wesley Kerfoot (Feb 23)
  - Re: Trustwave and Mozilla (Resolved) Ramo (Feb 24)
- Re: [funsec] Trustwave and Mozilla (Resolved) David C Frier (Feb 24)
  - Re: [funsec] Trustwave and Mozilla (Resolved) Marcus Meissner (Feb 24)