Re: Can we trust RedHat encryption tools?




On 01/10/2014 09:22 AM, Liam O'Toole wrote:
> On 2014-01-09, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
>
> (...)
>
>> You want to talk about leaky code?  Look how corporate mail proxies work
>> to enable them to read encrypted emails.  Simple lying about certs.
> That sounds worrying. Could you elaborate, or provide a citation?
>
This is quite common.  We were discussing this at IETF in Nov. Right now 
I forget the law which allows employers complete access to employee 
emails, but as such when the client asks for the recipient's cert, the
server retrieves it, creates a fake one that is presented to the 
client.  The client encrypts the email, and sends it to the server.  The 
server decrypts, stores the content per corporate policy, then encrypts 
with the appropriate cert.  Well actually it is a bit more than that, as 
only the symmetric key is encrypted with the cert's key.  This is old 
stuff for me; I did secure mail a decade ago, and this workaround was
well known then.

Also works well for web clients through the corporate http proxy. 
Actually it is easier for web transactions than email.


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
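
The certificate substitution described in the message above can be detected by a client that compares the certificate it is handed against a fingerprint learned out of band. The following is an added example, not part of the original post; `PinStore`, `server_lookup` and the addresses are hypothetical, and the byte strings are constructed stand-ins for DER-encoded certificates.

```python
import hashlib
import hmac

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding, as hex."""
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Fingerprints the sender learned out of band (hypothetical helper)."""

    def __init__(self):
        self._pins = {}

    def pin(self, address: str, cert_der: bytes) -> None:
        self._pins[address.lower()] = fingerprint(cert_der)

    def check(self, address: str, presented_der: bytes) -> str:
        """Classify a cert handed back by the server: match, mismatch or unpinned."""
        expected = self._pins.get(address.lower())
        if expected is None:
            return "unpinned"  # nothing to compare against, substitution is invisible
        same = hmac.compare_digest(expected, fingerprint(presented_der))
        return "match" if same else "mismatch"

def may_encrypt(store: PinStore, address: str, presented_der: bytes) -> bool:
    """Encrypt only to a cert whose fingerprint equals the pinned one."""
    return store.check(address, presented_der) == "match"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
REAL_CERT = b"constructed: subject=bob@example.org issuer=Public CA key=AAAA"
SUBSTITUTE_CERT = b"constructed: subject=bob@example.org issuer=Corp Proxy CA key=BBBB"

def server_lookup(address: str, intercepting: bool) -> bytes:
    """Model of the cert lookup: an intercepting server returns its own cert."""
    return SUBSTITUTE_CERT if intercepting else REAL_CERT

def demo() -> dict:
    store = PinStore()
    store.pin("bob@example.org", REAL_CERT)  # assumption: learned out of band
    return {
        "direct": store.check("Bob@Example.org", server_lookup("bob@example.org", False)),
        "intercepted": store.check("bob@example.org", server_lookup("bob@example.org", True)),
        "unknown": store.check("carol@example.org", server_lookup("carol@example.org", True)),
    }

if __name__ == "__main__":
    print(demo())
```

The `unpinned` result is the case to watch: without an independently obtained fingerprint, the client has nothing to compare the substituted certificate against.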



