[CentOS] Can we trust RedHat encryption tools?
Robert Moskowitz
rgm at htt-consult.com
Fri Jan 10 15:16:26 UTC 2014
On 01/10/2014 09:22 AM, Liam O'Toole wrote:
> On 2014-01-09, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
> (...)
>
>> You want to talk about leaky code? Look how corporate mail proxies work
>> to enable them to read encrypted emails. Simple lying about certs.
> That sounds worrying. Could you elaborate, or provide a citation?
>
This is quite common. We were discussing this at IETF in Nov. Right now
I forget the law which allows employers complete access to employee
emails, but as such, when the client asks for the recipient's cert, the
server retrieves it and creates a fake one that is presented to the
client. The client encrypts the email and sends it to the server. The
server decrypts, stores the content per corporate policy, then encrypts
with the appropriate cert. Well, actually it is a bit more than that, as
only the symmetric key is encrypted with the cert's key. This is old
stuff for me; I did secure mail a decade ago, and this workaround was
well known then.
It also works well for web clients through the corporate HTTP proxy.
Actually it is easier for web transactions than email.
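The substitution described in this message works because the sender trusts whatever certificate comes back from the lookup. The following Go program is an added example, not code from the post or from any CentOS or Red Hat tool: it builds two self-signed certificates for the same address (a constructed "recipient" and a constructed "proxy" key pair), wraps a symmetric key to a certificate the way an S/MIME client does (RSA-OAEP here; real S/MIME uses CMS key transport, which this simplifies), and shows that only the holder of the matching private key can unwrap it. It then shows the sender-side mitigation: pinning the SHA-256 fingerprint of the recipient certificate obtained out of band, so a substituted certificate is rejected before any key is wrapped to it. The email address and key sizes are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Party holds a key pair and the self-signed certificate carrying its public
// key. Constructed for this demonstration; a real recipient cert would be
// CA-issued and fetched from a directory.
type Party struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// newParty creates a fresh RSA key pair and a self-signed certificate for the
// given (hypothetical) email address.
func newParty(email string) (*Party, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Party{Key: key, Cert: cert}, nil
}

// Fingerprint returns the hex SHA-256 of the DER-encoded certificate, the
// value a sender pins after confirming it with the recipient out of band.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// AcceptRecipientCert is the sender-side check: a certificate retrieved
// through the proxy is used only if it matches the pinned fingerprint.
func AcceptRecipientCert(presented *x509.Certificate, pinned string) bool {
	return Fingerprint(presented) == pinned
}

// WrapKey encrypts the message's symmetric key to the public key found in
// the certificate, as an S/MIME client does (simplified to RSA-OAEP).
func WrapKey(cert *x509.Certificate, symKey []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
}

// UnwrapKey recovers the symmetric key; it succeeds only with the private
// key matching the certificate used in WrapKey.
func UnwrapKey(key *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, wrapped, nil)
}

func main() {
	recipient, _ := newParty("alice@example.test")
	proxy, _ := newParty("alice@example.test") // same subject, different key
	pinned := Fingerprint(recipient.Cert)

	symKey := make([]byte, 32)
	rand.Read(symKey)

	// Without pinning the client uses whatever cert the proxy hands over,
	// so the proxy, not the recipient, can unwrap the symmetric key.
	wrapped, _ := WrapKey(proxy.Cert, symKey)
	_, errProxy := UnwrapKey(proxy.Key, wrapped)
	_, errRecipient := UnwrapKey(recipient.Key, wrapped)
	fmt.Println("proxy can unwrap:", errProxy == nil, "recipient can unwrap:", errRecipient == nil)

	// With pinning the substituted cert is rejected before any key is wrapped.
	fmt.Println("substituted cert accepted:", AcceptRecipientCert(proxy.Cert, pinned))
	fmt.Println("genuine cert accepted:", AcceptRecipientCert(recipient.Cert, pinned))
}
```

The fingerprint comparison is the whole mitigation: a cert that was looked up through the same path the proxy controls cannot vouch for itself, so the pin has to come from a channel the proxy does not sit on (the recipient reading it out over the phone, a signed message received earlier, or a fingerprint published by the recipient's organisation).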