Microsoft intend to acquire Whale Communications - they're a "leading provider of SSL VPN" technologies

Our PressPass announcement provides more information about the stated intent to acquire Whale Communications.

Whale Communications are well known as a provider of SSL VPN and Application Security Technologies.

What's your view about the role of SSL VPN (from any vendor) in today's security-oriented infrastructure? Some of you know my view, but I'm very interested to hear yours, hence I'm not going to bias this by re-stating it.

Comments

  • Anonymous
    May 18, 2006
    Interesting timing, on the day the government announces they want to enforce part 3 of the RIP Act, which means everyone must turn over encryption keys to a governmental escrow service. Now considering how VPNs automatically generate, then discard keys, I guess you all should start looking at how to submit them automatically to some part of GCHQ :)

  • Anonymous
    May 18, 2006
    The comment has been removed

  • Anonymous
    May 19, 2006
    Barry> I'm not a legal expert so please correct me if you know to the contrary but we don't need to escrow the keys for VPN as the data itself does not remain in encrypted form - it's only encrypted during transportation. If the target system (or source system) encrypts the data using something like EFS / PGP then RIPA comes into play.

    My understanding of RIPA is that an organisation / individual must provide the means to recover cipher text UPON REQUEST DURING AN INVESTIGATION - there's no requirement to Escrow the keys. Has this changed recently under part 3 of the act?

    As far as I can see it's not possible to comply with RIPA whilst your users have unmanaged machines (i.e. they have admin rights and/or non-domain joined machines) as you can't be sure that they haven't encrypted data using keys that you can't recover - this could be the case by using 3rd party encryption tools or EFS without Domain membership.

    What do you think?

  • Anonymous
    May 19, 2006
    My understanding is the same; the s3 enforcement is basically the crypto equivalent of being forced to open a secure vault on production of a warrant.

    It also doesn't seem to state any requirement to provide "enabling" technology; merely an obligation on a keyholder to present the key if served with a notice; from s49:

    "(2) If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds-

         (a) that a key to the protected information is in the possession of any person,

    ...

    the person with that permission may, by notice to the person whom he believes to have possession of the key, impose a disclosure requirement in respect of the protected information."