Trustwave admits issuing man-in-the-middle digital certificate, Mozilla debates punishment

The issuing of subordinate root certificates to companies, so they can snoop on SSL-encrypted traffic, is a common industry practice

Digital Certificate Authority (CA) Trustwave revealed that it has issued a digital certificate that enabled an unnamed private company to spy on SSL-protected connections within its corporate network, an action that prompted the Mozilla community to debate whether the CA's root certificate should be removed from Firefox.

The certificate issued by Trustwave is known as a subordinate root and enabled its owner to sign digital certificates for virtually any domain on the Internet. The certificate was to be used inside a private network, as part of a data loss prevention system, Trustwave said in a blog post on Saturday.

The CA took steps to ensure that the subordinate root could not be stolen or abused. The certificate was stored in a Hardware Security Module, a device built specifically for the management of digital keys, which ensured that its extraction was impossible, Trustwave said.

The company also performed on-site physical security audits to make sure that the system could not be removed from the premises and used to intercept SSL-encrypted (Secure Sockets Layer-encrypted) traffic on another network.

"We did not create a system where the customer could generate ad-hoc SSL certificates AND extract the private keys to be used outside this device," said Brian Trzupek, Trustwave's vice president for managed identity and authentication, in a discussion on Mozilla's bug tracker on Tuesday. "Nor could the subordinate root key ever get exported from the device."

Mozilla's community is currently debating whether the issuing of such certificates represents a breach of the software vendor's CA Certificate Policy, regardless of what security measures were put in place. CAs adhere to this Policy in order to have their root certificates trusted by Mozilla's products.

"We reserve the right to not include a particular CA certificate in our software products. This includes (but is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) would cause undue risks to users' security, for example, with CAs that knowingly issue certificates without the knowledge of the entities whose information is referenced in the certificates," Mozilla's CA Certificate Policy states.

Some users are asking Mozilla to remove Trustwave's root certificate from Firefox and Thunderbird because domain name owners were not aware that Trustwave was re-signing certificates in their name through a subordinate root. Mozilla did not immediately return a request for comment.

Trustwave defended itself by saying that the issuing of subordinate roots to private companies, so they can inspect the SSL-encrypted traffic that passes through their networks, is a common practice in the industry. However, the CA decided to stop issuing such certificates in the future and to revoke the existing ones.

"I would say that Trustwave should be commended for making this statement public, knowing that this could result in reputational damage," said Calum MacLeod, director for the EMEA region at Venafi, a company that sells certificate and digital key management products. "I believe it is commendable that they will no longer continue this practice, but the reality is in my opinion that this is a common industry practice."

Trustwave might have taken significant steps to ensure that its subordinate root will not be abused, but this is not necessarily true for all cases where companies make use of this technique.

"In the vast majority of enterprises today, there is little or no control over the security and management of private keys," MacLeod said. "In most cases, the private keys are not being protected, and system administrators are handling keys manually."

MacLeod pointed out that just because Trustwave did not issue a subordinate root certificate to a government, an ISP or a law enforcement agency does not mean that other CAs haven't done so. "Maybe it's time websites carried the same message as the telephone service; 'this session may be recorded!'," he said.

According to Amichai Shulman, chief technology officer and co-founder of security firm Imperva, there are other techniques that companies can use to snoop on SSL-encrypted traffic within their networks, and they don't require the use of such broad certificates.

"The fact that CA services are willing to issue 'weak CA' certificates to practically anyone is outrageous," Shulman said. "Not only that the effect of a compromise of such a certificates is devastating but the chances for it happening are not negligible."

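The breadth of a subordinate root, described above as the ability to sign for virtually any domain and criticized by Shulman as a "weak CA" certificate, can be checked from the certificate itself. The following is an added example, not code from Trustwave, Mozilla or the article: it uses the Python `cryptography` package to build constructed certificates (all names and the `corp.example` domain are assumptions) and flags subordinate CAs that carry no permitted DNS name constraints.

```python
# Added example; every name and certificate here is constructed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(cn, issuer_cn, issuer_key=None, permitted=None):
    """Build a CA cert; `permitted` adds critical DNS name constraints."""
    key = ec.generate_private_key(ec.SECP256R1())
    start = datetime.datetime(2024, 1, 1)
    b = (x509.CertificateBuilder()
         .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(start)
         .not_valid_after(start + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if permitted:
        nc = x509.NameConstraints([x509.DNSName(d) for d in permitted], None)
        b = b.add_extension(nc, critical=True)
    return b.sign(issuer_key or key, hashes.SHA256()), key

def unconstrained_ca(cert):
    """True if cert is a CA with no permitted DNS subtrees (can sign any domain)."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False
    if not bc.ca:
        return False
    try:
        nc = cert.extensions.get_extension_for_class(x509.NameConstraints).value
    except x509.ExtensionNotFound:
        return True
    return not any(isinstance(g, x509.DNSName) for g in nc.permitted_subtrees or [])

def audit(chain):
    """Common names of subordinate (not self-issued) CAs that are unconstrained."""
    return [c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
            for c in chain if c.issuer != c.subject and unconstrained_ca(c)]

root, root_key = make_ca("Constructed Root", "Constructed Root")
broad, _ = make_ca("Constructed Broad Sub CA", "Constructed Root", root_key)
scoped, _ = make_ca("Constructed Scoped Sub CA", "Constructed Root", root_key, ["corp.example"])
FINDINGS = audit([root, broad, scoped])  # -> ["Constructed Broad Sub CA"]
```

The check only reads the Basic Constraints and Name Constraints extensions; it does not validate signatures or revocation status.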

Lucian Constantin

IDG News Service