Trustwave revokes "MitM" certificate, vows never to issue one again
Posted on 08 February 2012.
Certificate authority Trustwave has revoked a subordinate root certificate it had issued to a company, which used it to intercept its employees' private email communication.

"This single certificate was issued for an internal corporate network customer and not to a 'government', 'ISP' or to 'law enforcement'," explained Trustwave's security researcher Nicholas Percoco. "It was to be used within a private network within a data loss prevention (DLP) system."

The certificate allowed the company to issue unlimited SSL certificates for any server, so that the DLP solution could present a valid certificate for any connection it intercepted while inspecting outbound traffic and preventing confidential information from leaving company computers.

Trustwave has also made sure to explain that it issued the subordinate certificate only after auditing the customer's physical security, network security, and security policies, and that the certificate was placed on a dedicated hardware device, where the re-signed certificates it generated were also stored.

"When the system would accept an outbound SSL connection from within the customer network, and negotiate the session with the server outside the customer's network, the private key for the resulting re-signed SSL certificate (that is presented to the internal network) would be generated in the HSM and only live for the duration of the SSL request," wrote Percoco. "No party had access to the re-signed SSL certificate private keys at any time, nor could they gain access to them. This is what prevented the customer from being able to perform ad hoc issuance of certificates for any domain and use them outside of this hardware and infrastructure."
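The trust-model point behind this setup, as an added example that is not part of the article or of Trustwave's deployment: a Go program (standard library only) builds a constructed hierarchy of a public root, a sub-CA issued to the customer, and a mail.example.com leaf re-signed under that sub-CA, then shows that ordinary path validation accepts the re-signed chain, while comparing the leaf's public key with the genuine server's (what SPKI pinning does) reveals the substitution. All CA names, the host name and the keys are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a CA or server-leaf certificate template for cn (constructed names).
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageCertSign}
	if !ca { // server leaf: bound to its DNS name, not a signer
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	return t
}

// sign issues tmpl under parent (self-signed when parent is nil) with a fresh Ed25519 key.
// Errors are ignored because every input is fixed by this demo.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Simulate models the deployment: a public root issues a sub-CA to the customer, whose DLP box
// re-signs mail.example.com under a key of its own. It returns whether ordinary path validation
// (the only check a stock TLS client makes) accepts the re-signed chain, and whether the leaf's
// public key equals the genuine server's, which is what SPKI pinning compares.
func Simulate() (validates, sameKey bool) {
	const host = "mail.example.com"
	root, rootKey := sign(template("Public Root CA", 1, true), nil, nil)
	subCA, subKey := sign(template("Customer DLP Sub-CA", 2, true), root, rootKey)
	genuine, _ := sign(template(host, 3, false), root, rootKey)  // the real mail server's certificate
	resigned, _ := sign(template(host, 4, false), subCA, subKey) // what the DLP box presents to clients
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(subCA)
	_, err := resigned.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil, bytes.Equal(resigned.RawSubjectPublicKeyInfo, genuine.RawSubjectPublicKeyInfo)
}
```

A client that trusts the root sees a clean chain; only a client that pins the server's key (or that was told which intermediates to expect) can tell the re-signed connection apart.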

All the same, Trustwave has stated that it will no longer offer this type of certificate, even though it says other CAs are doing the same.

This practice has long been a thorn in the side of many security experts because of the strong likelihood that such certificates could be misused by governments and law enforcement agencies to spy on users.

"It's good that we now have a public example of such a deployment, it will help to raise awareness that we urgently need improvements for today's SSL trust model," commented Red Hat security and cryptography expert Kai Engert during a public discussion. "I'm not yet convinced that TrustWave should be blamed. In my opinion, if you decide to blame TrustWave, you could equally blame any CA that has issued at least one intermediate CA certificate and gave it to a different entity. [...] If anyone is to blame, it's the company who deployed the MITM device. I hope they had informed their employees. If not, shame on them."
