Trustwave admits issuing man-in-the-middle digital certificate; Mozilla debates punishment
The issuing of subordinate root certificates to companies, so they can snoop on SSL-encrypted traffic, is a common industry practice
IDG News Service - Digital Certificate Authority (CA) Trustwave revealed that it has issued a digital certificate that enabled an unnamed private company to spy on SSL-protected connections within its corporate network, an action that prompted the Mozilla community to debate whether the CA's root certificate should be removed from Firefox.
The certificate issued by Trustwave is known as a subordinate root and enabled its owner to sign digital certificates for virtually any domain on the Internet. The certificate was to be used within a private network within a data loss prevention system, Trustwave said in a blog post on Saturday.
The CA took steps to ensure that the subordinate root could not be stolen or abused. The certificate was stored in a Hardware Security Module, a device built specifically for the management of digital keys, which ensured that its extraction was impossible, Trustwave said.
The company also performed on-site physical security audits to make sure that the system can't be removed from the premises and used to intercept SSL-encrypted (Secure Sockets Layer-encrypted) traffic on another network.
"We did not create a system where the customer could generate ad-hoc SSL certificates AND extract the private keys to be used outside this device," said Brian Trzupek, Trustwave's vice president for managed identity and authentication, in a discussion on Mozilla's bug tracker on Tuesday. "Nor could the subordinate root key ever get exported from the device."
Mozilla's community is currently debating whether the issuing of such certificates represents a breach of the software vendor's CA Certificate Policy, regardless of what security measures were put in place. CAs adhere to this Policy in order to have their root certificates trusted by Mozilla's products.
"We reserve the right to not include a particular CA certificate in our software products. This includes (but is not limited to) cases where we believe that including a CA certificate (or setting its "trust bits" in a particular way) would cause undue risks to users' security, for example, with CAs that knowingly issue certificates without the knowledge of the entities whose information is referenced in the certificates," Mozilla's CA Certificate Policy states.
Some users are asking Mozilla to remove Trustwave's root certificate from Firefox and Thunderbird because domain name owners were not aware that Trustwave was re-signing certificates in their name through a subordinate root.
"We're still evaluating the reports from Trustwave, and have not yet decided on a course of action. In the interim, we are pleased to hear that this subordinate certificate is being revoked. We encourage any other CAs with similar certificates to follow Trustwave's example of disclosure and revocation,"said Johnathan Nightingale, senior director of Firefox Engineering at Mozilla Corp.
- Social Media Education: The New Edge for Success Failure to train for social media will cost your business money. A recent report showed how digitally prepared companies can unlock up to...
- Social Media in Technology: A Unified Strategy for Success Find out how social media is sparking a new era of customer and industry-understanding in technology enterprises and how industry leaders are overcoming...
- How Network Connections Drive Web Application Performance Users around the globe, on all sorts of devices, expect Web applications to function as seamlessly as desktop applications. This paper discusses the...
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer... All Internet White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!