Even though Trustwave has revoked the SSL certificate that allowed a company to eavesdrop on SSL traffic, the Mozilla community wants the CA removed as a trusted authority.
After a certificate authority (CA) admitted to issuing a digital certificate that was used to monitor employees' encrypted communications, Mozilla is being asked to revoke that CA as a trusted root.
In the past, Trustwave issued a subordinate root certificate to a private company that allowed the owner to "transparently manage" employees' encrypted Web traffic. Trustwave has decided to revoke the certificate for the unnamed company and has pledged to stop issuing these types of certificates to enterprises, Nicholas Percoco, senior vice-president of Trustwave and head of Trustwave SpiderLabs, wrote Feb. 4 on the company's Anterior blog. Even though Trustwave was confident the certificates issued in this context could not be stolen or abused, "events of the last year" led to the decision to stop this practice, said Percoco.
The certificate was issued to a private company, "and not to a 'government,' 'ISP' or to 'law enforcement,'" said Percoco.
The subordinate root certificate issued by Trustwave allows the owner to sign digital certificates for virtually any domain on the Internet and have them accepted by Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and other major Web browsers. It was intended to be used within a private network as part of a data-loss-prevention (DLP) system, said Percoco. Employees surfing the Web would pass through the DLP system before reaching the Website. Because the system's subordinate certificate signed the server certificates presented to employees, encrypted traffic from Websites secured with the Secure Sockets Layer (SSL) protocol could still be monitored by the company.
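The interception described above works only because the subordinate certificate chains to a root that every browser already trusts, so ordinary path validation accepts whatever it signs. As an added illustration (not code from the article, Trustwave or Mozilla), the following Python models that chain check beside an issuer-pinning check, one client-side control that flags a certificate minted by an unexpected intermediate; all certificate names and key bytes are constructed placeholders, and no signatures are actually verified.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, no real crypto)."""
    subject: str
    issuer: str
    spki: bytes          # placeholder for the SubjectPublicKeyInfo bytes
    is_ca: bool
    sans: tuple = ()     # dNSName entries in subjectAltName

def spki_sha256(cert):
    """Hex SHA-256 of the public key, the value HPKP-style pins are compared against."""
    return hashlib.sha256(cert.spki).hexdigest()

def chains_to_trusted_root(chain, roots, hostname):
    """Simplified browser path validation: leaf names the host, each issuer is the
    next cert's subject and a CA, and the last issuer is in the trust store."""
    leaf = chain[0]
    if hostname not in leaf.sans or leaf.is_ca:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject or not parent.is_ca:
            return False
    return chain[-1].issuer in roots

def issuer_is_pinned(chain, pins):
    """Pinning: the leaf's direct issuer must have a public key on the pin list."""
    return len(chain) >= 2 and spki_sha256(chain[1]) in pins

def classify(chain, roots, pins, hostname):
    """Label a presented chain from a defender's point of view."""
    if not chains_to_trusted_root(chain, roots, hostname):
        return "untrusted"
    return "trusted" if issuer_is_pinned(chain, pins) else "trusted-but-unpinned-issuer"

# Constructed trust store and chains modelling the article's scenario.
ROOT = Cert("Example Root CA", "Example Root CA", b"root-key", True)
ROOTS = {ROOT.subject: ROOT}
PUBLIC_ICA = Cert("Example Public Issuing CA", ROOT.subject, b"public-ica-key", True)
DLP_ICA = Cert("Corp DLP Subordinate CA", ROOT.subject, b"dlp-subordinate-key", True)
GENUINE_CHAIN = [Cert("mail.example.com", PUBLIC_ICA.subject, b"mail-key", False,
                      ("mail.example.com",)), PUBLIC_ICA]
INTERCEPTED_CHAIN = [Cert("mail.example.com", DLP_ICA.subject, b"dlp-minted-key", False,
                          ("mail.example.com",)), DLP_ICA]
PINS = {spki_sha256(PUBLIC_ICA)}  # the issuer the site is known to use

if __name__ == "__main__":
    for name, chain in (("genuine", GENUINE_CHAIN), ("intercepted", INTERCEPTED_CHAIN)):
        print(name, classify(chain, ROOTS, PINS, "mail.example.com"))
```

Both chains pass the trust-store check, which is the article's point; only the pin check separates the DLP-minted certificate from the genuine one.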
"We did not take the decision to enable this system lightly," and Trustwave took extra steps to ensure it couldn't be abused, Brian Trzupek, Trustwave's vice president for managed identity and authentication, wrote in a thread on Bugzilla, Mozilla's online bug-tracking system. The conversation was in response to a bug filed by a user asking that Trustwave be removed from Mozilla's list of trusted root certificates.
"We did not create a system where the customer could generate ad-hoc SSL certificates and extract the private keys to be used outside this device," said Trzupek.
The certificate was stored inside the system's Hardware Security Module, a device developed specifically to manage digital keys. "Once the trusted subordinate root was placed into the device, it could not be extracted," said Percoco. The unnamed customer also conducted extensive audits of its physical security to make sure there was no way the system could be moved off-premises and used to snoop on a different network.
Trustwave did not revoke the certificate because there was a problem or compromise within the customer's system, but because of "major SSL events that occurred last year," said Trzupek.
Over the summer, unknown attackers breached Dutch certificate authority DigiNotar and issued fraudulent credentials for Google Mail, Mozilla's add-on service and other sensitive sites. Comodo also was breached, but it managed to revoke the fake SSL certificates before they could be used. GlobalSign conducted an exhaustive audit after reports that it had been breached by attackers, but claimed it was secure.
Trustwave sold a certificate knowing that it would be used to perform active man-in-the-middle interception of HTTPS traffic, Christopher Soghoian, a privacy activist, said in response to Trzupek's post. The fact that Trustwave has abandoned the practice is not enough, since the "damage is done," he said.
"With root certificate power comes great responsibility. Trustwave has abused this power and trust, and so the appropriate punishment here is death (of its root certificate)," said Soghoian.
Mozilla is still "evaluating" the incident and has "not yet decided on a course of action," Jonathan Nightingale, Mozilla's director of Firefox engineering, wrote in an email. However, Nightingale praised Trustwave for revoking the subordinate certificate and encouraged other CAs with similar certificates to follow Trustwave's example.
Although Trustwave claimed this was a "common practice" within the industry, it is not clear how widespread the practice is among other certificate authorities, and very few CAs are talking. "This is a highly unusual activity," said Mark Bower, vice president of Voltage Security.
A "Hardware Provider" approached Comodo with a "sizeable offer" to issue a subordinate root certificate that could be used for "intercepting" purposes, but the company declined because "it didn't fit our philosophy of end-user protection," Melih Abdulhayoglu, president and CEO of Comodo, wrote in an email.