Mozilla Asked to Revoke Trustwave CA for Allowing SSL Eavesdropping - Security - News & Reviews - eWeek.com | eWeek

Mozilla Asked to Revoke Trustwave CA for Allowing SSL Eavesdropping

Verfasst von
Fahmida Y. Rashid
Fahmida Y. Rashid
Feb 9, 2012
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

After a certificate authority (CA) admitted to issuing a digital certificate that was used to monitor employees’ encrypted communications, Mozilla is being asked to revoke that CA as a trusted root.

In the past, Trustwave issued a subordinate root certificate to a private company that allowed the owner to “transparently manage” employees’ encrypted Web traffic. Trustwave has decided to revoke the certificate for the unnamed company and has pledged to stop issuing these types of certificates to enterprises, Nicholas Percoco, senior vice-president of Trustwave and head of Trustwave Spider Labs, wrote Feb. 4 on the company’s Anterior blog. Even though Trustwave was confident the certificates issued in this context could not be stolen or abused, “events of the last year” led to the decision to stop this practice, said Percoco.

The certificate was issue to a private company, “and not to a ‘government,’ ‘ISP’ or to ‘law enforcement,'” said Percoco.

The subordinate root certificate issued by Trustwave allows the owner to sign digital certificates for virtually any domain on the Internet and have it accepted by Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and other major Web browsers. It was intended to be used within a private network as part of a data-loss-prevention system, said Percoco. Employees surfing the Web would be passing through the DLP system before reaching the Website. Since the system’s certificate was signing the keys, encrypted traffic from Websites secured with the Secure Sockets Layer (SSL) protocol could still be monitored by the company.

“We did not take the decision to enable this system lightly,” and Trustwave took extra steps to ensure it couldn’t be abused, Brian Trzupek, Trustwave’s vice president for managed identity and authentication, wrote in a thread on Bugzilla, Mozilla’s online bug-tracking system. The conversation was in response to a bug filed by a user asking that Trustwave be removed from Mozilla’s list of trusted root certificates.

“We did not create a system where the customer could generate ad-hoc SSL certificates and extract the private keys to be used outside this device,” said Trzupek.

The certificate was stored inside the system’s Hardware Security Module, a device developed specifically to manage digital keys. “Once the trusted subordinate root was placed into the device, it could not be extracted,” said Percoco. The unnamed customer also conducted extensive audits of its physical security to make sure there was no way the system could be moved off-premises and used to snoop on a different network.

Trustwave did not revoke the certificate because there was a problem or compromise within the customer’s system, but because of “major SSL events that occurred last year,” said Trzupek.

Over the summer, unknown attackers breached Dutch certificate authority DigiNotar and issued fraudulent credentials for Google Mail, Mozilla’s add-on service and other sensitive sites. Comodo also was breached, but it managed to revoke the fake SSL certificates before they could be used. GlobalSign conducted an exhaustive audit after reports that it had been breached by attackers, but claimed it was secure.

Trustwave sold a certificate knowing that it would be used to perform active man-in-the-middle interception of HTTPS traffic, Christopher Soghoian, a privacy activist, said in response to Tuzupek’s post. The fact that Trustwave has abandoned the practice is not enough, since the “damage is done,” he said.

“With root certificate power comes great responsibility. Trustwave has abused this power and trust, and so the appropriate punishment here is death (of its root certificate),” said Soghoian.

Mozilla is still “evaluating” the incident and has “not yet decided on a course of action,” Jonathan Nightingale, Mozilla’s director of Firefox engineering wrote in an email. However, Nightingale praised Trustwave for revoking the subordinate certificate and encouraged other CAs with similar certificates to follow Trustwave’s example.

Although Trustwave claimed this was a “common practice” within the industry, it is not clear how widespread the practice is among other certificate authorities, and very few CAs are talking. “This is a highly unusual activity,” said Mark Bower, vice president of Voltage Security.

A “Hardware Provider” approached Comodo with a “sizeable offer” to issue a subordinate root certificate that could be used for “intercepting” purposes, but the company declined because “it didn’t fit our philosophy of end-user protection,” Melih Abdulhayoglu, president and CEO of Comodo, wrote in an email.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.