Mozilla executives are considering sending letters to certificate authorities (CAs) warning them that issuing subordinate root certificates would violate its root CA program policies.
The draft letter was posted on the Mozilla.dev.security.policy group a few days after Trustwave voluntarily revoked the certificate it had issued to a customer and said it would not issue similar certificates in the future. Issuing that certificate had been a one-time deal, according to Nicholas Percoco, head of Trustwave’s SpiderLabs.
“Subordinate CAs chaining to CAs in Mozillas root program cannot be used for MITM or traffic management of domain names or IPs that the party does not legitimately own or control, regardless of whether it is in a closed and controlled environment or not,” Kathleen Wilson, owner of Mozilla’s CA Certificates Module, wrote in the Feb. 12 draft.
Trustwave had issued a subordinate root that was used by an unnamed corporate customer to view and monitor employee Internet activity, even if the sessions were encrypted. The so-called man-in-the-middle-attack certificate was securely stored within a data-leak-prevention product. Trustwave decided to abandon the practice because of “events of the last year,” Percoco said.
The letter being drafted will be sent to all the CAs currently included in Mozilla’s trusted root list and warns that issuing subordinate certificates that can be used to eavesdrop on traffic would not be tolerated. Mozilla’s draft letter made it clear that it would not tolerate eavesdropping, whether the customer planned to eavesdrop only on its own network or outside its environment.
“Please review all of your subordinate CAs to make sure that they cannot be used in this way,” Wilson wrote. The review should include the extended-validation Secure Sockets Layer (SSL) certificates to make sure they aren’t also being used in this manner, according to the letter.
Existing subordinate CAs that can be used for this kind of eavesdropping purpose “must be revoked and any corresponding HSMs [hardware-security modules] destroyed as soon as possible,” Wilson said. While it is not clear when the letter will be sent out, the companies will have approximately two to three months after receiving the letter to take action, according to Wilson.
Several security and privacy experts have called on Mozilla to remove Trustwave from its trusted root list for violating trust.
“Regardless of the fact that Trustwave has since realized that this is not a good business practice to be engaged in, the damage is done,” Christopher Soghoian, a Washington, D.C.-based security and privacy researcher, wrote on a discussion thread on Mozilla’s Bugzilla bug-tracking system.
Mozilla declined to take that step, noting that Trustwave had voluntarily revoked and disclosed the issue. “We encourage any other CAs with similar certificates to follow Trustwave’s example of disclosure and revocation,” said Johnathan Nightingale, Mozilla’s director of Firefox engineering.
If a certificate authority is found to still be using man-in-the-middle certificates after the date in the letter, Mozilla will take necessary action, including removing the root certificate from its trusted list.
“Based on Mozilla’s assessment, we may also remove any of your other root certificates, and root certificates from other organizations that cross-sign your certificates,” according to the letter.
Security experts and privacy advocates questioned why Trustwave had issued the certificate in the first place, and criticized the practice. While Trustwave claimed other CAs allegedly issue similar certificates and that it was a “common practice” within the industry, no one is admitting to taking part in light of recent controversy. Comodo’s CEO Melih Abdulhayoglu claimed his company had turned down a “sizeable offer” to issue these types of certificates.