Trustwave Admits It Issued A Certificate To Allow Company To Run Man-In-The-Middle Attacks

from the wow dept

We've pointed out for years that the whole structure of SSL certificate-based security is open to attack via man-in-the-middle attacks... if you can somehow get a certificate authority to grant you a fake certificate. Of course, the protection against that was supposed to be that a certificate authority wouldn't do that. But what if one did? Certificate authority Trustwave has admitted that it issued a certificate to a company that allowed it to issue "valid" certs for any server. Basically, it gave a company the ability to do any kind of man-in-the-middle attack it wanted on employees. Trustwave has admitted to all this after revoking the certificate. They insist that the structure was limited so that it could only be used internally on the network. But, while it was out there, it basically allowed this company to effectively spy on employee activities, allowing the company to do man-in-the-middle attacks, as employees logged into private ("encrypted") accounts from their own devices, and see what they were doing. Considering this certificate was issued for "loss prevention," it's not hard to guess how it was used.

Either way, it's pretty scary that Trustwave would think it was a reasonable move to allow this kind of activity, no matter how carefully the company believes it was set up. In a world where people have perfectly valid reasons for using private personal internet services from the workplace, they should be able to trust that those connections are secure. Thanks to Trustwave's deal with this (unnamed) company, that was not the case. On top of that, there's no telling if other certificate authorities are doing the same thing elsewhere, significantly compromising SSL security.

In the end, this is a significant reminder that certificate-based security systems have serious weaknesses, and that the certificate authorities might not always be trustworthy...

Filed Under: certificate authorities, man in the middle, privacy, secure certificates, security, ssl
Companies: trustwave


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Josh in CharlotteNC (profile), 9 Feb 2012 @ 8:10am

    Re: Re: Re:

    Does a normal Windows computer trusts those certificates by default? This is a bit scary if it is.

    I wish I could give you a simple answer, but there isn't one. Some root certificate authorities are trusted by default, yes, and they are generally the big names like Verisign, Thawte, Equifax, GoDaddy and such. But just because you trust a root CA doesn't mean you trust all certs they have issued. There are also intermediate certificates. And then also resellers and affiliates who also issue certs.

    Confused yet? It's about to get worse.


    Can you elaborate on that?

    This is what happened to DigiNotar.

    http://www.techdirt.com/articles/20110830/13243615741/evidence-suggests-diginotar-who- issued-fraudulent-google-certificate-was-hacked-years-ago.shtml

    They're a small Dutch company that issued certs. They got hacked by suspected Iranian (state sponsored) hackers as a way to monitor secure communications over Google services.

    Once the full extent of the breach became known, a lot of their certs were blacklisted, including an intermediate certificate used by the Dutch government for their Tax and Customs Administration. It then became difficult to impossible for Dutch citizens to login to the site and pay their taxes.

    That's just a small CA - ramifications were felt by Dutch citizens and whoever in Iran had their Gmail intercepted. What happens if Verisign's CA business (owned by Symantec now) has a massive breach? What if it appears that they were knowingly issuing false certs to a government for the purpose of monitoring their citizens? They control >40% market share. They get blacklisted and that's millions of people unable to login to the bank accounts and investments. Thousands of businesses like Amazon who can't process payments.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.