Trustwave Admits It Issued A Certificate To Allow Company To Run Man-In-The-Middle Attacks

from the wow dept

We've pointed out for years that the whole structure of SSL certificate-based security is open to attack via man-in-the-middle attacks... if you can somehow get a certificate authority to grant you a fake certificate. Of course, the protection against that was supposed to be that a certificate authority wouldn't do that. But what if one did? Certificate authority Trustwave has admitted that it issued a certificate to a company that allowed it to issue "valid" certs for any server. Basically, it gave a company the ability to do any kind of man-in-the-middle attack it wanted on employees. Trustwave has admitted to all this after revoking the certificate. They insist that the structure was limited so that it could only be used internally on the network. But, while it was out there, it basically allowed this company to effectively spy on employee activities, allowing the company to do man-in-the-middle attacks, as employees logged into private ("encrypted") accounts from their own devices, and see what they were doing. Considering this certificate was issued for "loss prevention," it's not hard to guess how it was used.

Either way, it's pretty scary that Trustwave would think it was a reasonable move to allow this kind of activity, no matter how carefully the company believes it was set up. In a world where people have perfectly valid reasons for using private personal internet services from the workplace, they should be able to trust that those connections are secure. Thanks to Trustwave's deal with this (unnamed) company, that was not the case. On top of that, there's no telling if other certificate authorities are doing the same thing elsewhere, significantly compromising SSL security.

In the end, this is a significant reminder that certificate-based security systems have serious weaknesses, and that the certificate authorities might not always be trustworthy...

Filed Under: certificate authorities, man in the middle, privacy, secure certificates, security, ssl
Companies: trustwave


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    LiamO (profile), 8 Feb 2012 @ 8:53pm

    I can see why companies would want to be able to man-in-the-middle outbound connections from their own corporate network. SSL/TLS can be used to tunnel... well anything really. A malware C&C channel, a way to exfiltrate corporate data etc.

    However, the correct way to implement this is the exact opposite of what Trustwave has done. An SSL proxy like Bluecoat achieves the above goal of MITM'ing corporate SSL sessions by
    1)Installing a new Trusted Root Cert on all corporate PCs
    2)Using the key for that Cert to sign a faked certificate for all outbound SSL traffic
    This way, traffic is still secure between the client and the SSL proxy (using the new certificate), and between the SSL proxy and the end website (using a normal certificate)

    As long as the private key within the SSL proxy remains secure, the system is secure (or securish... an admin from your company with access to the proxy could still sniff your SSL traffic - a good reason not to do your net banking at work)

    The important difference between an SSL proxy and the ridiculous decision by Trustwave is the failure modes of the system.

    Worst case scenarios:

    If a hacker gains access to the private key within Company A's SSL proxy, they can MITM computers that belong to Company A. Fair enough, as it was Company A's security failure that led to the key exposure in the first place.

    If a hacker gains access to the private key corresponding to the CA certificate that Trustwave issued, until somebody notices and discloses the key compromise and the certificate gets revoked, the hacker can MITM anyone, anywhere, anytime.

    See why it's not as good a solution?

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.