

Clarifying The Trustwave CA Policy Update - mukyu
http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html

======
owens
I cannot understand why there's so much discussion about SSL/TLS cert
compromises, loads of speculation about Verizon's security issues and their CA
operation, yet virtually no concern over this.

Trustwave may have taken steps to limit the risk of their action, but the fact
remains that they gave a private company the ability to launch a perfect MITM
attack - and they state that it is "common practice" amongst "many of our
peers in the industry".

As mukyu notes, a corporation can easily do this today with an in-house CA,
but that's visible to their users - Trustwave enabled them to have an
invisible MITM, detectable only if someone collected certs inside the proxy
and compared them with those outside, or used some form of certificate
pinning. That's perfectly aligned with the goal of "Data Loss Prevention" -
the customer wanted to catch employees stealing corporate data, and didn't
want them to know that they were being spied on.

I'd argue that this behavior is much worse than simple sloppiness, because the
CA is making a conscious business decision that puts the integrity of the PKI
system at risk. And if what Trustwave says is true, with "many" other CAs
offering the same product, it's unlikely that we can fix this by simply
pulling certs out of the browser caches.

------
mukyu
For context:
[http://comments.gmane.org/gmane.comp.security.ssl.observator...](http://comments.gmane.org/gmane.comp.security.ssl.observatory/152)

Basically, a CA gave someone a cert that allows them to make and sign their
own certs (for any domain) for the express purpose of allowing them to snoop
on all ssl traffic on their network. They even imply that other CAs have and
will do the same (even though they apparently changed their minds about
allowing it). We need not worry about CAs being incompetent (see comodo and
other issues) when they will intentionally engage in undermining the entire
PKI system.

Note that a corporate entity that really wanted to do this could just as
easily make their own root cert and install it on all of the devices they
control and accomplish the same goal without endangering the entire system.

