Trustwave Admits It Issued A Certificate To Allow Company To Run Man-In-The-Middle Attacks

from the wow dept

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

We've pointed out for years that the whole structure of SSL certificate-based security is open to attack via man-in-the-middle attacks... if you can somehow get a certificate authority to grant you a fake certificate. Of course, the protection against that was supposed to be that a certificate authority wouldn't do that. But what if one did? Certificate authority Trustwave has admitted that it issued a certificate to a company that allowed it to issue "valid" certs for any server. Basically, it gave a company the ability to do any kind of man-in-the-middle attack it wanted on employees. Trustwave has admitted to all this after revoking the certificate . They insist that the structure was limited so that it could only be used internally on the network. But, while it was out there, it basically allowed this company to effectively spy on employee activities, allowing the company to do man-in-the-middle attacks, as employees logged into private ("encrypted") accounts from their own devices, and see what they were doing. Considering this certificate was issued for "loss prevention," it's not hard to guess how it was used.Either way, it's pretty scary that Trustwave would think it was a reasonable move to allow this kind of activity, no matter how carefully the company believes it was set up. In a world where people have perfectly valid reasons for using private personal internet services from the workplace, they should be able to trust that those connections are secure. Thanks to Trustwave's deal with this (unnamed) company, that was not the case. On top of that, there's no telling if other certificate authorities are doing the same thing elsewhere, significantly compromising SSL security.In the end, this is a significant reminder that certificate-based security systems have serious weaknesses, and that the certificate authorities might not always be trustworthy...

Filed Under: certificate authorities, man in the middle, privacy, secure certificates, security, ssl

Companies: trustwave