Certificate authority Trustwave has admitted selling a digital certificate for a customer to eavesdrop on encrypted employee traffic. Software developer Mozilla is now considering whether to revoke trust in Trustwave's root certificates.
Trustwave admitted selling the root certificate, which it has now revoked, in a blog post on Saturday.
"This single certificate was issued for an internal corporate network customer and not to a 'government', 'ISP' or to 'law enforcement'," said the blog post. "It was to be used within a private network within a data loss prevention (DLP) system." Trustwave said that the subordinate root certificate was stored in a Hardware Security Module, a piece of encryption equipment which also generated SSL keys to re-sign intercepted traffic.
"No party had access to the re-signed SSL certificate private keys at any time, nor could they gain access to them," said Trustwave. "This is what prevented the customer from being able to perform ad hoc issuance of certificate for any domain and use them outside of this hardware and infrastructure."
One problem with using digital certificates as an online trust mechanism is that if a party manages to hijack or create its own certificates, it can fool browsers into accepting it as another entity on the internet.
On Wednesday Trustwave's admission sparked a debate on Mozilla's bug-tracking system, Bugzilla, as to whether Firefox-developer Mozilla should revoke trust in Trustwave for its actions.
"The most important detail to focus on, is that Trustwave knew when it issued the certificate that it would be used to sign certificates for websites not owned by Trustwave's corporate customer," said privacy expert Christopher Soghoian. "That is, Trustwave sold a certificate knowing that it would be used to perform active man-in-the-middle interception of HTTPS traffic." A man-in-the-middle attack is when a third party eavesdrops on a communication by hijacking and relaying messages between parties.
Soghoian called for Mozilla to revoke trust in Trustwave's root certificate, an action that could have serious consequences for Trustwave.
"With root certificate power comes great responsibility," said Soghoian. "Trustwave has abused this power and trust, and so the appropriate punishment here is death (of its root certificate)."
Trustwave insisted that it had audited its customer's physical and network security, and its security policies.
"The system was used only for routing internal corporate traffic and not in any other way," Trustwave's vice president for managed identity and authentication Brian Trzupek said in the Mozilla discussion. "In addition, our on-site audit focused on physical security and controls around the appliances to ensure that the boxes could not be physically taken from the facility to be placed on other networks to route traffic there."
Mozilla is considering whether to remove Trustwave's root certificate from its certificate authority store, an action which would mean Mozilla products would not trust Trustwave certificates. For example, people using Firefox to visit a website with a Trustwave certificate would get an error message saying the site is not trusted.
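As an added illustration, not part of this article or of any vendor's code, the following Go program (standard library only, every name constructed) builds the hierarchy described above: a root, a subordinate CA handed to a customer, and a leaf certificate the appliance mints on the fly for a site the customer does not own. It shows that a client trusting the root accepts that leaf for any host name, and that removing the root from the store, the step Mozilla is weighing, is what makes the client reject it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA { // a CA certificate must be permitted to sign other certificates
		t.KeyUsage = x509.KeyUsageCertSign
	} else { // a server certificate; Go matches the host name against SANs, not the CN
		t.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepts reports whether a client whose trust store is exactly `store` would accept
// leaf for dnsName, given the intermediate the appliance sends alongside it.
func accepts(leaf, inter *x509.Certificate, store *x509.CertPool, dnsName string) bool {
	ip := x509.NewCertPool()
	ip.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: store, Intermediates: ip})
	return err == nil
}

// Outcomes builds the constructed hierarchy (public root, customer DLP sub-CA, leaf for a
// site the customer does not own) and reports whether a client accepts that leaf while
// the root is in its store, and whether it still does once the root has been removed.
func Outcomes() (whileTrusted, afterRemoval bool) {
	root, rootKey := issue("Example Public Root CA", true, nil, nil)
	sub, subKey := issue("Example Customer DLP Sub-CA", true, root, rootKey)
	leaf, _ := issue("mail.example.org", false, sub, subKey)
	withRoot, withoutRoot := x509.NewCertPool(), x509.NewCertPool() // never the system roots
	withRoot.AddCert(root)
	return accepts(leaf, sub, withRoot, "mail.example.org"), accepts(leaf, sub, withoutRoot, "mail.example.org")
}
```

The same check, run against a site's real chain, is how a client can notice that a certificate for a domain was issued by an unexpected subordinate CA rather than by the domain owner's usual issuer.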
"We're still evaluating the reports from Trustwave, and have not yet decided on a course of action," Mozilla said in a statement on Thursday. "In the interim, we are pleased to hear that this subordinate certificate is being revoked. We encourage any other CAs with similar certificates to follow Trustwave's example of disclosure and revocation."
Revoking trust in a company's root certificate or certificates can destroy the organisation. Multiple organisations revoked trust in DigiNotar after a hack attack, forcing the certificate authority into bankruptcy in September.