Unintended Man in the Middle

Monday, February 20, 2012 @ 07:02 PM gHale

Certificate authority Trustwave issued a certificate to a company allowing it to issue valid certificates for any server.

This enabled the company to listen in on encrypted traffic sent and received by its staff using services such as Google and Hotmail. Trustwave has since revoked the CA certificate and promised to refrain from issuing such certificates in future.

Advantech’s New Version of WebAccess
Cyber Report: Bad Guys Winning
Security Best Practices will Cut Downtime
Government Tries to Define Cyber Security

The CA certificate was for a data loss prevention (DLP) system, intended to prevent confidential information such as company secrets from escaping, Trustwave said. The DLP system monitored encrypted connections by acting as a man-in-the-middle, meaning it tapped into the connection and fooled the browser or email client into thinking it was communicating with the intended server. To prevent certificate errors, the DLP system needed to be able to produce a valid certificate for each connection – the Trustwave CA certificate enabled it to issue such certificates itself. The same principle works in espionage attacks and government monitoring activities.

The usual procedure for legitimate data loss prevention is for administrators to set up an internal certificate authority which, in consultation with staff and management representatives, then goes on work devices. Such a system is not, however, able to offer protection when staff are using personal devices that do not belong to the company.

Trustwave said the company that got the certificate signed a usage agreement and both the secret CA key and the fake certificates generated were securely stored in a specially tested hardware security module (HSM).

This meant it was impossible to misuse the certificate for improper purposes, Trustwave said. The company has nonetheless decided it will not do that anymore.

Leave a Reply

You must be logged in to post a comment.