Trustwave to escape 'death penalty' for SSL skeleton key

Trustwave fights backs

In a statement, Trustwave said it supplied the skeleton-key digital credential authority to a private customer - not an ISP, government or law enforcement agency - adding that the technology could not have been used outside the private network to which it was supplied. A Trustwave representative, Brian Trzupek, expanded on this explanation a little during the debate on the Mozilla list.

Trzupek said the "single subordinate root system" technology was supplied as a one-off "issued to a enterprise customer for use on their internal network - with network usage policies presented to users". He said that the decision to stop offering the technology, which he stressed was supplied with stringent safeguards, was made in light of concerns raised by the Comodo and DigiNotar hacks last year. He wrote:

We did not create a system where the customer could generate ad-hoc SSL certificates AND extract the private keys to be used outside this device. Nor could the subordinate root key ever get exported from the device. The system was used only for routing internal corporate traffic and not in any other way. In addition, our on-site audit focused on physical security and controls around the appliances to ensure that the boxes could not be physically taken from the facility to be placed on other networks to route traffic there.

The system is not being revoked because of any type of compromise or issue with the the trust of the system. The system is being revoked in light of the major SSL events that occurred last year, as we have decided to no longer enable this system or any systems of this type in the future.

Interception

Last year hackers broke into the systems of Comodo and DigiNotar, granting rights to issue themselves with fake digital credentials. The fraudulent DigiNotar certificates were later used in a man-in-the-middle attack on ordinary internet users in Iran. Users in the Islamic Republic who thought they were talking directly to Gmail, Skype and other services were actually going through an intermediary who would have been able to sniff their traffic, logs at DigiNotar revealed.

Audits of DigiNotar revealed systemic security failures that prompted browser developers to revoke its trusted status, the same sanction some would like to see applied against Trustwave.

The lingering sensitivities over the DigiNotar and Comodo hacks partially explains why such severe punishments against Trustwave are even on the table.

What Trustwave has done "is a highly unusual activity, and is essentially the Holy Grail hackers are looking for", explained Mark Bower, data protection expert and VP at Voltage Security. "This is why hackers last year penetrated PKIs [public-key infrastructures] – to issue themselves bogus certificates for interception cases, for example to snoop on Gmail, which appeared to be the goal of hackers operating for the Iranian government as was reported last year."

He added: "Trustwave is also a security auditor. It’s questionable why an audit firm would be issuing digital certificates which could be potentially used by hackers if they fell into the wrong hands."

"If an organization has the ability to intercept SSL in this ‘man-in-the-middle’ situation as reported, this makes SSL useless. Who is this entity? Why did they have this capability?" Bower asked.

SSL bashers' ball

The debate over Trustwave comes hot on the heels of news that VeriSign suffered unspecified security breaches last year. VeriSign, the 800lb gorilla of the digital certificate business, hasn't said what type of attacks it suffered from, which could be anything from isolated malware infection or denial of service attacks to a more serious compromise. This lack of detail is less than helpful.

Trustwave has come clean about issuing MitM authority but it seems unlikely that it was alone in applying this approach, another source of concern.

"Unfortunately this is meat and drink for the ‘SSL bashers’ in the industry," said Calum MacLeod, EMEA director of the enterprise key and certificate management firm Venafi.

"Trustwave should be commended for making this statement public, knowing that this could result in reputation damage. I believe it is commendable that they will no longer continue this practice, but the reality is, in my opinion, that this is a common industry practice," said MacLeod.

"Most large enterprises use this approach to be able to monitor outgoing and incoming traffic, and it is common to find an assortment of technologies between a user and a web service such as DLP [data loss prevention], performance monitoring, and customer experience monitoring technologies, which are there ostensibly to help provide users and customers’ with more efficient services."

MacLeod compared the practice to the frequent recording and monitoring of calls to bank or airline call centres, a practice frequently explained in greeting messages. He called for a sense of proportion in the debate.

Preliminary verdict

The Mozilla discussion, which has ran to 66 erudite and technically detailed posts, appears to be moving towards a conclusion - if not a consensus. Mozilla representative Kathleen Wilson suggested that Trustwave will escape sanction and that other certificate authorities will be given a period of grace to come clean if they are offering MitM technology. Those that fail to come forward and continue to extend the practice will be punished, Wilson warned.

"I have posted a draft CA Communication in the mozilla.dev.security.policy forum for review/discussion," Wilson wrote. "My intent is to make it clear that this type of behaviour will not be tolerated for subCAs chaining to roots in NSS, give all CAs fair warning and a grace period, and state the consequences if such behaviour is found after that grace period. There is also an action item for CAs to update their CP/CPS to make it clear that they will not issue subCAs for this purpose."

The suggested policy, if adopted, will draw a line under the Trustwave MitM certificate affair but is unlikely to restore complete faith in the digital certificate system that underpins trust in secure communications on the net. The present trust model, vital to e-commerce is well as privacy, was devised in the 1990s, and increasingly looks outmoded and outdated.

Alternative trust models - such as Convergence - remain largely experimental so we'll have to stick with multiple CAs and digital certificate to secure SSL for the immediate future, at least.

To paraphrase Supertramp it's not much of a trust system but it's the only one we've got. ®