Trustwave admits issuing man-in-the-middle digital certificate; Mozilla debates punishment

[InfoSec News <alerts () infosecnews org>]

http://www.computerworld.com/s/article/9224082/Trustwave_admits_issuing_man_in_the_middle_digital_certificate_Mozilla_debates_punishment

By Lucian Constantin
IDG News Service
February 8, 2012

Digital Certificate Authority (CA) Trustwave revealed that it has issued 
a digital certificate that enabled an unnamed private company to spy on 
SSL-protected connections within its corporate network, an action that 
prompted the Mozilla community to debate whether the CA's root 
certificate should be removed from Firefox.

The certificate issued by Trustwave is known as a subordinate root and 
enabled its owner to sign digital certificates for virtually any domain 
on the Internet. The certificate was to be used within a private network 
within a data loss prevention system, Trustwave said in a blog post on 
Saturday.

The CA took steps to ensure that the subordinate root could not be 
stolen or abused. The certificate was stored in a Hardware Security 
Module, a device built specifically for the management of digital keys, 
which ensured that its extraction was impossible, Trustwave said.

The company also performed on-site physical security audits to make sure 
that the system can't be removed from the premises and used to intercept 
SSL-encrypted (Secure Sockets Layer-encrypted) traffic on another 
network.

[...]


_____________________________________________________
Did a friend send you this article? Make it your
New Year's Resolution to subscribe to InfoSec News!
http://www.infosecnews.org/mailman/listinfo/isn