And yet again we have an example of the fundamental security model of certificate authorities: they protect you from anyone whose money they won't take.
Hopefully this leads to an immediate removal of TrustWave from browser trust roots.
Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)
Posted Feb 9, 2012 17:37 UTC (Thu) by josh (subscriber, #17465)
To clarify: it does seem unfortunate to apply this policy to a CA which came forward, admitted the problem, and revoked the certificate in question. However, given the *huge* amount of trust placed in CAs, and that the issuance of this certificate blatantly violates any and all sensible policies for certificate authorities, I don't see how Mozilla can do otherwise.
At a minimum, after clarifying their CA policy with an appropriate amount of "no really"s, CAs need re-validation against the new policy.
Posted Feb 9, 2012 17:47 UTC (Thu) by josh (subscriber, #17465)
Reading the comments in the bug, someone suggested a potentially viable solution: mark the TrustWave root as not allowing any intermediate CA roots. Given the standard practice of issuing one intermediate certificate from an offline CA root and never signing user certificates with the root, Mozilla would need to whitelist the one legitimate CA root, but that seems acceptable.
Posted Feb 9, 2012 18:30 UTC (Thu) by JoeBuck (subscriber, #2330)
My company (and no doubt many others) uses a Trustwave certificate for its Exchange server and other internal sites, so not trusting Trustwave isn't really an option.
A possible alternative for authorities known to operate in this manner is to have a way of trusting the cert only within a particular domain, say *.mycompany.com.
Posted Feb 9, 2012 18:36 UTC (Thu) by josh (subscriber, #17465)
Certificates issued for internal sites don't cause the problem mentioned in this article, unless you have a certificate which can in turn sign other certificates. You almost certainly don't.
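The two restrictions proposed in the comments above (whitelisting the one legitimate intermediate under a root, and trusting a root only within a particular domain), together with the point that only a certificate able to sign other certificates causes the problem, can be modelled as a chain check. This is an added example, not part of the thread and not any browser's code; `Cert`, `RootPolicy`, `check_chain` and all certificate names are hypothetical, and signature verification is left out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:                       # simplified stand-in for an X.509 certificate
    subject: str
    issuer: str
    is_ca: bool = False           # models the basicConstraints CA flag
    dns_name: Optional[str] = None  # host name, set on leaf certificates only

@dataclass(frozen=True)
class RootPolicy:                 # hypothetical client-side limits on one root
    allowed_intermediates: Optional[frozenset] = None  # None: any intermediate
    permitted_suffixes: Optional[tuple] = None         # None: any domain

def check_chain(chain, policy):
    """chain is ordered leaf first, root last; returns (ok, reason).
    Signature checks are out of scope for this model."""
    if len(chain) < 2:
        return False, "no issuer in chain"
    leaf, cas = chain[0], chain[1:]
    for child, parent in zip(chain, cas):
        if child.issuer != parent.subject:
            return False, "broken chain"
        if not parent.is_ca:
            return False, f"{parent.subject} may not sign certificates"
    for ca in cas[:-1]:           # everything between the leaf and the root
        if (policy.allowed_intermediates is not None
                and ca.subject not in policy.allowed_intermediates):
            return False, f"intermediate {ca.subject} not whitelisted"
    if policy.permitted_suffixes is not None:
        name = (leaf.dns_name or "").lower()
        if not any(name == s or name.endswith("." + s)
                   for s in policy.permitted_suffixes):
            return False, f"{name} outside permitted domains"
    return True, "ok"

# Constructed sample certificates (all names are made up for this example).
ROOT = Cert("Example Root", "Example Root", is_ca=True)
ISSUING = Cert("Example Issuing CA", "Example Root", is_ca=True)
SUB_CA = Cert("Customer Inspection CA", "Example Issuing CA", is_ca=True)
MAIL = Cert("mail", "Example Issuing CA", dns_name="mail.mycompany.com")
FORGED = Cert("gmail", "Customer Inspection CA", dns_name="gmail.com")

UNRESTRICTED = RootPolicy()
WHITELIST = RootPolicy(allowed_intermediates=frozenset({"Example Issuing CA"}))
SCOPED = RootPolicy(permitted_suffixes=("mycompany.com",))
```

With `UNRESTRICTED`, the chain through the subordinate CA validates for any host name; either restriction rejects it while the ordinary internal-site certificate keeps working.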
Posted Feb 9, 2012 17:40 UTC (Thu) by jimparis (subscriber, #38647)
> Hopefully this leads to an immediate removal of TrustWave from browser trust roots.
It's not clear what that would accomplish. There are plenty of CAs out there that probably did the same thing, and it seems out of place to punish TrustWave for both proactively revoking these subordinate certificates, and for publicly admitting their existence. More useful might be to say "Every other CA must similarly revoke such certificates by Feb 15; we'll start looking, and if we find any violations after that point, your CA will be immediately removed from the browser trust root forever". But as you say, the fundamental model of CAs is flawed.
Posted Feb 10, 2012 2:23 UTC (Fri) by slashdot (guest, #22014)
How about looking for those other CAs and removing them too?
Posted Feb 10, 2012 2:25 UTC (Fri) by slashdot (guest, #22014)
For instance, by offering a high reward ($10-1000k) to anyone providing the private key of a certificate that can sign trusted certificates for any domain.
Posted Feb 10, 2012 13:56 UTC (Fri) by Aissen (subscriber, #59976)
There's no need for that. The public key of that certificate and an example of a forged sub-certificate for, say, gmail.com ought to be enough proof.