
Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

Posted Feb 9, 2012 17:37 UTC (Thu) by josh (subscriber, #17465)
In reply to: Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld) by josh
Parent article: Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

To clarify: it does seem unfortunate to apply this policy to a CA which came forward, admitted the problem, and revoked the certificate in question. However, given the *huge* amount of trust placed in CAs, and that the issuance of this certificate blatantly violates any and all sensible policies for certificate authorities, I don't see how Mozilla can do otherwise.

At a minimum, after clarifying their CA policy with an appropriate amount of "no really"s, CAs need re-validation against the new policy.


to post comments

Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

Posted Feb 9, 2012 17:47 UTC (Thu) by josh (subscriber, #17465) [Link] (2 responses)

Reading the comments in the bug, someone suggested a potentially viable solution: mark the TrustWave root as not allowing any intermediate CA roots. Given the standard practice of issuing one intermediate certificate from an offline CA root and never signing user certificates with the root, Mozilla would need to whitelist the one legitimate CA root, but that seems acceptable.

Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

Posted Feb 9, 2012 18:30 UTC (Thu) by JoeBuck (subscriber, #2330) [Link] (1 responses)

My company (and no doubt many others) uses a Trustwave certificate for its Exchange server and other internal sites, so not trusting Trustwave isn't really an option.

A possible alternative for authorities known to operate in this manner is to have a way of trusting the cert only within a particular domain, say *.mycompany.com.
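As an added illustration that is not part of the thread, nor code from LWN, Mozilla or Trustwave, the following stdlib-only Python model shows how the two trust-store restrictions proposed above work under the path-validation rules of RFC 5280 section 6.1: a pathLenConstraint of 0 on a root (josh's suggestion, which forbids any intermediate CA below it) and a Name Constraints extension limiting the root to one DNS subtree (JoeBuck's suggestion; X.509 expresses "*.mycompany.com" as the permitted subtree "mycompany.com", which covers that name and every subdomain). The validator is the general chain-processing loop of which the two proposals are special cases. Certificate records, subject names and hostnames are constructed for the example; signatures are assumed valid and are not checked, and treating the trust anchor's own constraints as binding is an implementation choice that RFC 5280 leaves open.

```python
"""Constructed model of two X.509 trust-store restrictions (not LWN, Mozilla or CA code):
 * pathLenConstraint on a root: caps how many CA certificates may follow it, so
   pathlen:0 forbids any intermediate CA under that root.
 * Name Constraints (permittedSubtrees, dNSName): limits the names any certificate
   below the constraining CA may carry.
Certificates are plain records; signatures are assumed valid and are not checked.
The trust anchor is processed like any other CA so that constraints placed on it
in the trust store take effect (RFC 5280 6.1.1 leaves this to the implementation).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Cert:
    subject: str
    is_ca: bool = False                 # basicConstraints cA flag
    path_len: Optional[int] = None      # basicConstraints pathLenConstraint (None = absent)
    permitted_dns: List[str] = field(default_factory=list)  # nameConstraints permittedSubtrees
    san_dns: List[str] = field(default_factory=list)        # subjectAltName dNSName entries


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: the subtree 'example.com' covers example.com and every subdomain."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    return name == subtree or name.endswith("." + subtree)


def hostname_matches(pattern: str, host: str) -> bool:
    """Match a SAN entry against the requested host; only a leftmost '*.' wildcard is honoured."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def validate_path(chain: List[Cert], hostname: str) -> Tuple[bool, str]:
    """chain is ordered trust anchor first, end-entity certificate last (RFC 5280 6.1 order)."""
    if len(chain) < 2:
        return False, "need a trust anchor and an end-entity certificate"
    permitted: List[List[str]] = []     # permittedSubtrees collected from CAs above the current cert
    max_path_length = len(chain)        # RFC 5280 6.1.2 initial value
    for depth, cert in enumerate(chain):
        # Every DNS name in this certificate must lie inside all constraints imposed above it.
        for name in cert.san_dns:
            for subtrees in permitted:
                if not any(dns_in_subtree(name, s) for s in subtrees):
                    return False, f"{cert.subject}: {name} is outside permitted subtrees {subtrees}"
        if depth == len(chain) - 1:
            break                       # end-entity: no further issuers to prepare for
        # RFC 5280 6.1.4: prepare for the next certificate in the path.
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA, cannot issue certificates"
        if max_path_length <= 0:
            return False, f"{cert.subject}: pathLenConstraint of an issuer above it is exceeded"
        max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
        if cert.permitted_dns:
            permitted.append(cert.permitted_dns)
    leaf = chain[-1]
    if not any(hostname_matches(p, hostname) for p in leaf.san_dns):
        return False, f"{leaf.subject}: no subjectAltName covers {hostname}"
    return True, "chain accepted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios mirroring the thread; names are illustrative, not real certificates."""
    customer_sub_ca = Cert("Customer sub-CA", is_ca=True)
    external_leaf = Cert("www.bank.example", san_dns=["www.bank.example"])
    internal_leaf = Cert("mail.mycompany.com", san_dns=["mail.mycompany.com"])

    root = Cert("CA root (unconstrained)", is_ca=True)
    root_pathlen0 = Cert("CA root (pathlen:0)", is_ca=True, path_len=0)
    root_named = Cert("CA root (DNS:mycompany.com only)", is_ca=True, permitted_dns=["mycompany.com"])
    return {
        # Unconstrained root: a sub-CA may issue for any name; this is the problem in the article.
        "unconstrained": validate_path([root, customer_sub_ca, external_leaf], "www.bank.example"),
        # josh's proposal: pathlen:0 on the root rejects anything issued through a sub-CA ...
        "pathlen0_via_sub_ca": validate_path([root_pathlen0, customer_sub_ca, external_leaf], "www.bank.example"),
        # ... while direct issuance from that root still works for the company's own servers.
        "pathlen0_direct": validate_path([root_pathlen0, internal_leaf], "mail.mycompany.com"),
        # JoeBuck's proposal: confine the root to mycompany.com; external names fail even via a sub-CA,
        "named_external": validate_path([root_named, customer_sub_ca, external_leaf], "www.bank.example"),
        # and the company's internal certificates keep validating.
        "named_internal": validate_path([root_named, customer_sub_ca, internal_leaf], "mail.mycompany.com"),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:22s} {'ACCEPT' if ok else 'REJECT':6s} {why}")
```

Running the script prints one ACCEPT/REJECT line per scenario. The interesting contrast is between the two constrained roots: pathlen:0 stops every sub-CA, so it only suits a root that issues end-entity certificates directly (josh notes that real roots usually issue through one intermediate, which would then need whitelisting), whereas the name constraint leaves the sub-CA in place but confines everything beneath it to the company's own names.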

Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

Posted Feb 9, 2012 18:36 UTC (Thu) by josh (subscriber, #17465) [Link]

Certificates issued for internal sites don't cause the problem mentioned in this article, unless you have a certificate which can in turn sign other certificates. You almost certainly don't.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds