
Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

Posted Feb 9, 2012 22:09 UTC (Thu) by raven667 (subscriber, #5198)
In reply to: Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld) by rriggs
Parent article: Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

> You don't need a subordinated root of a trusted CA to do it.

It's true that the traditional way of setting up a DLP/firewall/SSL proxy is to use an internal CA that is trusted by the clients. I can only imagine that the customer didn't want the administrative overhead of touching every machine to load certs, or had some clients they couldn't touch that they still needed policy enforcement on. Signing a subroot which will be trusted by the majority of clients is a technically easy way around this, but clearly even Trustwave agrees that this is a bad idea, which is why they have very publicly stopped doing it.

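The sub-root arrangement raven667 describes above, as an added example that is not part of the thread (Go, standard library only): it builds a constructed chain in which a publicly trusted root signs a customer sub-CA that then mints a certificate for a host the customer does not own, shows that ordinary path validation accepts it, and shows the key-pinning check that exposes it. Every name, key and the hostname mail.example.net are constructed for the example; no real CA is involved.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate for cn signed by signer (nil parent = self-signed root).
func issue(cn string, ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: x509.KeyUsageCertSign}
	if !ca { // a leaf is a server certificate for cn, not a signer
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
	}
	if parent == nil {
		parent, signer = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, priv
}
// InterceptedChain is the constructed scenario (no real CA or key): a trusted root signs a customer sub-CA, which mints a leaf for a host the customer does not own.
func InterceptedChain() (leaf, subCA, root *x509.Certificate) {
	root, rootKey := issue("Example Public Root", true, nil, nil)
	subCA, subKey := issue("Customer DLP Sub-CA", true, root, rootKey)
	leaf, _ = issue("mail.example.net", false, subCA, subKey)
	return
}
// ChainValid is the browser's view: any path to a trusted root passes, so the interception leaf verifies.
func ChainValid(leaf, subCA, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(subCA)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}
// IssuerPinned is the key-pinning check that exposes interception: the issuer must carry the SPKI hash the site operator published, not merely be some CA the root store trusts.
func IssuerPinned(leaf, issuer *x509.Certificate, pin [32]byte) bool {
	return leaf.CheckSignatureFrom(issuer) == nil && sha256.Sum256(issuer.RawSubjectPublicKeyInfo) == pin
}
```

With a pin published for the site's real issuer, ChainValid reports true for the intercepting chain while IssuerPinned reports false, which is the signal a monitoring client or a pinning-aware browser acts on.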

Trustwave admits issuing man-in-the-middle digital certificate (ComputerWorld)

Posted Feb 10, 2012 9:02 UTC (Fri) by farnz (subscriber, #17727)

The thing that makes this obnoxious is that you can get policy enforcement with an internal-only CA - it's just that you have to get clients to accept that the CA chain is broken if you cannot install the internal CA certificate on them.

Breaking the supposed identity guarantees of SSL for the benefit of one company's monitoring system is a bad move - what would have happened if (for example) that company had turned out to be a hotel chain, using it to snoop on visitors' use of private e-mail and the like?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds