Mozilla officials are preparing to send a letter to the certificate authorities that are part of its root CA program, warning them about issuing so-called man-in-the-middle certificates for systems that the CA does not actually own. The message comes on the heels of an incident in which Trustwave, a CA, issued a certificate that enabled a corporate customer to eavesdrop on the SSL-protected sessions of its employees.
That incident has generated a tremendous amount of controversy and finger-pointing in the security industry. Although Trustwave officials revoked the certificate themselves and apologized for the incident, security experts and privacy advocates questioned why the certificate was issued in the first place and whether there were more such certs lurking out there. Trustwave officials said that it was a one-time deal and that the company would not be making such deals again in the future.
Though Mozilla officials have decided not to impose the ultimate penalty of removing Trustwave from its trusted root list, the company is planning to send a letter to all of the CAs in that program, letting them know that the issuance of subordinate certificates for the purpose of eavesdropping on traffic–whether on the company’s own network or elsewhere–would not be tolerated.
“Subordinate CAs chaining to CAs in Mozilla’s root program cannot be used for MITM or traffic management of domain names or IPs that the party does not legitimately own or control, regardless of whether it is in a closed and controlled environment or not. Please review all of your subordinate CAs to make sure that they cannot be used in this way. Any existing subordinate CAs that can be used for that purpose must be revoked and any corresponding HSMs destroyed as soon as possible,” Kathleen Wilson of Mozilla says in a draft letter to be sent to CAs soon.
“If it is found that a subordinate CA is being used for MITM, we will take action to mitigate, including and up to removing the corresponding root certificate. Based on Mozilla’s assessment, we may also remove any of your other root certificates, and root certificates from other organizations that cross-sign your certificates.”
Mozilla also plans to ask the CAs to scan all of their extended-validation SSL certificates that have been issued to determine whether they meet all of the requirements laid out for those certs. Trustwave, in its statement on the incident, said that the company had only issued the one certificate that was questionable and made the decision on its own to revoke it.
“This single certificate was issued for an internal corporate network customer and not to a ‘government’, ‘ISP’ or to ‘law enforcement’. It was to be used within a private network within a data loss prevention (DLP) system. The subordinate certificate was subject to a Certification Practice Statement (CPS), Subscriber Agreement and Relying Party Agreement crafted by Trustwave after an audit of the customer physical security, network security, and security policies,” Nicholas Percoco of Trustwave’s SpiderLabs said. “Trustwave has decided to be open about this decision as well as stating that we will no longer enable systems of this type and are effectively ending this short journey into this type of offering.”
The explanation from Trustwave didn’t sit well with everyone, however. Chris Soghoian, a security and privacy researcher, said in a discussion on Mozilla’s Bugzilla system that the mere issuance of the one certificate shows the existence of a problem.
“The most important detail to focus on, is that Trustwave knew when it issued the certificate that it would be used to sign certificates for websites not owned by Trustwave’s corporate customer. That is, Trustwave sold a certificate knowing that it would be used to perform active man-in-the-middle interception of HTTPS traffic. This is very very different than the usual argument that is used to justify ‘legitimate’ intermediate certificates: the corporate customer wants to generate lots of certs for internal servers that it owns. Regardless of the fact that Trustwave has since realized that this is not a good business practice to be engaged in, the damage is done,” Soghoian wrote.
There’s no set date for when Wilson plans to send the letter to the CAs, but the companies likely will have about two months in which to comply with the mandates in the communication.