Security Experts:

Trustwave Explains Subordinate Certificate Logic

Trustwave captured the public’s attention over the weekend, when its policy regarding subordinate root certificates led to the discovery that one of its customers used them to monitor their employee’s SSL communications. Reacting to the public’s ire, Trustwave explained the incident on its company blog, and promised to end the practice moving forward.

A subordinate root certificate can allow the company who owns it to sign digital certificates for just about any domain on the Internet. While they are a known factor in the world of SSL, such things are rarely issued on a whim, simply because of the risks involved should they ever be compromised.

In this case, an unknown company was provided subordinate root certificate for the sole purpose of monitoring their internal network. Trustwave made sure to point out that the company was a private business and in no way did they issue such a certificate to a government entity, ISP or law enforcement agency. The subordinate itself was stringent with security measures, including a physical security assessment by Trustwave.

“It was to be used within a private network within a data loss prevention (DLP) system,” the company said on its blog.

The system designed for the customer used dedicated hardware designed for SSL proxy and acceleration, along with a FIPS-140-2 Level 3 compliant Hardware Security Module (HSM) for subordinate root storage, Trustwave explained. Again, this was done to provide their customer with the means for private key generation of the re-signed SSL certificates.

“Trustwave has decided to be open about this decision as well as stating that we will no longer enable systems of this type and are effectively ending this short journey into this type of offering,” the blog added.

Such a set-up would have allowed the company to monitor their network traffic, and see what their employees were up to, even if the Internet traffic was over SSL. This would have included visits to GMail, Facebook, and other SSL protected destinations on the Web that employees are often prone to visit during the working day.

In addition, with regards to security, generating their own SSL for a given domain would have allowed the company’s DLP policy’s to flag instances of sensitive work being emailed or stored offsite.

While Trustwave has stated that they will no longer offer such power to a private company, nor will they consider such a solution in the future, the question that remains in the aftermath of the incident focuses on the other CAs. Have they issued subordinate roots before, and if so, were they issued to ISPs, governments, or law enforcement?

As one would expect, other CAs are silent on the issue.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.