Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

Trustwave Explains Subordinate Certificate Logic

Trustwave captured the public’s attention over the weekend, when its policy regarding subordinate root certificates led to the discovery that one of its customers used them to monitor their employee’s SSL communications. Reacting to the public’s ire, Trustwave explained the incident on its company blog, and promised to end the practice moving forward.

Trustwave captured the public’s attention over the weekend, when its policy regarding subordinate root certificates led to the discovery that one of its customers used them to monitor their employee’s SSL communications. Reacting to the public’s ire, Trustwave explained the incident on its company blog, and promised to end the practice moving forward.

A subordinate root certificate can allow the company who owns it to sign digital certificates for just about any domain on the Internet. While they are a known factor in the world of SSL, such things are rarely issued on a whim, simply because of the risks involved should they ever be compromised.

In this case, an unknown company was provided subordinate root certificate for the sole purpose of monitoring their internal network. Trustwave made sure to point out that the company was a private business and in no way did they issue such a certificate to a government entity, ISP or law enforcement agency. The subordinate itself was stringent with security measures, including a physical security assessment by Trustwave.

“It was to be used within a private network within a data loss prevention (DLP) system,” the company said on its blog.

The system designed for the customer used dedicated hardware designed for SSL proxy and acceleration, along with a FIPS-140-2 Level 3 compliant Hardware Security Module (HSM) for subordinate root storage, Trustwave explained. Again, this was done to provide their customer with the means for private key generation of the re-signed SSL certificates.

“Trustwave has decided to be open about this decision as well as stating that we will no longer enable systems of this type and are effectively ending this short journey into this type of offering,” the blog added.

Such a set-up would have allowed the company to monitor their network traffic, and see what their employees were up to, even if the Internet traffic was over SSL. This would have included visits to GMail, Facebook, and other SSL protected destinations on the Web that employees are often prone to visit during the working day.

In addition, with regards to security, generating their own SSL for a given domain would have allowed the company’s DLP policy’s to flag instances of sensitive work being emailed or stored offsite.

Advertisement. Scroll to continue reading.

While Trustwave has stated that they will no longer offer such power to a private company, nor will they consider such a solution in the future, the question that remains in the aftermath of the incident focuses on the other CAs. Have they issued subordinate roots before, and if so, were they issued to ISPs, governments, or law enforcement?

As one would expect, other CAs are silent on the issue.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Audits

The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture