We’ve pointed out for years that the whole structure of SSL certificate-based security is open to attack via man-in-the-middle attacks… if you can somehow get a certificate authority to grant you a fake certificate. Of course, the protection against that was supposed to be that a certificate authority wouldn’t do that. But what if one did? Certificate authority Trustwave has admitted that it issued a certificate to a company that allowed it to issue “valid” certs for any server. Basically, it gave a company the ability to do any kind of man-in-the-middle attack it wanted on employees. Trustwave has admitted to all this after revoking the certificate. They insist that the structure was limited so that it could only be used internally on the network. But, while it was out there, it basically allowed this company to effectively spy on employee activities, allowing the company to do man-in-the-middle attacks, as employees logged into private (“encrypted”) accounts from their own devices, and see what they were doing.

Either way, it’s pretty scary that Trustwave would think it was a reasonable move to allow this kind of activity, no matter how carefully the company believes it was set up. Considering this certificate was issued for “loss prevention,” it’s not hard to guess how it was used. In a world where people have perfectly valid reasons for using private personal internet services from the workplace, they should be able to trust that those connections are secure. Thanks to Trustwave’s deal with this (unnamed) company, that was not the case. In the end, this is a significant reminder that certificate-based security systems have serious weaknesses, and that the certificate authorities might not always be trustworthy…

Filed Under: certificate authorities, man in the middle, privacy, secure certificates, security, ssl

On top of that, there’s no telling if other certificate authorities are doing the same thing elsewhere, significantly compromising SSL security. I’m not sure if it could be called common, but it is highly suspected by many security professionals that this is not an isolated instance.

Sure, the hardware and software has legitimate uses, but someone from Trustwave really had to configure or program this to function well – and either that means they already had this capability, or spent a lot of effort for this single (yet unnamed) client. Why would Trustwave have a specially designed hardware solution that could handle this?

Hopefully it will shine a light on other CAs doing the same thing. While Trustwave’s original actions are very distasteful, I do have to give them credit for coming clean.

Unfortunately, revoking the bogus cert doesn’t really deal with the issue. Certificate revocation is basically the “least bad” option right now. Google has recently said that Chrome may stop checking revocation lists from CAs:
Background info on CAs and certificates if you don’t understand all this stuff:

I can see why companies would want to be able to man-in-the-middle outbound connections from their own corporate network. SSL/TLS can be used to tunnel… well anything really. A malware C&C channel, a way to exfiltrate corporate data etc. However, the correct way to implement this is the exact opposite of what Trustwave has done. An SSL proxy like Bluecoat achieves the above goal of MITM’ing corporate SSL sessions by
1) Installing a new Trusted Root Cert on all corporate PCs
2) Using the key for that Cert to sign a faked certificate for all outbound SSL traffic
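The two deployment models the SSL-proxy comment contrasts, worked through as an added example in Go (this is not code from the original post, its comments, or any product named on the page): a private root installed only on corporate PCs, a proxy sub-CA beneath it, and a leaf certificate the proxy mints for an outbound host. The CA names and hostnames (`www.example.com`, `corp.example`) are constructed for the example. The name-constraint case goes beyond the comment: it shows how a sub-CA can be bounded to a domain so that it cannot sign for arbitrary servers even on machines that trust its root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for tmpl. With parent == nil the
// certificate is self-signed (a root); otherwise parentKey signs it.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate describes a CA. A non-empty permittedDNS becomes a critical name
// constraint: certificates below this CA may only name hosts under those domains.
func caTemplate(cn string, serial int64, permittedDNS []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if len(permittedDNS) > 0 {
		t.PermittedDNSDomainsCritical, t.PermittedDNSDomains = true, permittedDNS
	}
	return t
}

// leafTemplate describes the server certificate a proxy mints for host on the fly.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verify validates leaf for host against a trust store holding only root, with
// inter supplied the way a TLS server sends its intermediate. nil means accepted.
func verify(leaf, inter, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// ProxyScenario builds private root -> proxy sub-CA -> leaf for host and returns the
// outcome on a corporate PC (private root installed) and on an outside PC (not installed).
func ProxyScenario(host string, permittedDNS []string) (corporate, outside error) {
	root, rootKey := issue(caTemplate("Corp Private Root", 1, nil), nil, nil)
	proxy, proxyKey := issue(caTemplate("Corp SSL Proxy CA", 2, permittedDNS), root, rootKey)
	leaf, _ := issue(leafTemplate(host, 3), proxy, proxyKey)
	// Stand-in for the public roots an outside machine trusts; ours is not among them.
	other, _ := issue(caTemplate("Unrelated Public Root", 4, nil), nil, nil)
	return verify(leaf, proxy, root, host), verify(leaf, proxy, other, host)
}

func main() {
	cases := []struct {
		host string
		dns  []string
	}{{"www.example.com", nil}, {"www.example.com", []string{"corp.example"}}, {"mail.corp.example", []string{"corp.example"}}}
	for _, c := range cases {
		corp, out := ProxyScenario(c.host, c.dns)
		fmt.Printf("%-18s constraint=%-15v corporate PC: %v | outside PC: %v\n", c.host, c.dns, corp, out)
	}
}
```

Run as-is, it prints for each case whether the proxy-minted certificate validates on a corporate PC and on an outside PC. The unconstrained case is the Bluecoat model from the comment: forged leaves validate only where the private root was deliberately installed, and nowhere else. A sub-CA hung under a publicly trusted root, which is what the article describes, would validate on the outside PC as well, because that root already sits in every browser's trust store. Name constraints bound the sub-CA from the other direction: even on a corporate PC, the constrained proxy CA cannot produce a certificate that validates for `www.example.com`, only for hosts under `corp.example`.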