[cryptography] how many MITM-enabling sub-roots chain up to public-facing CAs?

Thor Lancelot Simon tls at panix.com
Tue Feb 14 14:32:04 EST 2012


On Tue, Feb 14, 2012 at 03:51:16PM +0100, Ralph Holz wrote:
> Hi,
> 
> > Well I am not sure how they can hope to go very far underground.  Any and
> > all users on their internal network could easily detect and anonymously
> > report the MITM cert for some public web site without any significant risk
> > of it being tracked back to them.  Game over.  So removal of one CA from a
> > major browser like Mozilla would pretty much end this practice if it is
> > true that any CAs other than Trustwave actually did this...
> 
> If all users used a tool like Crossbear that does automatic reporting,
> yes.

Not really -- and this I think goes to the root of why what was done here
is so evil.

It is common practice on many networks in certain industries to deploy
SSL MITM devices which terminate, decrypt, examine, and reencrypt all
traffic.  However, the usual way to do this is to generate a new CA
certificate for the MITM device and load it into all the systems expected
to be connected to the network in question as a trusted root.

In this case, the owner of the network has chosen, by policy, to not
allow devices to perform SSL unless they trust the network's own CA,
and that CA has an effective policy which expressly allows it to
facilitate MITM of SSL traffic.  I do not find this unreasonable for
certain environments, and if users choose to bring their private devices
onto those networks, they have to take a positive step to facilitate
this examination of their traffic -- they have to install the MITM CA's
certificate as a trusted root.

But what Trustwave did is very, very different.  They sold a sub-root
that seems almost tailor-made to deceive users into thinking that MITM
was *not* taking place.  After all, if the intent were not to deceive
the network's users, the usual solution (where the client node's
administrator must accept the MITM device's CA) would have sufficed.

If the intent was not (primarily) to deceive but rather to allow MITM
device deployment with less administrative hassle, I can say only
these things:

	A) It might be easier for me to get petty cash for my legitimate
	   business purposes by mugging people in the street than by
	   filling out corporate paperwork but that does not make it OK
	   to mug people in the street.

	B) If we are to believe Trustwave's claims about how they
	   secured and audited the device on which this CA's keys were
	   stored, is it really plausible that this was done for ease
	   of administration, compared to the "standard" solution?

It is not so hard really to see the conceptual difference between the two
cases.  But to tools like Crossbear, they basically look the same.

Bad, bad, bad.

Thor

P.S. If one really wanted to know what CAs were in the business of selling
     these, one might try using any leverage one had handy to press the
     manufacturers of the MITM devices, who very likely know because their
     support or engineering personnel will have seen it in the field.  I
     can think of some pretty simple ways Mozilla could seek to obtain
     this information from the device manufacturers, if Mozilla wanted to
     play hardball.
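
An added illustration, not part of the original message: a simplified model of the two deployments contrasted above, showing that a leaf comparison alone returns the same answer for both while the provenance of the trust anchor separates them. It matches names and placeholder fingerprints instead of verifying signatures, and the split of the trust store into vendor-shipped and locally installed roots, like every name and value in it, is an assumption made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed placeholder, not a real hash

# Assumed trust store, split by how each root got onto the client.
VENDOR_ROOTS = {"fp-public-root"}          # shipped with the browser or OS
LOCAL_ROOTS = {"fp-corp-inspection-root"}  # installed by the device's administrator

def leaf_differs(chain, outside_leaf_fp):
    """Leaf comparison only: does the served leaf differ from the one seen outside?"""
    return chain[0].fingerprint != outside_leaf_fp

def chain_is_linked(chain):
    """Name chaining only (no signature check): leaf -> ... -> self-issued anchor."""
    links = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    return links and chain[-1].issuer == chain[-1].subject

def classify(chain, outside_leaf_fp):
    """Separate the two interception cases by where the trust anchor came from."""
    if not chain or not chain_is_linked(chain):
        return "invalid-chain"
    anchor = chain[-1].fingerprint
    if anchor not in VENDOR_ROOTS | LOCAL_ROOTS:
        return "untrusted"
    if not leaf_differs(chain, outside_leaf_fp):
        return "no-interception"
    if anchor in LOCAL_ROOTS:
        return "interception-via-locally-installed-root"
    return "interception-chaining-to-public-root"

# Constructed sample chains (leaf first, anchor last).
OUTSIDE_LEAF = "fp-site-leaf"
PUBLIC_ROOT = Cert("Public Root", "Public Root", "fp-public-root")
CORP_ROOT = Cert("Corp Inspection Root", "Corp Inspection Root", "fp-corp-inspection-root")
SUB_ROOT = Cert("Inspection Sub-Root", "Public Root", "fp-sub-root")
DIRECT = [Cert("www.example.test", "Public Root", OUTSIDE_LEAF), PUBLIC_ROOT]
LOCAL_MITM = [Cert("www.example.test", "Corp Inspection Root", "fp-minted-1"), CORP_ROOT]
SUBROOT_MITM = [Cert("www.example.test", "Inspection Sub-Root", "fp-minted-2"), SUB_ROOT, PUBLIC_ROOT]

if __name__ == "__main__":
    for name, chain in [("direct", DIRECT), ("local", LOCAL_MITM), ("sub-root", SUBROOT_MITM)]:
        print(name, leaf_differs(chain, OUTSIDE_LEAF), classify(chain, OUTSIDE_LEAF))
```
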


