The problem is not with SSL, but with the centralized CA model... many
or all of those CAs simply aren't as trustworthy as one might like to
believe.

Regardless, this is foul, foul stuff, issuing an any-purpose cert to a
third party for snooping on their employees.  Normally in this kind of
police-state company environment, the organization sets up its own CA
and propagates its cert to devices.  But MITM'ing with the help of a
CA in the common trust list... ugh.

I'd note that Chrome is resistant to this sort of chicanery, with the
ability to tie domains to certain issuers.  E.g., Chrome can reject an
otherwise verifiable and valid cert for google.com if it's not from a
very restricted set of signers.

--Steve

On Tue, Feb 7, 2012 at 6:41 PM, Kurt Buff <[email protected]> wrote:
> And not necessarily a lot of protection, either.
>
> Kurt
>
> ---------- Forwarded message ----------
> From: "Jim Ausman" <[email protected]>
> Date: Feb 7, 2012 4:49 PM
> Subject: A Certificate Authority "Man-in-the-middle" attack corporate
> attack in the wild
> To: <[email protected]>
>
> Dave,
>
> For IP, if you wish
>
> Trustwave, a CA authority, issued a certificate that allowed the owner
> to issue any valid certificate to facilitate man-in-the-middle attacks
> on their employees.
>
> http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html
>
> They say that they used a special hardware container to ensure that
> this could not be used for anything other than the intended purpose,
> but this still indicates that a long-suspected weakness in the CA
> infrastructure is being exploited to eavesdrop on traffic.
>
> http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html
>
> EFF sent out an alert about the fact that Iran was doing this a few
> months ago, but this is the first I have heard of a corporation doing
> it.
>
> https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google
>
> Cheers,
> Jim
>
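The issuer pinning mentioned at the top of this thread, as an added sketch that is not part of the original messages and is not Chrome's code. It assumes pins are SHA-256 hashes of issuer public keys; the domain `example.test`, the CA names and the byte strings standing in for SubjectPublicKeyInfo blobs are all constructed.

```python
import hashlib

def spki_hash(spki: bytes) -> str:
    """Hash of a certificate's public key info (constructed stand-in bytes)."""
    return hashlib.sha256(spki).hexdigest()

# Constructed sample data: (name, spki) pairs for hypothetical CAs.
ROOT_A = ("Pinned Root A", b"spki-root-a")
ROOT_B = ("Public Root B", b"spki-root-b")
SUB_B = ("Enterprise Sub-CA under B", b"spki-sub-b")

# Both roots are in the common trust list; only Root A is pinned below.
TRUST_STORE = {spki_hash(ROOT_A[1]), spki_hash(ROOT_B[1])}

# domain -> (allowed issuer key hashes, pin also covers subdomains?)
PINS = {"example.test": ({spki_hash(ROOT_A[1])}, True)}

def find_pins(host):
    """Return the pin set covering host, or None if the host is unpinned."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PINS.get(".".join(labels[i:]))
        if entry and (i == 0 or entry[1]):
            return entry[0]
    return None

def chains_to_trusted_root(chain):
    """Stand-in for path validation; signatures, dates, names assumed valid."""
    return spki_hash(chain[-1][1]) in TRUST_STORE

def accept(host, chain):
    """chain is leaf-first, root-last. Returns (accepted, reason)."""
    if not chains_to_trusted_root(chain):
        return (False, "untrusted root")
    pins = find_pins(host)
    if pins is None:
        return (True, "trusted, no pins")
    if pins & {spki_hash(spki) for _, spki in chain}:
        return (True, "trusted and pinned")
    return (False, "pin mismatch")

# Constructed chains: the genuine one, and one minted by a sub-CA under Root B.
GENUINE = [("mail.example.test", b"spki-leaf-real"), ROOT_A]
INTERCEPT = [("mail.example.test", b"spki-leaf-mitm"), SUB_B, ROOT_B]
UNPINNED = [("other.test", b"spki-leaf-other"), SUB_B, ROOT_B]

if __name__ == "__main__":
    for host, chain in [("mail.example.test", GENUINE),
                        ("mail.example.test", INTERCEPT),
                        ("other.test", UNPINNED)]:
        print(host, accept(host, chain))
```

The third case shows the limit of the approach: a host with no pin entry is still accepted on trust-store validation alone. Chrome also does not enforce its built-in pins for chains that end in a locally installed root, so interception through an organization's own deployed CA is unaffected by them.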
