Trustwave would probably prefer us all to be discussing the new data breach analysis report they issued this week. Instead, they are getting a lot of negative press over a man-in-the-middle certificate they issued that allowed a firm to snoop on its employees’ e-mail. John Leyden of The Register explains:
Certificate Authority Trustwave has revoked a digital certificate that allowed one of its clients to issue valid certificates for any server, thereby allowing one of its customers to intercept their employees’ private email communication.
The skeleton-key CA certificate was supplied in a tamper-proof hardware security module (HSM) designed to be used within a data loss prevention (DLP) system. DLP systems are designed to block the accidental or deliberate leaking of company secrets or confidential information.
Using the system, a user’s browser or email client would be fooled into thinking it was talking over a secure encrypted link to Gmail, Skype or Hotmail. In reality it was talking to a server on the firm’s premises that tapped into communications before relaying them to the genuine server. The DLP system needed to be able to issue different digital certificates from different services on the fly to pull off this approach, which amounts to a man-in-the-middle attack.
Read more on The Register.
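The mechanism Leyden describes, as an added example that is not from the original post, from The Register or from any Trustwave product: a Go program that builds a constructed public CA and a constructed corporate DLP CA, puts both in one client trust store, and shows that a DLP-minted certificate for the mail host validates exactly like the genuine one, while a public-key pin on the CA the client expects for that host still tells the two apart. Every CA name, key and the hostname mail.example.com are constructed for the demo; nothing is taken from the real incident.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)
// mkCert issues a throwaway Ed25519 cert for cn: a self-signed CA when parent is nil, else a server cert signed by parent.
func mkCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageCertSign}
	tmpl.Subject.CommonName = cn
	signer, skey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, skey, tmpl.DNSNames, tmpl.KeyUsage = parent, pkey, []string{cn}, x509.KeyUsageDigitalSignature
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, skey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// check: does leaf validate for host against roots, and is the anchor that validated it the pinned CA (SHA-256 of its DER SPKI)?
func check(roots *x509.CertPool, leaf *x509.Certificate, host string, pin [32]byte) (trusted, pinned bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return false, false
	}
	return true, sha256.Sum256(chains[0][len(chains[0])-1].RawSubjectPublicKeyInfo) == pin
}
// Demo trusts both a public CA and a corporate DLP CA, so the DLP-minted cert validates; only the pin separates them.
func Demo() (genuineTrusted, genuinePinned, mitmTrusted, mitmPinned bool) {
	host := "mail.example.com" // constructed hostname standing in for the real webmail service
	pubRoot, pubKey := mkCert("Constructed Public Root CA", nil, nil)
	dlpRoot, dlpKey := mkCert("Constructed Corporate DLP CA", nil, nil)
	genuine, _ := mkCert(host, pubRoot, pubKey)
	forged, _ := mkCert(host, dlpRoot, dlpKey)
	roots := x509.NewCertPool()
	roots.AddCert(pubRoot)
	roots.AddCert(dlpRoot) // pushed to managed endpoints, so the interception validates silently
	pin := sha256.Sum256(pubRoot.RawSubjectPublicKeyInfo) // the CA we expect behind this host
	genuineTrusted, genuinePinned = check(roots, genuine, host, pin)
	mitmTrusted, mitmPinned = check(roots, forged, host, pin)
	return
}
```

A trust-store check alone passes both chains, which is why a pin (or certificate transparency monitoring) is what actually surfaces an on-premises interception CA.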