
Digital Certificate Authority Trustwave in Trouble After Snoop Certificate Issued

Added by on Feb 10, 2012

Digital security is an increasingly important part of any midsize business IT strategy, and IT admins have the unenviable job of making sure users are correctly accessing services and taking the heat if something goes wrong. Part of ensuring a company's network is secure comes from using a digital certificate for transactions or messages to verify the identity of both sender and receiver; these are issued by certificate authorities (CAs) for private use. Recently, however, the CA Trustwave found itself in trouble with the Mozilla community for issuing a subordinate root certificate to a business that allowed it to examine all secure sockets layer (SSL) protected connections on its network.

The Root of the Problem

On February 7, 2012, the first reports of this subordinate certificate showed up on Mozilla's bug tracker. Some of the concern came from the fact that Trustwave had issued a subordinate root certificate that could essentially act as a "man in the middle," but more important was that Trustwave's root certificate is trusted by Firefox. Now, the Mozilla community is debating whether or not to revoke that root certificate because of Trustwave's potential breach of the Mozilla CA Certificate Policy.

Trustwave says that while it did issue a digital certificate that allowed a private company to access all SSL connections on its network, the certificate was meant for use within a data loss prevention system, according to an InfoWorld article published the following day. The CA says it took steps to prevent the subordinate root's key from being extracted, by keeping it in a Hardware Security Module, and performed audits to ensure that it was not possible to intercept or decrypt any SSL traffic from another network.

Brian Trzupek, the company's vice president for managed identity and authentication, said, "[Trustwave] did not create a system where the customer could generate ad-hoc SSL certificates and extract the private keys to be used outside this device."

The Issue Branches Out

In response to the subordinate root issue, Trustwave revoked the certificate it gave to the "unnamed private company" and won't issue any more, according to a recent SpiderLabs blog post. The company also reiterated that it issued the certificate for a private internal corporate network and not for a government agency, Internet service provider (ISP), or any law enforcement agency. Unfortunately, even the idea that such a certificate could exist and be used with such a broad scope has added fuel to the fire. Calum McLeod of certificate and digital key management company Venafi says that issuing certificates similar to the one signed by Trustwave is "a common industry practice," and that "just because Trustwave did not issue a subordinate root certificate to a government, an ISP or a law enforcement agency, does not mean that other CAs haven't done so."

For midsize business IT, the CA issue carries with it a number of warnings. The first is that, despite the security measures taken, there is always the possibility that broad-spectrum access such as that allowed by Trustwave could be given to an internal review body or even an outside agency. Second, responsibility for solid security measures lies ultimately with the local IT department: even those tasked with providing secure and encrypted transmissions do not always hold fast to their own security standards.
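The reason a subordinate root of this kind is so powerful is mechanical: once a root is in a browser's trust store, standard path validation accepts any certificate chained to it, for any host name, whether the intermediate belongs to the public CA or to a customer's interception appliance. The Go program below is an added example, not code from the article or from Trustwave; all certificates, key pairs and names in it are constructed in memory. It builds one trusted root, a legitimate intermediate and a separate "interception" sub-CA signed by the same root, and shows that plain validation accepts both chains while pinning the expected issuer's public key (SPKI hash) rejects the interception chain. Pinning a known issuer in an internal monitoring check is one of the few local controls an IT department has against a misused CA, which is the article's second warning in practice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Host is a constructed server name; an interception sub-CA can mint a
// certificate for it without the real site's cooperation.
const Host = "mail.example.com"

// Scenario is a constructed hierarchy: one browser-trusted root has signed both
// a legitimate intermediate and an interception sub-CA (hypothetical names).
type Scenario struct {
	Root, RealCA, RealLeaf, InterceptCA, InterceptLeaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a CA or server-certificate template for the given name.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{Host}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl for pub under parent's key; a nil parent means self-signed.
func sign(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildScenario generates the root, both intermediates and a leaf under each.
func BuildScenario() *Scenario {
	rootKey, realKey, mitmKey, leafKey, fakeKey := newKey(), newKey(), newKey(), newKey(), newKey()
	root := sign(template("Example Trusted Root", 1, true), &rootKey.PublicKey, nil, rootKey)
	realCA := sign(template("Example Public Intermediate", 2, true), &realKey.PublicKey, root, rootKey)
	mitmCA := sign(template("Customer Interception Sub-CA", 3, true), &mitmKey.PublicKey, root, rootKey)
	return &Scenario{Root: root, RealCA: realCA, InterceptCA: mitmCA,
		RealLeaf:      sign(template(Host, 4, false), &leafKey.PublicKey, realCA, realKey),
		InterceptLeaf: sign(template(Host, 5, false), &fakeKey.PublicKey, mitmCA, mitmKey)}
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the value pinning compares.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Accepted runs browser-style path validation (root store + presented
// intermediate, host name check). With a non-empty pin it additionally
// requires that an issuer in some validated chain carries that SPKI hash.
func Accepted(leaf, intermediate, root *x509.Certificate, pin string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: Host})
	if err != nil {
		return false
	}
	if pin == "" {
		return true
	}
	for _, chain := range chains {
		for _, c := range chain[1:] { // chain[0] is the leaf; issuers follow
			if SPKIPin(c) == pin {
				return true
			}
		}
	}
	return false
}

func main() {
	s := BuildScenario()
	pin := SPKIPin(s.RealCA)
	fmt.Println("real chain, path validation only:     ", Accepted(s.RealLeaf, s.RealCA, s.Root, ""))
	fmt.Println("intercept chain, path validation only:", Accepted(s.InterceptLeaf, s.InterceptCA, s.Root, ""))
	fmt.Println("real chain, pinned issuer:            ", Accepted(s.RealLeaf, s.RealCA, s.Root, pin))
	fmt.Println("intercept chain, pinned issuer:       ", Accepted(s.InterceptLeaf, s.InterceptCA, s.Root, pin))
}
```

The first two lines of output are both `true`, which is the whole problem: nothing in path validation distinguishes the public CA's intermediate from a customer's interception sub-CA, because both descend from the same trusted root. Only the issuer pin separates them (`true` then `false`). The same check can be run against a live chain by replacing the constructed certificates with those returned by a TLS handshake; the pin should be the SPKI hash of the issuer the site is known to use, recorded out of band.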

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.