Trustwave admits issuing 'man-in-the-middle' digital certificate - Oops!

Update: Trustwave admits issuing ‘man-in-the-middle’ digital …

Clarifying The Trustwave CA Policy Update - SpiderLabs Anterior

Bug 724929 – Remove Trustwave Certificate ( s) from trusted root …

Confused. On reading the URL’s this doesn’t quite seem to be what the headlines or bug report imply/says it was. Specifically the Mozilla bug report says…

Trustwave issued a subordinate root certificate to a company, therefore enabling the company to issue unlimited SSL certificates for any domain/hostname:

source []
… but, that doesn’t seem to be the case at all. The URL cited in the bug report actually says…

.. The system was created using dedicated hardware device designed for SSL proxy and acceleration, with a FIPS-140-2 Level 3 compliant Hardware Security Module (HSM) ( for subordinate root storage and for the purpose of private key generation of the re-signed SSL certificates. This means that once the trusted subordinate root was placed into the device it could not be extracted.

Additionally, when the system would accept an outbound SSL connection from within the customer network, and negotiate the session with the server outside the customers network, the private key for the resulting re-signed SSL certificate (that is presented to the internal network) would be generated in the HSM and only live for the duration of the SSL request. No party had access to the re-signed SSL certificate private keys at any time, nor could they gain access to them. This is what prevented the customer from being able to perform ad hoc issuance of certificate for any domain and use them outside of this hardware and infrastructure. …

source []

Still sounds a little dodgy though.

Critics slam SSL authority for minting certificate for impersonating sites []

Some security experts seem to believe that this practice is wide spread too.

Something really has to change.

When Certificate Authority Business Models and Vendor Certificate Policies Clash

This hasn’t be widely reported on (or at all, that I can find). But, I have been advised, by a knowledgeable and trusted source, that this issue (assuming that I have understood this correctly) might well have wider implications and not just be about the unnamed private customer that Trustwave supplied the Hardware Security Module (HSM) to, or even with the HSM itself, but the actual manufacture/venor of the HSM. Trustwave would have had to issue a subordinate root certificate to someone, at some point, in order that the HSM could be constructed in the first place.

It certainly looks that way Kail. I haven’t been able to find anything concrete, yet, but reading between the lines, here and there, the implication is, that it’s far more serious. I guess we’ll have to wait until there’s full disclosure, assuming that ever happens.