
Trustwave


Jeffrey Walton

Feb 10, 2012, 9:38:54 AM
to mozilla-dev-s...@lists.mozilla.org
Hi All,

I was dismayed to see that my local Firefox was not updated today
(Friday, February 10, 2012) to remove Trustwave. Apparently, it
warrants some talking points.

1) Trustwave chose to operate in an industry where trust is a
commodity. No one forced them into the arena.

2) Trustwave willfully and knowingly subverted PKI, on which millions
of folks around the world depend. Past performance is a great
indicator of future expectations, so it will probably do it again (if
given the chance).

3) Trustwave's gross negligence stemmed from corporate greed. There
was a total disregard for users of the system who depend upon the
integrity of operators; and total disregard for shareholders' best
interest.

5) Trustwave's claim that it somehow ethically subverted the system is
laughable. It's like the Nazis saying they ethically exterminated the
Jews and other undesirables by shooting them in the back of the head
so they would fall face first into a ditch. Who here would claim the
treatment was moral and ethical, the deaths were painless, and trauma
to the soldiers was minimized because the victims fell into a ditch?

6) Trustwave's security policy does not state it willfully and
knowingly subverts the PKI system, which is a material omission of
fact.

7) A crime against one is a crime against all. All users are subject
to these sorts of deceptive practices by Trustwave, and not one narrow
set of users. How many other unreported incidents have occurred?

As a fellow who works in application security, here are a few
additional observations about the company. I speak for myself, and not
the folks for whom I work.

A) The company operates in a near perpetual state of conflict of
interest. Trustwave sells hardware and solutions, and then performs
the audits on integrated systems. It's not surprising their integrated
solutions have no findings, yet fail miserably when audited by an
independent third party.

B) Trustwave's PCI/DSS auditing leaves something to be desired. The
company appears to be very accommodating, fostering an Arthur Andersen/
Enron-like relationship with its clients. Feature gap analysis between
Trustwave's findings and independent third parties will often result
in non-trivial differences in compliance.

I'm appalled and befuddled that Mozilla even needs to debate these
issues. Trustwave has proven itself to be untrustworthy, and free
market economics dictates that the industry self-correct by dropping
these folks. I'm shocked the Mozilla Foundation has chosen to reward
the grossly negligent behavior by continuing the company's inclusion.

Jeffrey Walton
Baltimore, MD, US

Peter Gutmann

Feb 11, 2012, 12:52:39 AM
to mozilla-dev-s...@lists.mozilla.org, nolo...@gmail.com
Jeffrey Walton <nolo...@gmail.com> writes:

>2) Trustwave willfully and knowingly subverted PKI, on which millions of
>folks around the world depend. Past performance is a great indicator of
>future expectations, so it will probably do it again (if given the chance).

As opposed to CAs who sell certificates to the Russian mafia?

>3) Trustwave's gross negligence stemmed from corporate greed. There was a
>total disregard for users of the system who depend upon the integrity of
>operators; and total disregard for shareholders' best interest.

Ditto.

>6) Trustwave's security policy does not state it willfully and knowingly
>subverts the PKI system, which is a material omission of fact.

Ditto.

[etc ad nauseum]

CAs are in the business of selling padlocks, not guaranteeing security for
users (e.g. that it's safe to enter your credit card details, or whatever
security goals the user has). As long as you remember that that's all they
do, and take steps to accommodate that, then you'll be fine.

Peter.


ArkanoiD

Feb 11, 2012, 4:27:46 AM
to Peter Gutmann, nolo...@gmail.com, mozilla-dev-s...@lists.mozilla.org
On Sat, Feb 11, 2012 at 06:52:39PM +1300, Peter Gutmann wrote:
> Jeffrey Walton <nolo...@gmail.com> writes:
>
> >2) Trustwave willfully and knowingly subverted PKI, on which millions of
> >folks around the world depend. Past performance is a great indicator of
> >future expectations, so it will probably do it again (if given the chance).
>
> As opposed to CAs who sell certificates to the Russian mafia?
>

You do mean some specific business? Actually every commercial CA sells certificates to the Russian mafia just because Russian mafia usually does not reveal itself as such.

Peter Gutmann

Feb 11, 2012, 4:44:32 AM
to a...@eltex.net, pgu...@cs.auckland.ac.nz, nolo...@gmail.com, mozilla-dev-s...@lists.mozilla.org
These sites were dealing in stolen credit cards, bank accounts, DoS services,
drops, money mules, and so on; it doesn't take Sherlock Holmes to figure out
that they're up to no good. In other words the CAs were busy selling padlocks
to the very people that they're supposed to be protecting us from. If
Trustwave "deserves" to be removed for misbehaviour then these other CAs
should be entered into the running as well.

I don't want to divert this into a whose-CA-is-most-broken debate, just
pointing out that if you assume that the padlock doesn't assure you of much,
you won't be disappointed. If you're worried about government MITMs then you
need to use something a helluva lot better than browser PKI.

Peter.

Tim Moses

Feb 11, 2012, 11:41:48 AM
to Peter Gutmann, mozilla-dev-s...@lists.mozilla.org, pgu...@cs.auckland.ac.nz
If you have evidence for these statements, why aren't you sharing it? Otherwise, the more critical readers may eventually tire of the unsupported innuendo.



On Feb 11, 2012, at 4:45 AM, "Peter Gutmann" <pgu...@cs.auckland.ac.nz> wrote:

8<
>
> These sites were dealing in stolen credit cards, bank accounts, DoS services,
> drops, money mules, and so on; it doesn't take Sherlock Holmes to figure out
> that they're up to no good. In other words the CAs were busy selling padlocks
> to the very people that they're supposed to be protecting us from. If
> Trustwave "deserves" to be removed for misbehaviour then these other CAs
> should be entered into the running as well.
>
8<

ianG

Feb 11, 2012, 6:03:12 PM
to dev-secur...@lists.mozilla.org
On 12/02/12 03:41 AM, Tim Moses wrote:
> If you have evidence for these statements, why aren't you sharing it? Otherwise, the more critical readers may eventually tire of the unsupported innuendo.


I saw them when Peter first proposed them on Mozilla lists. I tried to
raise a stink at Mozilla. I failed (normal).

The one I looked at was clearly a trading site for stolen card data,
secured by certificates issued by CAs that are listed with major
vendors. I.e., in the business of stealing from Mozilla's customers,
cf. the reasonable man test.

http://financialcryptography.com/mt/archives/001328.html

I might be wrong, but those in the debate denied the cause of the
complaint at the time. You can draw your own line...

iang


> On Feb 11, 2012, at 4:45 AM, "Peter Gutmann"<pgu...@cs.auckland.ac.nz> wrote:
>
> 8<
>>
>> These sites were dealing in stolen credit cards, bank accounts, DoS services,
>> drops, money mules, and so on; it doesn't take Sherlock Holmes to figure out
>> that they're up to no good. In other words the CAs were busy selling padlocks
>> to the very people that they're supposed to be protecting us from. If
>> Trustwave "deserves" to be removed for misbehaviour then these other CAs
>> should be entered into the running as well.
>>
> 8<

Eddy Nigg

Feb 11, 2012, 7:06:02 PM
to mozilla-dev-s...@lists.mozilla.org
On 02/12/2012 01:03 AM, From ianG:
> http://financialcryptography.com/mt/archives/001328.html

Oh oh....the issue is probably much simpler than you pretend it to be
and much less exciting and smearing.

Somebody simply hasn't done his homework and nobody requested revocation
of this certificate accompanied with supporting evidence that would have
allowed us to consider revocation. We are a certificate authority that
in this case confirmed that the host names referenced in the certificate
are under control of the applicant.

We are not a judge, law enforcement or police and we'll not sign up on
every user forum just to check if there might be some unlawful activity
(and under which jurisdiction anyway). We also will not revoke a
certificate just because Peter doesn't like a particular site and
mentions it in a forum or mailing list, except in case an obvious
mistake has happened with the issuance of such a certificate and which
we can confirm accordingly.

As a by-note, we receive from time to time revocation requests from
Spamhaus and similar organizations and projects, with it they provide
clear evidence of the issue (usually malware) which we can easily verify
and so far every request we could confirm was promptly honored. We honor
such requests usually where the necessary evidence has been provided.
The email address for revocation requests is certm...@startcom.org
just in case you ever need it.

I know it's boring :-(

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Tim Moses

Feb 11, 2012, 9:23:54 PM
to ianG, dev-secur...@lists.mozilla.org
I followed the link. What a joke! What do you do if you spot a crime in progress? Why? Post a blog, of course.

I've worked with Eddy for several years. And the suggestion that he is a criminal is laughable and defamatory.

According to statements made on the thread, ALL commercial CAs are criminal.

Do the priest and his acolytes purport to be scientists? All I see is lazy, unscientific cynicism.

ianG

Feb 11, 2012, 9:26:03 PM
to dev-secur...@lists.mozilla.org
Right, thank you. So Peter's claim is supported. What is good for the
goose is good for the gander.

To spell it out, Trustwave have already presented much the same
argument: they followed their procedures, they audited the site, and
they ensured that provisions of CPS and policy were good. QED.

Beyond that, there is only moral outrage, and as business people we
should learn to not be tripped up by it.

iang

PS: just a reminder, I'm Peter-devil's advocate, and the argument is the
issue, not personalities.

Eddy Nigg

Feb 11, 2012, 9:44:49 PM
to mozilla-dev-s...@lists.mozilla.org
On 02/12/2012 04:26 AM, From ianG:
> Right, thank you. So Peter's claim is supported. What is good for
> the goose is good for the gander.
>
> To spell it out, Trustwave have already presented much the same
> argument: they followed their procedures, they audited the site, and
> they ensured that provisions of CPS and policy were good. QED.
>

There is a clear policy under which circumstances certificate
authorities can issue certificates - Trustwave has not complied with this
policy.

There is however NO policy that requires us to jump the gun on every whim
from every corner about an issued certificate. If you think that's
unreasonable, please convince the audience to change the (Mozilla CA)
policy. Until then, it's our policy that counts, which is IMO reasonable
and with which we also have a good track record.

ianG

Feb 11, 2012, 9:59:46 PM
to dev-secur...@lists.mozilla.org
On 12/02/12 13:23 PM, Tim Moses wrote:
> I followed the link. What a joke! What do you do if you spot a crime in progress? Why? Post a blog, of course.


Actually, no, read the words. We tried to raise a stink at the time.
From memory, Mozilla did not respond. They never do when it is
legal/liability.

Sure, a few CAs responded (Eddy always does). But it isn't about one
CA. It is about the system of CAs - the other CAs were also doing the
same thing.

All that was left was to record the frustration. And move on.


> I've worked with Eddy for several years. And the suggestion that he is a criminal is laughable and defamatory.
>
> According to statements made on the thread, ALL commercial CAs are criminal.


lol... attack the claim at its premises and logic, not at whatever
salacious conclusion. That's the scientific thing :)

If a carding site is protected by an SSL certificate, is that a
certificate protecting a criminal site?

Is that certificate then participating in an unlawful activity?

And, if notified of this, does a CA feel obliged to do something?

or not?



The case at the time was that CAs seemed to decide not to do something
in that case. Mozilla seemed to agree by silence.

So the conclusion is the libertarian one: phishing, carding and such
things are adult behaviour and everyone should defend themselves. Now
look at Peter's claim about Trustwave.


> Do the priest and his acolytes purport to be scientists? All I see is lazy, unscientific cynicism.


Big words, Tim.

So answer the question: what is your opinion on certificates being used
by criminal enterprises?

OK, don't stress yourself. Let's ask Symantec:

(iv) the Certificate information you provided (including your email
address) has not been and will not be used for any unlawful purpose;

http://www.verisign.com/repository/agreements/serverClass3Org.html

ianG

Feb 11, 2012, 10:01:26 PM
to dev-secur...@lists.mozilla.org
On 12/02/12 13:44 PM, Eddy Nigg wrote:
> On 02/12/2012 04:26 AM, From ianG:
>> Right, thank you. So Peter's claim is supported. What is good for the
>> goose is good for the gander.
>>
>> To spell it out, Trustwave have already presented much the same
>> argument: they followed their procedures, they audited the site, and
>> they ensured that provisions of CPS and policy were good. QED.
>>
>
> There is a clear policy under which circumstances certificate
> authorities can issue certificates - Trustwave has not complied with this
> policy.


I reckon they'll win their claim in court, that they haven't breached
the policy.


> There is however NO policy that requires us to jump the gun on every whim
> from every corner about an issued certificate. If you think that's
> unreasonable, please convince the audience to change the (Mozilla CA)
> policy. Until then, it's our policy that counts, which is IMO reasonable
> and with which we also have a good track record.
>

It isn't in the policy, correct. It doesn't need to be.

iang

Eddy Nigg

Feb 11, 2012, 10:17:11 PM
to mozilla-dev-s...@lists.mozilla.org
On 02/12/2012 05:01 AM, From ianG:
> I reckon they'll win their claim in court, that they haven't breached
> the policy.

1 + 1 = 5

OK, whatever you say...

> It isn't in the policy, correct. It doesn't need to be.
>

So why bring it up then? :-(

PS. Between you and me, the certificate was provided free of charge,
courtesy of StartCom. So you can strike that 200 $ thing there in your
article... :-)

Peter Gutmann

Feb 12, 2012, 2:45:26 AM
to pgu...@cs.auckland.ac.nz, tim....@entrust.com, mozilla-dev-s...@lists.mozilla.org
Tim Moses <tim....@entrust.com> writes:

>If you have evidence for these statements, why aren't you sharing it?
>Otherwise, the more critical readers may eventually tire of the unsupported
>innuendo.

Oh good grief, I wouldn't be saying it if there wasn't evidence, see e.g. the
screenshots at the start of
http://www.cs.auckland.ac.nz/~pgut001/pubs/prot_browser_users.pdf, and that
was just from about five minutes of searching.

Oh, and this has also been shared before. The CA response was "all we're
responsible for is certifying a binding between key and domain name".

Peter.

Peter Gutmann

Feb 12, 2012, 2:55:23 AM
to eddy...@startcom.org, mozilla-dev-s...@lists.mozilla.org
Eddy Nigg <eddy...@startcom.org> writes:

>Somebody simply hasn't done his homework and nobody requested revocation of
>this certificate accompanied with supporting evidence that would have allowed
>us to consider revocation.

When this has been tried before by multiple anti-virus companies trying to get
malware-signing certs revoked, the CAs responsible weren't interested, except
for:

The one exception to this rule was when Symantec (the anti-virus company)
reported a stolen certificate issued by Symantec (the CA) being used to sign
malware, in which case it was promptly revoked [291]. Requiring that the
anti-virus vendor who wants a certificate revoked also own the CA that
issued it in the first place doesn't appear to be a scalable solution
though.

Beside which, why are Internet users expected to act as a cleanup crew for the
failings of CAs? These certs should never have been sold to the crooks in the
first place.

(And at this point the CAs respond with "it's not our job to check this, we
simply verify the binding between key and domain name", to which others
respond "then why do we need CAs in the first place?" and then the CAs respond
... and the merry-go-round continues as before).

Peter.

ArkanoiD

Feb 12, 2012, 4:31:23 AM
to Peter Gutmann, mozilla-dev-s...@lists.mozilla.org, tim....@entrust.com
And they are obviously right. It is not the CA's business to decide what is right
and what is wrong unless it is related to identity issues. And the reason for that is obvious:
people are different, laws are different and I do not ever want any CA to step into a grey area
where a certificate may be revoked because it belongs to a site that is found to be "offensive" to
some large and influential group of people (religious, governmental, corporate, whatever).

And I really doubt revoking any "criminal" yet "authentic" certificates may bring us any positive change to the landscape.
I think those guys do not really care much.

On Sun, Feb 12, 2012 at 08:45:26PM +1300, Peter Gutmann wrote:
>
> Oh, and this has also been shared before. The CA response was "all we're
> responsible for is certifying a binding between key and domain name".
>



ianG

Feb 12, 2012, 9:17:47 AM
to dev-secur...@lists.mozilla.org
As a long-term libertarian (an Austrian really) I'm totally fine with
the concept. There are only two slight wrinkles that I see:

* vendors' customers are attacked by these guys, and SSL was invented
to deal with that. So the vendors are on a sticky wicket.

* don't ever use the word "trust" and you'll be fine. I'm not being
snarky or anything, it's straightforward marketing. Customers won't
trust you if you also sell to their sworn blood enemy. Most all
customers aren't libertarians.

iang

Eddy Nigg

Feb 12, 2012, 12:17:15 PM
to mozilla-dev-s...@lists.mozilla.org
On 02/12/2012 09:55 AM, From Peter Gutmann:
> When this has been tried before by multiple anti-virus companies trying to get
> malware-signing certs revoked

Obviously I can't comment on other CAs...

> Beside which, why are Internet users expected to act as a cleanup crew for the
> failings of CAs? These certs should never have been sold to the crooks in the
> first place.

So who decides that somebody is a crook? Are Iranian dissidents crooks?
It depends who you ask. Were the folks from megaupload crooks? It
depends who you ask. Are the EFF crooks? It depends who you ask.

Again, without providing some evidence attesting to damage caused to the
casual Internet user as a result of using a certificate, we can't do
that much, except where it's very obviously a mistake from OUR side. Otherwise
you're going down a really very slippery road....

(Of course I understand your concern, but the solution isn't always that
easy and maybe not always to your preference, no matter how much it sucks
sometimes.)

Gervase Markham

Feb 14, 2012, 9:59:43 AM
to Eddy Nigg
On 12/02/12 17:17, Eddy Nigg wrote:
> So who decides that somebody is a crook? Are Iranian dissidents crooks?
> It depends who you ask. Were the folks from megaupload crooks? It
> depends who you ask. Are the EFF crooks? It depends who you ask.

And this is why my position (and quite likely Mozilla's position) is
that certificates are about identity, not "goodness". If you want CAs to
verify that all activities a company or individual undertakes are
legitimate in $JURISDICTION before they issue a cert, then there would
be far fewer certs issued and they'd be a lot more expensive. Not, I
would suggest, a change which would be a win for internet security as it
stands today.

Gerv

Peter Gutmann

Feb 14, 2012, 4:38:26 PM
to eddy...@startcom.org, ge...@mozilla.org, mozilla-dev-s...@lists.mozilla.org
Gervase Markham <ge...@mozilla.org> writes:

>And this is why my position (and quite likely Mozilla's position) is that
>certificates are about identity, not "goodness".

And now we've reached step 3 of the eternal roundabout that I documented
earlier. Someone want to move us to step 4?

Peter.

ianG

Feb 15, 2012, 9:58:48 AM
to dev-secur...@lists.mozilla.org
On 15/02/12 01:59 AM, Gervase Markham wrote:
> On 12/02/12 17:17, Eddy Nigg wrote:
>> So who decides that somebody is a crook? Are Iranian dissidents crooks?
>> It depends who you ask. Were the folks from megaupload crooks? It
>> depends who you ask. Are the EFF crooks? It depends who you ask.
>
> And this is why my position (and quite likely Mozilla's position) is
> that certificates are about identity, not "goodness".


In which case there is no problem, because TrustWave didn't change the
identities of the parties; they still had their communication.

On the other hand, if the problem is about trust, as used in the title
of BR, it is something completely different. We "trust" a CA to stop
the MITM. We trust a CA to defend us from spear phishing attacks as
apparently happened a month back. We trust a CA to participate in the
Internet's security problems, where they seem to relate.

Or we don't.


> If you want CAs to
> verify that all activities a company or individual undertakes are
> legitimate in $JURISDICTION before they issue a cert, then there would
> be far fewer certs issued and they'd be a lot more expensive. Not, I
> would suggest, a change which would be a win for internet security as it
> stands today.


Sounds like EV.

I mean, it's fine, if identity is what it is about, and a CA can stick
to that line for longer than a minute.

But users won't trust people who *just do identity* and then can't even
get that part straight. If identity is all that is on offer, we may as
well code Convergence or Crossbear into Firefox.



iang