I cannot understand why there's so much discussion about SSL/TLS cert compromises, loads of speculation about Verizon's security issues and their CA operation, yet virtually no concern over this.

Trustwave may have taken steps to limit the risk of their action, but the fact remains that they gave a private company the ability to launch a perfect MITM attack - and they state that it is "common practice" amongst "many of our peers in the industry".

As mukyu notes, a corporation can easily do this today with an in-house CA, but that's visible to their users - Trustwave enabled them to have an invisible MITM, detectable only if someone collected certs inside the proxy and compared them with those outside, or used some form of certificate pinning. That's perfectly aligned with the goal of "Data Loss Prevention" - the customer wanted to catch employees stealing corporate data, and didn't want them to know that they were being spied on.

I'd argue that this behavior is much worse than simple sloppiness, because the CA is making a conscious business decision that puts the integrity of the PKI system at risk. And if what Trustwave says is true, with "many" other CAs offering the same product, it's unlikely that we can fix this by simply pulling certs out of the browser caches.
For context: http://comments.gmane.org/gmane.comp.security.ssl.observatory/152

Basically, a CA gave someone a cert that allows them to make and sign their own certs (for any domain) for the express purpose of allowing them to snoop on all SSL traffic on their network. They even imply that other CAs have and will do the same (even though they apparently changed their minds about allowing it). We need not worry about CAs being incompetent (see Comodo and other issues) when they will intentionally engage in undermining the entire PKI system.

Note that a corporate entity that really wanted to do this could just as easily make their own root cert and install it on all of the devices they control and accomplish the same goal without endangering the entire system.