It was recently discovered by the Tor project that a manufacturer of Man-In-The-Middle boxes with SSL interception capability, called Cyberoam, have been embedding the same root certificate in all of their boxes.

Background: SSL is not supposed to be interceptable. The only way to do it is for the intercepting box to be the endpoint of the SSL session and then, after inspecting the traffic, send the information over a different SSL session to the client. Now that we have explicitly banned trusted CAs from facilitating this after the Trustwave incident, the box should not be able to generate its own trusted-by-default certificate for the target site. Instead, it generates a cert which chains up to the box’s own embedded root. Therefore, any user of a network whose owners wish to use a such a box to inspect SSL traffic will have been asked to import whichever root certificate the box uses into their trusted root store, in order to avoid getting security warnings – the very warnings which would otherwise correctly tell you that your communications are being intercepted.

If each box uses a different root certificate, this is not a big problem. (Well, apart from the general issue of having to permit your employer or school to intercept your secure communications.) However, as noted above, Cyberoam uses the same root for all the boxes they manufacture. This root reuse means that sites who have tried to use Cyberoam boxes to punch a small hole in their security for ostensibly reasonable purposes have actually punched a rather larger one.

If you have trusted this root, your communications could potentially be silently intercepted by anyone who owned a Cyberoam box, not just the legitimate owners of the network you were using. This would be true whether you were on that network, or elsewhere (e.g. if you went to another location with your phone or laptop). Furthermore, anyone who purchases a Cyberoam box can try and extract the root (they may have physical security in place, but that’s just a speedbump) and then they don’t even need a Cyberoam box to MITM you.

From reading their online docs, this problem seems to also occur with similar devices from Sonicwall (PDF; page 2) and Fortigate. (Thanks to a commenter on the Tor blog for noticing this.) I suspect that many vendors use this insecure configuration by default.

The Cyberoam default root certificate is not trusted by the Mozilla root store – Cyberoam is not a CA – and we do not plan to take action at this time. However, this is another important lesson in the unintended consequences of intentionally breaking the Internet’s security model. Messing with the Internet security infrastructure breaks things, in unexpected and risky ways. Don’t do it.