"I don't have enough experience with Checkpoint firewalls, but after looking at the details, this seems like a plausible scenario," Robert Graham, the CEO of security firm Errata Security, said Thursday in a blog post. "It's quite possible that the MitM was essentially accidental."
Other people are not that convinced that this was an accident. "Why would a certificate intended for end-entity SSL use (albeit actually enabled for CA use) be installed on a 'firewall'? What was the system administrator's intent?" Stephen Schultze, the associate director of the Center for Information Technology Policy at Princeton University, asked late Thursday on a Mozilla mailing list where the incident is being discussed.
"On what network was this Checkpoint device installed, and what set of users were being MITM'ed? Specific IP [Internet Protocol] blocks would be helpful," Schultze said in response to a message posted on the list by Mert Ozarar, project manager at Turktrust.
"We are certainly not in a position to answer these questions to their full extent," Turktrust said in a response posted Friday on the same mailing list. "However, it is almost apparent that the agency wanted to configure the firewall as a MITM proxy for their internal users. Our thorough OCSP [Online Certificate Status Protocol] analysis has also supported this in the sense that almost 96% of OCSP requests stemmed from the EGO domain."
The situation unfolded when EGO changed their firewall vendor and device model, Turktrust said. "Odds are too low that there is a malicious intent on their side. There is also no evidence at all of any other malicious use of the faulty cert."
In response to questions sent via email on Friday, a Turktrust spokesman advised this reporter to follow the discussion on the Mozilla mailing list and ask any questions there so they can be seen by the community.
Some people have called for browser vendors to revoke their trust in Turktrust's root CA certificates, a harsh measure taken once before against the former Dutch certificate authority DigiNotar, which filed for bankruptcy after its own root CA certificates were removed from browsers following a serious security breach on its systems.