A Case of Broken Trustico
On March 1, the Croydon, UK-based SSL/TLS certificate reseller Trustico made headlines in what may well be one of the most convoluted worst-case scenarios for website security.
The firm had devised a plan to rid its customers of all Symantec certificates, including those issued by Symantec's subsidiaries GeoTrust, Thawte, and RapidSSL. This set of SSL certificates had recently come under DigiCert's management, and Trustico planned to replace them with Comodo-issued certificates (which may or may not be as secure, given recent events). The plan lines up with the announced intentions of the Google Chrome and Mozilla teams to permanently distrust all Symantec certificates because of shady issues in the past.
DigiCert pushed back and told the head of Trustico that certificate revocation could only happen in specific cases. When asked to explain further, DigiCert's Chief Product Officer communicated that this kind of revocation typically happens only when certificates have been compromised. Playing the "compromise" card, Trustico pounced on the opportunity: naturally and nonchalantly, it produced evidence of a "compromise" by sending DigiCert a copy of all 23,000 customer private keys.
In a flurry of "he said, she said" chaos, both companies took their arguments to Mozilla's security policy newsgroup, from which the dispute ultimately spilled over onto Twitter, and the rest is potential Pwnie Award fuel.
DigiCert responded by issuing alerts to its customers detailing the compromise of their certificates. Trustico, for its part, confirmed that these private keys (which checked out, according to customers who were privy to the email contents) had all been retrieved from "cold storage". Naturally (and appropriately), customers freaked out.
The very fact that Trustico had copies of these private keys, and that these private keys were able (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Cylance Blog. Read the original post at: Cylance Blog