CEO of Trustico emails 23,000 HTTPS private keys, triggering panicked mass-revocation

On March 5, 2018 by Maybell
On Tuesday, the CEO of UK certificate reseller Trustico decided to settle an argument with Digicert executive VP Jeremy Rowley by emailing him the private keys for 23,000 TLS certificates that had been issued by Symantec’s disgraced Certificate Authority, to prove they had been compromised.
Symantec was once one of the internet's leading Certificate Authorities, empowered to issue the cryptographic credentials that secure HTTPS browser sessions and other private communications. It was caught in a series of grievous security shortcomings, thanks in large part to Certificate Transparency, the system of public, append-only logs that records nearly every certificate issued for the web: mis-issued certificates that would once have gone unnoticed now turn up in the logs, producing incontrovertible evidence of cheating and incompetence.
Digicert inherited Symantec's Certificate Authority business. Trustico was once a reseller for Symantec and had sold 50,000 Symantec certificates that it now claimed had been compromised (Trustico is not a Digicert reseller, so if the certificates were revoked, Trustico could collect 50,000 new paydays by reselling replacements from one of its other suppliers). Digicert's Rowley doubted the claim, so Trustico's CEO just emailed him the private keys.
A reseller has no business holding its customers' private keys at all: the private key is supposed to be generated and kept by the certificate holder, and neither the Certificate Authority nor its resellers are permitted to retain a copy. Worse, once a key is known to be in anyone else's hands (and a key sitting in a third party's mailbox plainly is), the industry's Baseline Requirements oblige the CA to revoke the certificate within 24 hours, which is what forced Digicert's mass revocation. Trustico says it kept the keys in "cold storage," a meaningless buzzphrase that in no way excuses a major breach of its duty as a reseller for a Certificate Authority.
Trustico's website went offline shortly after news of this breach of protocol broke; a researcher had revealed a serious security flaw in the site that would let attackers execute arbitrary code with root privileges on Trustico's servers.
Prior to the introduction of Certificate Transparency, many security researchers had voiced concern that the practices of Certificate Authorities were inadequately scrutinized and ripe for abuse. Since so much of the internet's security depends on CAs behaving themselves, and since any CA can issue a certificate for any domain, a single rogue or compromised CA could undermine any session or communication; bad conduct among CAs presented a nearly infinite risk to the security of the internet and its users.
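The reason Certificate Transparency produces "incontrovertible evidence" is the data structure behind each log: an append-only Merkle tree, so a log can prove that a given certificate is in the tree (and a monitor can detect any attempt to quietly remove or alter an entry) using only a handful of hashes. The following is an added example written for this page, not code from Boing Boing, Ars Technica, Trustico or Digicert: it implements the RFC 6962 tree hash and inclusion proof and the RFC 9162 verification procedure over a constructed stand-in log of seven byte strings (a real log entry is a DER-encoded (pre)certificate; the entry contents, names and the `demo` helper are assumptions made for illustration).

```python
import hashlib
from typing import List


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: the 0x00 prefix keeps a leaf from ever colliding with an interior node."""
    return sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash (0x01 prefix, left child then right child)."""
    return sha256(b"\x01" + left + right)


def largest_power_of_two_below(n: int) -> int:
    """Split point k with k < n <= 2k, as RFC 6962 defines it for a tree of n >= 2 leaves."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: List[bytes]) -> bytes:
    """Merkle Tree Hash (MTH) of a log, exactly as RFC 6962 section 2.1 defines it."""
    if not entries:
        return sha256(b"")
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = largest_power_of_two_below(len(entries))
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def inclusion_proof(entries: List[bytes], index: int) -> List[bytes]:
    """Audit path for entries[index]: the sibling hashes needed to climb from that leaf to the root."""
    n = len(entries)
    if not 0 <= index < n:
        raise IndexError("leaf index outside the tree")
    if n == 1:
        return []
    k = largest_power_of_two_below(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_tree_hash(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_tree_hash(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int, proof: List[bytes], root: bytes) -> bool:
    """Recompute the root from one leaf and its audit path (RFC 9162 section 2.1.3.2).

    The verifier needs only the entry, its index, the tree size and the (signed) root;
    it never has to download the other leaves, which is what makes CT monitoring cheap.
    """
    if not 0 <= index < tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # more proof hashes than the tree has levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)  # we are a right child: sibling hash goes on the left
            if not fn & 1:
                while fn and not fn & 1:  # skip levels where our subtree has no right sibling
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)  # we are a left child
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample log: real entries are DER certificates; these strings only stand in for them.
SAMPLE_LOG = [f"constructed cert #{i}: CN=example-{i}.test".encode() for i in range(7)]


def demo() -> dict:
    """Prove every entry is in the log, then show that a swapped entry or a wrong index is rejected."""
    root = merkle_tree_hash(SAMPLE_LOG)
    size = len(SAMPLE_LOG)
    proofs = [inclusion_proof(SAMPLE_LOG, i) for i in range(size)]
    all_ok = all(verify_inclusion(SAMPLE_LOG[i], i, size, proofs[i], root) for i in range(size))
    forged = verify_inclusion(b"constructed cert #3: CN=evil.test", 3, size, proofs[3], root)
    wrong_index = verify_inclusion(SAMPLE_LOG[3], 4, size, proofs[3], root)
    return {"all_entries_verify": all_ok, "forged_entry_verifies": forged, "wrong_index_verifies": wrong_index}


if __name__ == "__main__":
    print(demo())
```

Production monitors also check consistency proofs between successive signed tree heads, so that a log operator cannot present one view of the tree to the browser and another to auditors; the inclusion check above is the piece that lets anyone confirm a specific certificate, such as one of the 23,000 revoked here, was in fact logged.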
“During our many discussions over the past week we put it to you that we believe Symantec to have operated our account in a manner whereby it had been compromised,” the Trustico officials wrote. They continued: “We believe the orders placed via our Symantec account were at risk and were poorly managed. We have been questioning Symantec without response as to concerning items for about a year. Symantec simply ignored our concerns and appeared to bury them under the next issue that arose.”
23,000 HTTPS certificates axed after CEO emails private keys [Dan Goodin/Ars Technica]