[Ed note: After this story was submitted, it became known that there was a remote code execution (RCE) vulnerability on the Trustico web site which allowed malicious users to run arbitrary code as root on the server. Story at Ars Technica: Trustico website goes dark after someone drops critical flaw on Twitter. Link to the tweet. As of the time of this writing, the Trustico web site is unavailable. --martyb]
23,000 HTTPS certs will be axed in next 24 hours after private keys leak
Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours.
This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are supposed to be secret, and only held by the cert owners, and certainly not to be disclosed in messages. In the wrong hands, they can be used by malicious websites to masquerade as legit operations.
Unless the affected certificates are replaced in time, visitors to websites using Trustico-sold HTTPS certs will be turned away by their browsers, due to the digital certificates being revoked.
The whole situation is a mess, and possibly the result of a turf war. Here's what we've managed to ascertain.
What is Trustico?
Trustico, based in Croydon, UK, touted SSL/TLS certificates, which are used by websites to encrypt and secure their connections. It resold certs from the Symantec brand umbrella: Symantec, GeoTrust, Thawte, and RapidSSL. This umbrella is now owned and operated by DigiCert.
If you wanted to buy, say, a RapidSSL-issued certificate, you could do so via Trustico. The HTTPS cert ultimately leads back, along a chain of trust, to DigiCert, a root certificate authority trusted by web browsers and other software. In turn, a website presenting the Trustico-sold cert is trusted, its traffic secured using encryption, and the reassuring green padlock is displayed in visitors' browsers.
Why are the certificates being revoked?
According to DigiCert's chief product officer Jeremy Rowley earlier today, Trustico told DigiCert in early February that its resold certificates had been in some way "compromised," and that the certs needed to be mass revoked as a result.
DigiCert staff, we're told, asked Trustico for more information on this security mishap. The reseller replied it had a copy of the private keys, which is usually grounds for revocation, and thus insisted that DigiCert revoke the certificates.
When pressed for evidence, Trustico on Wednesday simply emailed DigiCert 23,000 certificates' private keys as proof it held this information, it is claimed. This forced DigiCert's hand: under the rulebook of standards set by the elders of the certificate security and browser worlds, the Trustico-sold certificates had to be revoked as a precaution within 24 hours. Specifically, the ones with their private keys in the email will be canceled.
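Two checks a site operator would want in this situation, as an added example (not code from the article, Trustico or DigiCert): confirm whether a private key someone else "holds" really belongs to your certificate, and ask the issuing CA's OCSP responder whether the certificate has already been revoked. It uses only the openssl command line; the file names, the example.test subject and the separately supplied issuer certificate are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article, Trustico or DigiCert.
# Usage: sh certcheck.sh site.pem site.key [issuer.pem]   (file names assumed)
set -eu

# Return 0 if KEY is the private key for CERT (both PEM), 1 otherwise.
# The public key is derived from each side and the two are compared by hash,
# which is the proof a CA needs before treating the key as compromised.
key_matches_cert() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Print "good", "revoked" or "unknown" for CERT by querying the OCSP responder
# named in its Authority Information Access extension. ISSUER is the PEM of the
# CA certificate that signed CERT; it is also the trust anchor used to verify
# the responder's signature (never pass -noverify here).
# Returns 2 if the certificate carries no OCSP URI (e.g. a self-signed cert).
ocsp_status() {
    cert=$1; issuer=$2
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    [ -n "$url" ] || { echo "no OCSP URI in $cert" >&2; return 2; }
    # First stdout line is "<cert file>: <status>"; keep only the status word.
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -CAfile "$issuer" \
        | awk 'NR == 1 { print $NF }'
}

if [ $# -ge 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "$2 is the private key for $1: revoke and reissue if anyone else has a copy"
    else
        echo "$2 does not match $1"
    fi
    if [ $# -ge 3 ]; then
        echo "OCSP status: $(ocsp_status "$1" "$3")"
    fi
fi
```

The OCSP query needs network access to the CA; the key comparison runs entirely offline, so it is safe to run on a machine that holds the real key.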
(Score: 0) by Anonymous Coward on Friday March 02 2018, @12:23AM (8 children)
Apparently someone figured out they were running their web server as root as well earlier today. I think that company is basically done. If you have your cert through them ask for a refund and go elsewhere...
(Score: 5, Insightful) by requerdanos on Friday March 02 2018, @12:37AM
Not only that, but vulnerable to XSS such that you could request that it run arbitrary commands as root and it would happily comply.
According to the Ars story [arstechnica.com], the security researcher that published the vulnerability publicly didn't want to do so on general principle, but Trustico has been threatening to sue people who allege that their security is anything less than super-perfect, and he didn't want to just "allege".
Also, people or companies that sue or who threaten to sue others that see them doing wrong and mention the fact usually deserve everything that comes their way.
(Score: 4, Insightful) by NewNic on Friday March 02 2018, @12:55AM (6 children)
Let's Encrypt works well and the price is right!
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 4, Interesting) by requerdanos on Friday March 02 2018, @01:59AM (5 children)
Not only that, but installing it from scratch on your* server takes less than five minutes from start to finish.
"The Secret" to installing Let's Encrypt is to install certbot [eff.org] and run it, and it does everything for you. All you do is answer a few easy questions and watch it start working**.
- Gets you a certificate for Apache or Nginx
- Installs it
- Sets up a cron job to auto-renew your certificate
- Optionally (it asks you) configures your domain to forward all http requests to https
Just that simple.
-----
* "your" server is one on which you have a root shell. http://lowendbox.com [lowendbox.com] knows where you can get one for pocket change.
** subject to terms and provisions of murphy's law
(Score: 0) by Anonymous Coward on Friday March 02 2018, @08:19AM (4 children)
You forgot a few steps there.
1: Download random software from untrustworthy website[1]
2: Install random software.
3: Buy and install antivirus software.
4: Lose fight against malware.
5: Reinstall.
6: Admit that downloading random software from untrustworthy websites is exactly what we've been warning Windows users about since Windows 95.
[1] Any website that recommends downloading random software from an untrusted website is automatically untrustworthy. That their protocol is so deliberately complicated as to make it futile to try writing a simple shell script, so that people are forced to download their untrustworthy software, just makes it worse.
(Score: 2) by KiloByte on Friday March 02 2018, @08:30AM
You mean [debian.org]? A client much better than the official one; here's [angband.pl] my doc.
Moreover, I consider that systemd must be destroyed.
(Score: 2) by Wootery on Friday March 02 2018, @12:35PM
Since when is https://certbot.eff.org/ [eff.org] an 'untrustworthy site'? (I mean, it's signed by Let's Encrypt, so technically it's self-signed.)
Don't know why you're rambling about AV.
(Score: 2) by TheRaven on Friday March 02 2018, @01:51PM
sudo mod me up
(Score: 2) by requerdanos on Friday March 02 2018, @02:40PM
I was actually downloading from "https://mirror.cogentco.com/debian/" using a tool called apt-get, which compares the signatures of each downloaded file to those on a hand-audited release list. Because of this, mirror.cogentco.com/debian is about as reliable as a website for downloading software will ever get. If you didn't do it that way, or a similar way, you are doing it wrong.
Based on your description, you were doing it very very wrong. I found your problem (it's pebkac).
TL;DR: Don't be like AC. Use apt-get, yum, rpm, pacman, or another similar tool to begin this simple, secure process (unless your administrative skills are up to the task of doing it on your own, unlike AC above).