posted by martyb on Friday March 02 2018, @12:04AM
from the Danger-Will-Robinson!-Danger! dept.

[Ed note: After this story was submitted, it became known that there was a remote code execution (RCE) vulnerability on the Trustico web site which allowed malicious users to run arbitrary code as root on the server. Story at Ars Technica: Trustico website goes dark after someone drops critical flaw on Twitter. Link to the tweet. As of the time of this writing, the Trustico web site is unavailable. --martyb]

23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours.

This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are supposed to be secret, and only held by the cert owners, and certainly not to be disclosed in messages. In the wrong hands, they can be used by malicious websites to masquerade as legit operations.

Unless the affected certificates are replaced in time, visitors to websites using Trustico-sold HTTPS certs will be turned away by their browsers, due to the digital certificates being revoked.

The whole situation is a mess, and possibly the result of a turf war. Here's what we've managed to ascertain.

What is Trustico?

Trustico, based in Croydon, UK, touted SSL/TLS certificates, which are used by websites to encrypt and secure their connections. It resold certs from the Symantec brand umbrella: Symantec, GeoTrust, Thawte, and RapidSSL. This umbrella is now owned and operated by DigiCert.

If you wanted to buy, say, a RapidSSL-issued certificate, you could do so via Trustico. The HTTPS cert ultimately leads back, along a chain of trust, to DigiCert, a root certificate authority trusted by web browsers and other software. In turn, a website presenting the Trustico-sold cert is trusted, its traffic secured using encryption, and the reassuring green padlock is displayed in visitors' browsers.

Why are the certificates being revoked?

According to DigiCert's chief product officer Jeremy Rowley earlier today, Trustico told DigiCert in early February that its resold certificates had been in some way "compromised," and that the certs needed to be mass revoked as a result.

DigiCert staff, we're told, asked Trustico for more information on this security mishap. The reseller replied it had a copy of the private keys, which is usually grounds for revocation, and thus insisted that DigiCert revoke the certificates.

When pressed for evidence, Trustico on Wednesday simply emailed DigiCert 23,000 certificates' private keys as proof it held this information, it is claimed. This forced DigiCert's hand: the CA/Browser Forum's Baseline Requirements, the rulebook agreed by certificate authorities and browser makers, oblige a CA to revoke a certificate within 24 hours once it has evidence that the certificate's private key has been compromised, and an email containing the key is exactly such evidence. Specifically, the ones with their private keys in the email will be canceled.
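What a key-compromise report should contain, and what the CA and a relying party then do with it, as an added example that is neither Trustico's nor DigiCert's code. Everything is constructed in-process with Go's standard library (Go 1.19 or later, for x509.ParseRevocationList): the CA, the leaf certificate, its serial number, the hostname and the challenge string are all invented for the example, so no real key material is involved. The point of ProveKeyPossession is that a reseller claiming to hold customers' private keys can demonstrate it with a signature over a challenge the CA chooses; emailing the keys themselves, as the article describes, is itself a further disclosure of the very secret being reported.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed throwaway PKI standing in for DigiCert and one resold leaf.
type testPKI struct {
	caKey, leafKey *rsa.PrivateKey
	caCert, leaf   *x509.Certificate
}

// mkCert issues tmpl under parent with signer's key; test helper, so it panics on error.
func mkCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	c, perr := x509.ParseCertificate(der) // der is nil when err != nil, so perr is set too
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

func newTestPKI() *testPKI {
	now := time.Now()
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // rand.Reader does not fail in practice
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to issue the CRL below
	}
	caCert := mkCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(23000), Subject: pkix.Name{CommonName: "www.example.test"}, // serial is arbitrary
		DNSNames: []string{"www.example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	leaf := mkCert(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	return &testPKI{caKey: caKey, leafKey: leafKey, caCert: caCert, leaf: leaf}
}

// KeyMatchesCert: the first check on any "we hold the private key" claim; only public halves are compared.
func KeyMatchesCert(key *rsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// ProveKeyPossession: what a compromise report should carry instead of the key itself.
func ProveKeyPossession(key *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyKeyPossession is the CA side: the certificate's own public key must verify the signature.
func VerifyKeyPossession(cert *x509.Certificate, challenge, sig []byte) bool {
	return cert.CheckSignature(x509.SHA256WithRSA, challenge, sig) == nil
}

// RevokeCompromised is the CA's response once possession is proven: a signed CRL listing the serials.
func RevokeCompromised(p *testPKI, serials []*big.Int) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.caCert, p.caKey)
}

// IsRevoked is the relying-party side, the check behind NET::ERR_CERT_REVOKED.
func IsRevoked(cert, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	// A CRL proves nothing unless the issuer signed it and it is still current.
	if err := rl.CheckSignatureFrom(issuer); err != nil || time.Now().After(rl.NextUpdate) {
		return false, fmt.Errorf("untrusted or stale CRL (signature error: %v)", err)
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := newTestPKI()
	crl, _ := RevokeCompromised(p, []*big.Int{p.leaf.SerialNumber})
	fmt.Println(IsRevoked(p.leaf, p.caCert, crl)) // true <nil>
}
```

IsRevoked shows only the CRL path. A browser may instead ask the CA over OCSP, or, in Chrome's case, consult its own curated CRLSet, which is one reason two browsers can disagree about the same revoked certificate. Whichever path is used, the decision rests on the same two facts the CA records when it revokes: the issuer's signature and the serial number.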


  • (Score: 2) by deimios (201) on Friday March 02 2018, @04:02AM (#646203)

    I am getting NET::ERR_CERT_REVOKED on this page with Chrome.

  • (Score: 0) by Anonymous Coward on Friday March 02 2018, @04:38AM (#646209)

    Interesting, I've tried it on the latest Chrome on both my machines and that link works just fine, as does https://revoked-isrgrootx1.letsencrypt.org/ and most of the revoked pages on https://www.digicert.com/digicert-root-certificates.htm but https://revoked.badssl.com/ does raise a revoked error. This is on both Chrome OS and Mac. Maybe it is some combination of non-default settings, different CRLsets, or platform. FWIW, all of them error when browsing with Firefox.

    • (Score: 4, Interesting) by FatPhil (863) on Friday March 02 2018, @09:10AM (#646293)
      The annoying thing with web security errors is that you're forbidden from seeing the content, even if you think the security system is a farce. Sometimes you can add exceptions, but not always. And to be honest, after all the various Comodo, Symantec, etc., fuckups over the years, everyone should consider HTTPS a farce.

      Paging Honest Akhmed...
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 1, Interesting) by Anonymous Coward on Friday March 02 2018, @03:14PM (#646405)

        HTTPS is fine, but the certificate layer it rests on is problematic.

        I prefer the Perspectives approach. https://addons.mozilla.org/en-US/firefox/addon/perspectives/

        They have "Notaries" instead of CAs; the difference is that each notary will try to get the cert for all websites. If they all agree on the cert, either the site is completely owned, or you are fine, as essentially, to get all the notaries to tell you false information, they would have to give that same false information to everyone.

        You do run into trouble with sites like google, however, that like to issue different certs all the time.

        • (Score: 1, Interesting) by Anonymous Coward on Friday March 02 2018, @05:48PM (#646497)

          Interesting, the plugin page you linked to links to http://www.perspectives-project.org which seems like it would be the official project page, but it just forwards to a WordPress site that doesn't exist...

          caveat emptor

          • (Score: 0) by Anonymous Coward on Friday March 02 2018, @07:40PM (#646575)

            The Perspectives Project is on relative life support, as the people who originally did it at University graduated. The same goes for the somewhat related Convergence. However, if you want a similar idea, you can use the EFF's HTTPS Everywhere and enable the setting that double-checks the certificate you receive with the SSL Observatory.
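The notary idea discussed in the last few comments, as an added example that is not part of the thread and not the Perspectives project's own code. The decision rule below is a simplified one (accept the received certificate if at least a quorum of notaries has seen it for that host); Perspectives' real policy also weighs how long each certificate was observed. Notary names and fingerprints are constructed. The example also shows the caveat raised above: a site that has just rotated to a new certificate looks the same to the client as a site being intercepted, because in both cases the notaries have not seen the new fingerprint yet.

```go
package main

import (
	"fmt"
	"sort"
)

// Notary is one vantage point: the certificate fingerprints it has retrieved
// for a host over time, with how many times each was observed.
type Notary struct {
	Name string
	Seen map[string]int // fingerprint -> observation count; nil means no data for this host
}

type Verdict string

const (
	Consistent   Verdict = "consistent"   // the received cert is known to a quorum of notaries
	Unknown      Verdict = "unknown"      // too few notaries have data for this host
	Inconsistent Verdict = "inconsistent" // a quorum has data, but not this cert: MITM or a fresh cert
)

// Judge decides whether the fingerprint a client received agrees with what at
// least quorum notaries have seen. An attacker who controls only the client's
// network path cannot change what notaries elsewhere observe, which is the
// whole point of the scheme. Because each notary keeps a set of fingerprints,
// a site that legitimately serves several certificates stays consistent as
// long as the one received is among those the notaries have observed.
// The second return value is the received fingerprint when consistent, or
// the fingerprint most notaries agree on when inconsistent.
func Judge(received string, notaries []Notary, quorum int) (Verdict, string) {
	agree, withData := 0, 0
	tally := map[string]int{} // fingerprint -> number of notaries that have seen it
	for _, n := range notaries {
		if len(n.Seen) == 0 {
			continue
		}
		withData++
		if n.Seen[received] > 0 {
			agree++
		}
		for fp := range n.Seen {
			tally[fp]++
		}
	}
	if agree >= quorum {
		return Consistent, received
	}
	if withData < quorum {
		return Unknown, ""
	}
	// Report what the rest of the world is being served, so the user can tell
	// "everyone else sees a different cert" from "nobody has data".
	fps := make([]string, 0, len(tally))
	for fp := range tally {
		fps = append(fps, fp)
	}
	sort.Slice(fps, func(i, j int) bool {
		if tally[fps[i]] != tally[fps[j]] {
			return tally[fps[i]] > tally[fps[j]]
		}
		return fps[i] < fps[j]
	})
	return Inconsistent, fps[0]
}

// ExampleNotaries is constructed data for one hypothetical host.
func ExampleNotaries() []Notary {
	return []Notary{
		{"notary-a", map[string]int{"sha256:AAAA": 40}},
		{"notary-b", map[string]int{"sha256:AAAA": 38, "sha256:BBBB": 2}}, // saw a second cert briefly
		{"notary-c", map[string]int{"sha256:AAAA": 41}},
		{"notary-d", nil}, // no observations for this host
	}
}

func main() {
	n := ExampleNotaries()
	fmt.Println(Judge("sha256:AAAA", n, 3)) // consistent sha256:AAAA
	fmt.Println(Judge("sha256:EEEE", n, 3)) // inconsistent sha256:AAAA: local MITM, or a brand-new cert
	fmt.Println(Judge("sha256:BBBB", n, 3)) // inconsistent sha256:AAAA: only one notary has seen it
}
```

The third call is the rotation caveat in practice: the certificate is genuine but too new for the notaries, and only time (or a lower quorum, which also weakens the defence) makes it consistent.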