SoylentNews is people
SoylentNews
[Ed note: After this story was submitted, it became known that there was a remote code execution (RCE) vulnerability on the Trustico web site which allowed malicious users to run arbitrary code as root on the server. Story at Ars Technica: Trustico website goes dark after someone drops critical flaw on Twitter. Link to the tweet. As of the time of this writing, the Trustico web site is unavailable. --martyb]
23,000 HTTPS certs will be axed in next 24 hours after private keys leak
Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours.
This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are supposed to be secret, and only held by the cert owners, and certainly not to be disclosed in messages. In the wrong hands, they can be used by malicious websites to masquerade as legit operations.
Unless the affected certificates are replaced in time, visitors to websites using Trustico-sold HTTPS certs will be turned away by their browsers, due to the digital certificates being revoked.
The whole situation is a mess, and possibly the result of a turf war. Here's what we've managed to ascertain.
What is Trustico?
Trustico, based in Croydon, UK, touted SSL/TLS certificates, which are used by websites to encrypt and secure their connections. It resold certs from the Symantec brand umbrella: Symantec, GeoTrust, Thawte, and RapidSSL. This umbrella is now owned and operated by DigiCert.
If you wanted to buy, say, a RapidSSL-issued certificate, you could do so via Trustico. The HTTPS cert ultimately leads back, along a chain of trust, to DigiCert, a root certificate authority trusted by web browsers and other software. In turn, a website presenting the Trustico-sold cert is trusted, its traffic secured using encryption, and the reassuring green padlock is displayed in visitors' browsers.
Why are the certificates being revoked?
According to DigiCert's chief product officer Jeremy Rowley earlier today, Trustico told DigiCert in early February that its resold certificates had been in some way "compromised," and that the certs needed to be mass revoked as a result.
DigiCert staff, we're told, asked Trustico for more information on this security mishap. The reseller replied it had a copy of the private keys, which is usually grounds for revocation, and thus insisted that DigiCert revoke the certificates.
When pressed for evidence, Trustico on Wednesday simply emailed DigiCert 23,000 certificates' private keys as proof it held this information, it is claimed. This forced DigiCert's hand: under the rulebook of standards set by the elders of the certificate security and browser worlds, the Trustico-sold certificates had to be revoked as a precaution within 24 hours. Specifically, the ones with their private keys in the email will be canceled.
(Score: 0) by Anonymous Coward on Friday March 02 2018, @11:01PM
Speaking of drinking the kool-aid...
"Many web sites simply don't need to be HTTPS. Forcing them into it is despicable."
As others have already pointed out it makes MITM attacks much harder. What is the price of using Lets Encrypt? Nothing. Why is it a good thing? Cause more encrypted traffic makes the mass surveillance of the web much harder!
I simply do not see a downside. If your site doesn't really need https then there is no security issue using it. If your logins and forms are unprotected then your users are sending some amount of personal info in plain text. I just can't figure out how using SSL is a bad thing.