Here, Hold My Private Key

Wed, Feb 28, 2018

Paid certificate authority Trustico provides a premium installation service in which they offer to take all the hassle of getting an SSL certificate running on your website off your hands. Oh, this includes your private key, but hey, service is service, right?

If you prefer, we can also generate your Certificate Signing Request, Private Key and Certificate and then provide it to you.

Now, what could possibly go wrong if the people who sign your security certificate also hold your private key and can modify your certificate at will? It is seriously amazing how the commercial CAs are cutting the branch they are sitting on. As if Let’s Encrypt, the completely free open source CA, chopping at the base of their tree wasn’t enough already. ^^
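As an added illustration (not from the original post), here is the defender's side of this: generate the key and CSR on your own host so the CA only ever receives the public half, and verify that the certificate that comes back actually belongs to your key. The domain name and the self-signed stand-in for the CA-issued certificate are constructed for this example; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: keep key generation on your own host so neither the CA nor
# its reseller ever holds the private key, then check the returned certificate.
# Assumes the openssl CLI; the domain name passed in is a constructed example.
set -eu

# Generate a 2048-bit RSA key and a CSR for it. Only the CSR (public key plus
# identity, signed with the key) is ever sent to the CA.
make_key_and_csr() {
  domain="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$domain.key" 2>/dev/null
  chmod 600 "$domain.key"            # the key never leaves this machine
  openssl req -new -key "$domain.key" -subj "/CN=$domain" \
    -out "$domain.csr" 2>/dev/null
}

# Stand-in for the CA: self-sign the CSR so the example runs offline. A real
# CA would return a certificate signed with its own key instead.
sign_csr_locally() {
  domain="$1"
  openssl x509 -req -in "$domain.csr" -signkey "$domain.key" -days 1 \
    -out "$domain.crt" 2>/dev/null
}

# Check that the public key inside a certificate is the one belonging to the
# local private key. Returns 0 on match, 1 on mismatch or read error.
key_matches_cert() {
  key="$1"; cert="$2"
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}
```

If the check fails for a certificate you just received, the CA signed a different public key than the one you hold, which is exactly the situation a key-handling service like the one above makes possible.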

Update: In a contract struggle with DigiCert, Trustico asked DigiCert to revoke all certificates of Trustico’s customers that are managed by DigiCert. DigiCert tells Trustico that only the customers themselves can request revocation of their certificates. They add that they can only mass-revoke all certificates if there is evidence of a security incident compromising the customers’ private keys.

So Trustico sends an e-mail to DigiCert containing more than 23,000 private keys. This apparently happened on the 27th of Feb. So now DigiCert has revoked all 23k affected certificates effective 1st of Mar and sent e-mails to all those customers notifying them of the revocation.

Apparently Trustico not only generated the private keys for premium installation customers, they also kept them. As I said, what could possibly go wrong…

Oh, and Trustico has responded to DigiCert, claiming:

At no time had any private keys been compromised, nor had we ever informed to you that any private keys had been compromised

They did not offer any explanation as to where the 23,000 private keys came from, though. I smell proper legal action incoming and think I should stock up on my popcorn reserves!

Update Update: Trustico released a statement admitting that they stored private keys for their customers’ SSL certificates. Additionally, among the compromised private keys are ones that were used by secure banking email servers or … Equifax!

There have already been calls for all other CAs to suspend or terminate their relationship with Trustico.

This gets better by the hour ^^