23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Minimalist · Mar 1, 2018

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours.

This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are supposed to be secret, and only held by the cert owners, and certainly not to be disclosed in messages. In the wrong hands, they can be used by malicious websites to masquerade as legit operations.

Unless the affected certificates are replaced in time, visitors to websites using Trustico-sold HTTPS certs will be turned away by their browsers, due to the digital certificates being revoked.

The whole situation is a mess, and possibly the result of a turf war. Here's what we've managed to ascertain.
Click to expand...

https://www.theregister.co.uk/2018/03/01/trustico_digicert_symantec_spat/

itman · Mar 1, 2018

Trustico States They Stored Private Keys for Customers' SSL Certificates
https://www.bleepingcomputer.com/ne...-private-keys-for-customers-ssl-certificates/

Minimalist · Mar 1, 2018

"The storage of private keys appears to be done without the user's knowledge or consent," he added. "Given everything that's known, then regardless of who emailed whose customers when and why, I think it's clear that Trustico compromised those keys [...], and has been routinely compromising customer keys for years."

"Given that there's no evidence that Trustico [...] indicated any intent to change their business practices, then I believe it's appropriate for all CAs to immediately suspend or terminate their relationship with Trustico," Mill added.
Click to expand...

Trustico? I don't think so. I think that we will soon read about how they closed their business.

142395 · Mar 1, 2018

Oh...I had quite narrowed down my trust circle on all devices (maybe 1/4 or so certs distrusted), but couldn't distrust all Digicert/Symantec cert as it'll break too many sites.
I dream of a world where we no more need CAs - DNS Chain seems to be promising, but that world won't come because - these CA will lose its revenue!
So Google go to CT which is not at all effective against state sponsored actor. (sigh)

EASTER · Mar 1, 2018

The term blunder is an understatement.

Proverbial countdown to shutdown is on. That's pretty short notice.

And can't even imagine the headache yet to come for many of those clients in spite of the rush to stave off. Ouch

Minimalist · Mar 26, 2018

Trustico Boss Claims 'Significant Suffering' After Certificates Revoked

Trustico director Zane Lucas has issued a lengthy statement regarding the recent issue where 23,000 certificates were revoked.

Lucas claimed that Trustico “is suffering significantly as a result of the misrepresentation of the position” and is considering its position legally with respect to these issues and others in an effort to set the record straight “as it considers itself to have been unfairly and wrongly maligned.”
Click to expand...

https://www.infosecurity-magazine.com/news/trustico-suffering-certificates/

Log in or Sign up

23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Minimalist Registered Member

itman Registered Member

Minimalist Registered Member

142395 Guest

EASTER Registered Member

Minimalist Registered Member

Log in or Sign up

23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Minimalist Registered Member

itman Registered Member

Minimalist Registered Member

142395 Guest

EASTER Registered Member

Minimalist Registered Member

Useful Searches