A big dust-up on an Internet discussion forum is raising troubling questions about the security of some HTTPS certificates that browsers rely on, after it emerged that the administrator of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates.
The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authority Comodo and, until recently, Symantec. It was sent to Jeremy Rowley, executive vice president at DigiCert, the certificate authority that took over Symantec’s certificate-issuing business after Symantec’s conduct led Google to stop trusting Symantec certificates in its Chrome browser. In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec certificates that Trustico had resold should be mass-revoked due to security concerns.
Shockingly cavalier
When Rowley asked for proof that the credentials were compromised, Trustico’s CEO emailed the private keys of 23,000 credentials, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security professionals, who said it showed a shockingly cavalier treatment of digital certificates, which are one of the most fundamental building blocks of web security.
In general, private keys for TLS certificates should not be stored by resellers at all, and even in the rare cases where such storage is permissible, they should be tightly secured. That an administrator was able to attach keys for 23,000 credentials to a single email raised concerns that such best practices were not being followed. (There was no indication the email was encrypted, either, though neither Trustico nor DigiCert provided that information when responding to inquiries.) Other critics argue Trustico emailed the keys in an attempt to force customers with Symantec certificates to migrate to Comodo certificates. Although DigiCert took over Symantec’s certificate-issuing business, it does not consider Trustico a reseller.
In a statement, Trustico officials said the keys were recovered from “cold storage,” a term that refers to offline storage systems.
“Trustico allows customers to generate a Certificate Signing Request and Private Key during the checkout process,” the statement read. “These Private Keys are stored in cold storage, for the purpose of revocation.”
The episode also raised new questions about Symantec’s adherence to industry rules when it allowed Trustico to resell its certificates. Under the CA/Browser Forum’s Baseline Requirements, resellers are not permitted to store the private keys for the certificates they sell. The email showed Trustico doing just that, as did its website’s offer to handle certificate signing requests for customers. As the owner of the root certificate used to sign the TLS certificates Trustico was reselling, Symantec is ultimately responsible for ensuring that this requirement is followed, although in fairness, there is probably no practical way for Symantec to detect such a violation. Trustico officials further called Symantec’s security into question on Thursday when they raised serious concerns over Symantec’s handling of an account Trustico used to sell the certificates.
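As an added illustration of the practice the Baseline Requirements paragraph above describes (this is not code from the article, Trustico or DigiCert): the subscriber generates the private key and the certificate signing request on its own host, so only the CSR is ever handed to a reseller or CA, and checks the result before uploading. It assumes OpenSSL is installed; the hostname and directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article. Keeps the TLS private key on the
# requesting host; only the CSR leaves it. Assumes OpenSSL is installed.

# Generate a 2048-bit RSA key and a matching CSR for DNS name $1 in
# directory $2. The key file is created mode 0600 via umask. Returns 0 on success.
make_local_csr() {
  host="$1"; dir="$2"
  mkdir -p "$dir"
  umask 077   # key file readable only by the current user
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/$host.key" 2>/dev/null || return 1
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
      -out "$dir/$host.csr" 2>/dev/null || return 1
}

# Pre-upload check: the CSR must carry the public half of the local key,
# its self-signature must verify, and the key file must not be group or
# world readable. Prints "ok" and returns 0 only when all three hold.
verify_local_csr() {
  host="$1"; dir="$2"
  key_pub=$(openssl pkey -in "$dir/$host.key" -pubout 2>/dev/null) || return 1
  csr_pub=$(openssl req -in "$dir/$host.csr" -pubkey -noout 2>/dev/null) || return 1
  [ "$key_pub" = "$csr_pub" ] || return 1          # CSR built from a different key
  openssl req -in "$dir/$host.csr" -verify -noout 2>/dev/null || return 1
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$dir/$host.key" 2>/dev/null || stat -f '%Lp' "$dir/$host.key")
  [ "$mode" = "600" ] || return 1                  # key exposed to other users
  echo ok
}

# Usage with constructed values: only www.example.test.csr is sent onward.
# make_local_csr www.example.test ./tls && verify_local_csr www.example.test ./tls
```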
“In our various discussions over the past week we have conveyed to you that we believe that Symantec has operated our account in a manner that has been compromised,” Trustico officials wrote. They continued: “We believe that orders placed through our Symantec account are at risk and we do not control them. the issue that arose.”
Symantec officials did not respond to an email seeking comment for this post.
Wednesday’s move comes after Google and Mozilla have spent years trying to improve the security of the certificates their browsers rely on. DigiCert’s commitment and adherence to the Baseline Requirements demonstrates that many certificate authorities and resellers are acting in good faith. Unfortunately, given the way the Internet’s TLS certificate issuance process works, a single point of failure is all it takes to create compromises that threaten the entire system. Readers can expect Google and Mozilla to spend considerable time and resources in the coming weeks getting to the bottom of the episode that came to light on Thursday.
Update: Several hours after this post went live, Trustico’s website went offline after a website security expert disclosed a critical vulnerability on Twitter. The flaw, in a trustico.com website feature that lets customers verify that their certificates are properly installed on their sites, appears to allow attackers to run malicious code on Trustico’s servers with unfettered “root” privileges.