The website for Trustico went offline on Wednesday morning, about 24 hours after it was revealed that the CEO of the UK-based HTTPS certificate reseller emailed 23,000 private keys to a partner.
The shutdown came shortly after a website security expert showed on Twitter a significant weakness that appeared to make it possible for outsiders to run malicious code on Trustico servers. The weakness, in the trustico.com website feature that allows customers to verify that certificates are properly installed on their sites, appeared to run as root. By inserting commands into that form, attackers could invoke code of their choosing and have it run on Trustico servers with unfettered "root" privileges, the tweet indicated.
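The flaw described above is a classic OS command injection: a web form takes a host name, pastes it into a shell command that checks the certificate, and the shell happily runs whatever else the attacker appended. The example below is added here for illustration and is not Trustico's code or anything reconstructed from the tweet; it assumes a hypothetical checker that shells out to a command-line tool (a harmless `printf` stands in for `openssl s_client` so the example runs offline) and shows the vulnerable pattern beside a hardened one that validates the host name and passes it as a separate argument with no shell involved.

```python
import re
import subprocess

# Stand-in for the real certificate-checking tool (e.g. openssl s_client),
# chosen so the example runs offline. It just echoes the host it was given.
CHECK_TOOL = ["printf", "checking %s\n"]

# Strict public host name syntax (labels of letters, digits, hyphens; a TLD).
# Anything else, including shell metacharacters, is rejected before it gets
# anywhere near a process.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def validate_hostname(host: str) -> str:
    """Return a normalised host name or raise ValueError on anything suspicious."""
    host = host.strip().lower().rstrip(".")
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def check_unsafe(host: str) -> str:
    """Vulnerable pattern: user input interpolated into a shell command line.

    A value such as 'example.com; id' ends the intended command and starts
    another, which the shell runs with whatever privileges the web app has.
    """
    cmd = f"printf 'checking %s\\n' {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def check_safe(host: str) -> str:
    """Hardened version: validate input, then pass it as a single argv element.

    With shell=False (the default) the host name is handed to the tool as one
    argument; '; id' would simply be part of an (invalid) host name rather
    than a second command. Validation rejects it before that point anyway.
    """
    host = validate_hostname(host)
    result = subprocess.run(
        CHECK_TOOL + [host], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying an injected command.
    for candidate in ("example.com", "example.com; echo INJECTED"):
        print("unsafe:", repr(check_unsafe(candidate)))
        try:
            print("safe:  ", repr(check_safe(candidate)))
        except ValueError as exc:
            print("safe:   rejected ->", exc)
```

Two independent defences are at work: the allow-list validation stops hostile input at the boundary, and the argv-list call means that even input which slipped past validation could not spawn a second process. Neither substitutes for the other control the tweet implies was missing: the checker should run as an unprivileged service account, so that a bug in it cannot hand out root.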
“If this is the case, it’s as bad as it gets,” security researcher Scott Helme told Ars.
Trustico representatives did not immediately respond to an email seeking comment for this post.
The website security expert who posted the vulnerability said in a follow-up tweet that the critical flaw had been published earlier. He did not say where or when, and he did not respond to messages asking for those details. His Twitter profile identifies him as the regional chapter leader for the Open Web Application Security Project in Serbia.
Critics wasted no time on Wednesday hammering Trustico following word that it had been storing customers' private keys, a practice that defies basic requirements set by the Certificate Authority Browser Forum. Much of the anger stems from the fact that the keys were accessible to the company's CEO, rather than being stored on separate devices, and that the CEO sent them by email. DigiCert identified the CEO as Zane Lucas. The Trustico website lists Lucas' title as director.
Eric Mill, an expert in public key infrastructure, said he was torn about whether posting the vulnerability to Twitter was justified.
“Just because you’re rallying around a company that’s doing something irresponsible doesn’t make it okay to publicly expose it,” he told Ars. At the same time, he noted, some Trustico employees have publicly stated that the mounting criticism is insulting and have used other language suggesting they may take legal action against critics. That kind of behavior often discourages more responsible ways of disclosing vulnerabilities. In the end, Mill said, “there are arguments on both sides.”
Post updated to add details about the CEO in the third-to-last paragraph.