DigiCert withdraws 23 thousand SSL certificates: what is the reason

On March 1, customers of the SSL certificate reseller Trustico learned that 23,000 certificates would be revoked within 24 hours. The revocation was initiated by the certification authority DigiCert, because Trustico had its clients' private SSL keys in its possession.

Below we describe what happened.


Photo: Pexels / Skitterphoto / CC

The parties involved


Trustico sells Symantec, GeoTrust, Thawte, and RapidSSL certificates. Previously, all these certificates were managed by Symantec, but since December 1, 2017, the CA DigiCert has been responsible for them. Last year, Google launched a process to end trust in certificates issued through the old Symantec infrastructure, because the company could not demonstrate proper control over compliance with the service standards.

As a result, Symantec decided to sell the certification business to DigiCert in order to “restore trust” and comply with Google’s requirements, as we discussed earlier.

The situation with Trustico


On February 28, Trustico demanded that DigiCert revoke the Symantec certificates because they had been compromised. When DigiCert asked for details, Trustico representatives simply emailed it the private keys of 23 thousand client certificates.

As a result, DigiCert had no choice: the CA started the revocation process, sending a notification to every certificate holder whose private key appeared in Trustico's email. At the same time, DigiCert notes that this revocation has nothing to do with Google's and Mozilla's distrust of Symantec certificates, which was due to begin on March 15.

Where did the SSL keys come from


The story began in the first half of February. Trustico asked DigiCert to immediately revoke 50 thousand certificates, claiming they had been compromised. The certification authority declined: the reseller offered no supporting evidence.

A little later, a notice appeared on the Trustico website that it was dropping Symantec, GeoTrust, Thawte and RapidSSL certificates. Trustico's CEO, Zane Lucas, then sent DigiCert Vice President Jeremy Rowley a copy of the private keys by email as evidence of compromise. According to Rowley, Trustico at first did not disclose where these private keys came from. Later, however, Zane made a statement from which it became clear that Trustico kept the keys in "cold storage".

Trustico automated certificate issuance through its own CSR (Certificate Signing Request) tooling, which allowed the reseller to save and retain copies of the private keys. Meanwhile, Trustico's users did not know that their keys were available to anyone else, including the company's CEO.
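The technical point behind this part of the story is that a CSR carries only the public key, the requested subject and a self-signature; the private key is never needed by the reseller or the CA. The following added example (written for this article, not code from 1cloud, Trustico or DigiCert) shows the model that avoids the problem: the key pair and the CSR are generated on the requester's own machine, only the CSR is handed over, and two checks confirm what each side is holding. It assumes the third-party `cryptography` package; the function names and the sample domain names are ours.

```python
# Added example: generate the key and CSR locally, send only the CSR.
# Requires the `cryptography` package (pip install cryptography).
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def generate_key_and_csr(common_name, sans=()):
    """Create an RSA key pair and a CSR for it on the requester's side.

    Returns (private_key_pem, csr_pem). The private key is meant to stay
    on this machine; only csr_pem is sent to the reseller or CA.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    )
    if sans:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]),
            critical=False,
        )
    csr = builder.sign(key, hashes.SHA256())
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    csr_pem = csr.public_bytes(serialization.Encoding.PEM)
    return key_pem, csr_pem


def csr_is_safe_to_send(pem):
    """What the receiving side should accept: a CSR with a valid self-signature
    and no private-key material anywhere in the submitted blob."""
    if b"PRIVATE KEY" in pem:
        return False  # never accept or forward private keys
    csr = x509.load_pem_x509_csr(pem)
    return csr.is_signature_valid


def csr_matches_key(csr_pem, key_pem):
    """Requester-side check: the CSR's public key is the one for our private key."""
    csr = x509.load_pem_x509_csr(csr_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    return csr.public_key().public_numbers() == key.public_key().public_numbers()


if __name__ == "__main__":
    # Constructed sample domain names.
    key_pem, csr_pem = generate_key_and_csr("example.com", ["example.com", "www.example.com"])
    print("CSR safe to send:", csr_is_safe_to_send(csr_pem))
    print("CSR matches local key:", csr_matches_key(csr_pem, key_pem))
```

The private key written by `generate_key_and_csr` should be stored with restrictive permissions on the requesting host (or in an HSM); a reseller that only ever receives `csr_pem` has nothing to leak, and `csr_is_safe_to_send` refuses any submission that mixes key material in with the request.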


Photo: Flickr / Jeremy Segrott / CC

Community Response and Implications


Trustico's behavior gave rise to the view that the company had deliberately compromised the keys in order to trigger the revocation of the Symantec SSL/TLS certificates and move on to other products. This is supported by the fact that before the incident Trustico had started selling certificates from DigiCert's competitor Comodo.

The community was also troubled by the fact that the keys were sent by email, since it is not known whether the channel over which the messages were transmitted was protected. So it is not surprising that information security specialists turned their attention to the reseller's infrastructure.

And problems were found. One Twitter user published details of a critical vulnerability in Trustico's site; as a result, the reseller's site was taken offline for some time.


The company's website had a tool that let site owners verify that their certificates were installed correctly. It contained a bug that made it possible to inject commands into the verification form and execute malicious code with root privileges on Trustico's servers. Moreover, according to the researcher, the problem had been known for a long time, since he found all the information in open sources on the Internet.
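A certificate-installation checker of this kind typically wraps a command-line TLS client around a user-supplied hostname, and the bug described above is the classic consequence of passing that input through a shell. The added example below (written for this article; it is not Trustico's code and the page does not show what their tool looked like) shows the defensive pattern: the hostname is validated against the DNS label syntax before use, the command is built as an argument list so no shell ever interprets the input, and the checker itself is meant to run under an unprivileged account rather than root. Function names and the sample hostnames are our own.

```python
# Added example: a hardened "is my certificate installed?" checker.
import re
import subprocess

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# A hostname for this tool: at least two labels, total length <= 253.
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def is_valid_hostname(value):
    """Allow-list validation: anything outside DNS hostname syntax is rejected,
    which rules out shell metacharacters, whitespace and path characters."""
    if not isinstance(value, str) or len(value) > 253:
        return False
    return _HOSTNAME_RE.match(value.lower()) is not None


def build_check_command(hostname, port=443):
    """Return the command as an argv list. Because no shell is involved,
    the hostname is always a single literal argument, never parsed."""
    if not is_valid_hostname(hostname):
        raise ValueError("rejected hostname")
    if not 1 <= int(port) <= 65535:
        raise ValueError("rejected port")
    return [
        "openssl", "s_client",
        "-connect", f"{hostname}:{port}",
        "-servername", hostname,  # SNI, so the right certificate is served
    ]


def run_check(hostname, port=443, timeout=10):
    """Run the check with a timeout and an empty stdin so s_client exits.
    shell=False is the default; it is spelled out here because it is the point.
    Deploy this under a dedicated unprivileged user, never as root."""
    return subprocess.run(
        build_check_command(hostname, port),
        input=b"",
        capture_output=True,
        timeout=timeout,
        shell=False,
    )


if __name__ == "__main__":
    # Constructed sample input; the network call is not made here.
    print(build_check_command("www.example.com"))
```

The two layers are independent: validation stops bad input at the edge, and the argv-list call means that even a gap in the validator cannot turn a hostname into a shell command. Running the checker as an unprivileged user limits what any remaining bug can reach.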

Trustico now faces legal problems. Twitter users note that Trustico serves a number of large customers, including one of the major credit bureaus in the USA, Equifax. And the reputational damage from all the questions raised by this situation and the ambiguous actions of its management may cost the reseller large orders.
