On March 1, the clients of the SSL reseller Trustico learned that 23,000 certificates would be revoked within 24 hours. The revocation was initiated by the certificate authority DigiCert after it emerged that Trustico had been holding copies of its clients' private keys. Below we describe what happened in more detail.
The parties involved
Trustico sells Symantec, GeoTrust, Thawte and RapidSSL certificates. All of these brands were previously managed by Symantec, but since December 1, 2017, the CA DigiCert has been responsible for them. Last year Google began a process of distrusting certificates issued from Symantec's old infrastructure, because the company had failed to exercise proper control over compliance with the rules that CAs must follow. As a result, Symantec decided to sell its certificate business to DigiCert in order to "restore confidence" and satisfy Google's requirements, as we described earlier.
The situation with Trustico
On February 28, Trustico demanded that DigiCert revoke the Symantec certificates, citing compromise. When DigiCert asked for details, Trustico representatives simply e-mailed it 23,000 private keys belonging to client certificates.
That left DigiCert no choice. Once a private key has demonstrably passed through a third party's hands it counts as compromised, and the CA/Browser Forum Baseline Requirements oblige a CA to revoke such a certificate within 24 hours. DigiCert started the revocation process and notified every certificate holder whose private key appeared in Trustico's e-mail. At the same time, DigiCert stressed that this revocation is in no way connected with the distrust of Symantec certificates by Google and Mozilla, which is due to begin on March 15.
Where the private keys came from
The story began in the first half of February, when Trustico asked DigiCert to immediately revoke 50,000 certificates that had allegedly been compromised. The CA declined: the reseller offered no evidence to support the claim.
Shortly afterwards, Trustico's website announced that it was dropping Symantec, GeoTrust, Thawte and RapidSSL certificates. Trustico's head, Zane Lucas, then e-mailed Jeremy Rowley, a vice-president at DigiCert, a copy of the private keys as proof of the compromise. According to Rowley, Trustico did not say at first where the keys had come from. Later, however, Lucas made a statement from which it became clear that Trustico held the keys in "cold storage".
Trustico had automated certificate issuance by generating the CSR (Certificate Signing Request), and with it the key pair, on the customer's behalf; because the keys were created on the reseller's side, it was able to save copies of the private keys. Trustico's customers did not know that their keys were available to anyone else, the company's CEO included.
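To make concrete what a CSR does and does not carry, here is an added example in Go (standard library only; this is not Trustico's or DigiCert's code). The key pair and CSR are generated on the subscriber's own machine, a throwaway self-signed root stands in for the CA, and the subscriber then checks that the returned certificate matches the key it holds. The host name www.example.com and the "Toy Root CA" are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts the demo on any unexpected error.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// GenerateKeyAndCSR creates the key pair on the subscriber's own machine and
// builds a CSR for it. Only the CSR (subject, public key, self-signature) is
// meant to leave this machine; the private key never does.
func GenerateKeyAndCSR(host string) (*rsa.PrivateKey, []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	check(err)
	return key, csrDER
}

// CSRMatchesKey parses the CSR, verifies its proof-of-possession signature and
// confirms the embedded public key belongs to the local private key. Nothing in
// a CSR lets whoever receives it reconstruct that private key.
func CSRMatchesKey(csrDER []byte, key *rsa.PrivateKey) bool {
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature())
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// issueToyCert stands in for the CA: a throwaway self-signed root (not DigiCert's
// or any reseller's infrastructure) signs a leaf for the public key in the CSR.
func issueToyCert(csrDER []byte) []byte {
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, csr.PublicKey, caKey)
	check(err)
	return leafDER
}

// CertMatchesKey is the check a subscriber runs on a certificate it receives:
// its public key must be the one for the private key the subscriber holds (the
// same test as comparing `openssl x509 -modulus` with `openssl rsa -modulus`).
func CertMatchesKey(certDER []byte, key *rsa.PrivateKey) bool {
	cert, err := x509.ParseCertificate(certDER)
	check(err)
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// Demo runs the flow end to end and reports (csrOK, certMatchesOwnKey,
// certMatchesForeignKey). The "foreign" key models a pair generated by someone
// other than the subscriber, as with keys generated on a reseller's servers.
func Demo() (csrOK, own, foreign bool) {
	key, csrDER := GenerateKeyAndCSR("www.example.com")
	certDER := issueToyCert(csrDER)
	foreignKey, _ := GenerateKeyAndCSR("www.example.com")
	return CSRMatchesKey(csrDER, key), CertMatchesKey(certDER, key), CertMatchesKey(certDER, foreignKey)
}

func main() {
	csrOK, own, foreign := Demo()
	fmt.Printf("CSR matches local key: %v\ncert matches own key: %v\ncert matches foreign key: %v\n",
		csrOK, own, foreign)
}
```

A CSR contains the subject, the public key and a signature proving possession of the private key; the private key itself is never part of it, so a reseller that merely forwards a customer-generated CSR has nothing to store. Trustico's arrangement differed in that the key pair was generated on its side, which is why copies existed to keep in "cold storage". The equivalent OpenSSL check on a received certificate is to compare the output of `openssl x509 -noout -modulus -in cert.pem` with `openssl rsa -noout -modulus -in key.pem`.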
Community response and implications
Trustico's behaviour gave rise to the suspicion that the company had deliberately "compromised" the keys in order to trigger revocation of the Symantec SSL/TLS certificates and move its business to other products. Consistent with this reading, Trustico had begun selling certificates from DigiCert's competitor Comodo shortly before the incident.
The community was also alarmed that the keys were sent by e-mail, since it is not known whether the channel they travelled over was protected. Even if it was, private keys that have been mailed now sit in at least two mailboxes and their backups, so they have to be treated as compromised regardless. It is therefore not surprising that security researchers turned their attention to the reseller's own infrastructure.
And problems were found. One Twitter user posted details of a critical vulnerability in Trustico's website; as a result, the reseller's site was taken offline for some time.
The company's website offered a tool that let site owners verify that their certificate was installed correctly, and it contained a flaw: commands could be injected through the verification form and executed as root on Trustico's servers, a classic command injection. According to the researcher, the problem had been known for a long time, since he found all the information in open sources on the Internet.
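The flaw described above is a command injection: user input from a web form reaching a shell. The following is an added example in Go, not Trustico's code, showing the pattern beside its hardened form. The `openssl s_client` invocation, the hostname grammar and the attacker payload are constructed for illustration, and the vulnerable runner uses `echo` in place of openssl so that it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// hostnameRE accepts RFC 1123 host names: dot-separated labels of letters,
// digits and hyphens, 1-63 characters each, no leading or trailing hyphen, at
// least two labels. Shell metacharacters, spaces and a leading '-' all fail it.
var hostnameRE = regexp.MustCompile(
	`^(?i:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)(?:\.(?i:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?))+$`)

// ValidateHostname is the allow-list gate a certificate checker should apply
// to user input before it reaches any subprocess.
func ValidateHostname(host string) error {
	if len(host) == 0 || len(host) > 253 {
		return errors.New("hostname length out of range")
	}
	if !hostnameRE.MatchString(host) {
		return errors.New("hostname contains characters outside RFC 1123 labels")
	}
	return nil
}

// VulnerableShellLine models the flaw described above: the user-controlled host
// is spliced into a shell command string. Whatever the user typed after a ';'
// becomes a second command, run with the web server's privileges (root, on the
// reseller's site according to the report).
func VulnerableShellLine(host string) string {
	return "openssl s_client -connect " + host + ":443 -servername " + host + " </dev/null"
}

// SafeCommandArgs is the hardened form: the host is validated against the
// allow-list, then passed as separate argv elements with no shell in between
// (to be run with the standard library's exec.Command(args[0], args[1:]...)).
func SafeCommandArgs(host string) ([]string, error) {
	if err := ValidateHostname(host); err != nil {
		return nil, err
	}
	return []string{"openssl", "s_client", "-connect", host + ":443", "-servername", host}, nil
}

// RunVulnerable executes a string through sh exactly as a naive checker would.
// "echo" stands in for openssl to keep the demo offline; the injection behaves
// the same way: the text after ';' runs as a separate command.
func RunVulnerable(host string) (string, error) {
	out, err := exec.Command("sh", "-c", "echo checking "+host).CombinedOutput()
	return strings.TrimSpace(string(out)), err
}

func main() {
	payload := "example.com; echo INJECTED" // constructed attacker input
	fmt.Println("shell line:", VulnerableShellLine(payload))
	if out, err := RunVulnerable(payload); err == nil {
		fmt.Println("sh output:", out) // second line shows the injected command ran
	}
	if _, err := SafeCommandArgs(payload); err != nil {
		fmt.Println("hardened checker rejected:", err)
	}
	args, _ := SafeCommandArgs("www.example.com")
	fmt.Println("hardened argv:", args)
}
```

Two independent defences are at work: validation against an allow-list (which also blocks a leading '-' that could be read as an option even when no shell is involved), and passing arguments as argv rather than through `sh -c`. Neither addresses the second problem the report points to, a web-facing checker running as root, so that any bug in it becomes full host compromise; such tools should run as an unprivileged user.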
Trustico now also faces legal problems. Twitter users note that the reseller serves a number of large customers, including Equifax, one of the major US credit bureaus, and the reputational damage from the open questions about this incident and the management's ambiguous actions could cost it large orders.
Related materials on the 1cloud blog: