In early February, Trustico, a reseller of DigiCert SSL certificates, requested (without explanation) that all certificates issued through Trustico be revoked.
The investigation revealed a monstrous disregard for basic security practices:
- the reseller, in violation of the rules, kept copies of the certificates' private keys, which in itself compromised those certificates;
- users knew nothing about this;
- the web service for issuing certificates loaded scripts owned by third-party companies, including advertising services;
- Trustico's official site contained a vulnerability that allowed arbitrary code execution on the server with root privileges (the researcher who discovered the problem claims to have found the necessary information in open sources);
- other researchers who exploited this vulnerability could not reach the archive of Trustico customers' private keys, but did find on the compromised server the private key for the *.trustico.com wildcard certificate;
- instead of acknowledging the problems, Trustico tried to deny even possessing the private keys, which is pointless, since it had earlier sent those customer private keys to DigiCert as proof that the certificates needed to be reissued. The desire to hush up and hide the incident by any means, in the hope that this time it would blow over, is evident. It did not.
This incident is likely to have a significant impact on the industry. A revision of the principles governing interaction between certificate authorities and resellers is clearly needed, and tightening the requirements for resellers is worth considering. A "security seller" whose site has an input field that lets anyone enter arbitrary shell commands to be executed on the server with superuser privileges is absurd.