
How not to run a CA

Trustico is an SSL reseller, which just compromised 23,000 certificates they sold.

TL;DR: Forget your EV or other certs. Just run “Let’s Encrypt”. It gets you a cert, it’s fresh, and it does not make any difference whatsoever. At least not any you or anyone else can check for, or cares for.

Actual Trustico ad from their website (Screenshot 01-Mar-2018)

Here is how:

Chrome is going to distrust the Symantec root certificate soon, because they failed at running a Certificate Authority properly, repeatedly. Certificates from a reseller that chain up to the Symantec root will become invalid, no matter what validity period the certificate itself states.

Trustico wanted to move their customers from Symantec to Comodo, another company that failed at running a Certificate Authority properly, repeatedly, but which is not distrusted by Chrome, yet.

They asked Digicert, who bought the business of Symantec, to revoke (“cancel”) the certs they had sold to their customers, just because they say so. That, said Digicert, is not possible, because the conditions for revoking a certificate have not been met, and if you are trying to revoke a certificate just because someone said so, you are not running a Certificate Authority properly, and they would like Trustico to stop doing that.

Apparently Digicert also gave examples of proper causes for certificate revocation, and the one prime cause for revoking a cert is when the private key for that cert (which is supposed to be a secret known only to the proper owner of the cert, which is neither Digicert nor Trustico) is made known to people who have no business knowing it.

So the CEO of Trustico, Zane Lucas, mailed the private keys of 23,000 Trustico customers to Digicert, effectively invalidating them and at the same time proving that Trustico has knowledge of all their customers’ private keys and keeps copies of them, which proves that they never knew how to run a Certificate Authority business in the first place. It also compromises all their 23,000 customers’ security retroactively, and ends their own presence in the security space forever.

So Digicert needed help to do a mass cert revocation, and also informed the customers of Trustico of the situation directly, which angered the CEO of Trustico, because it made their absolute and limitless incompetence public.
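The technical point underneath all of this is that a CA or reseller never needs a subscriber’s private key: the subscriber generates the key locally and sends only a Certificate Signing Request, which carries the public key, the requested names and a signature that proves possession of the private key. Below is an added example (not code from this post, from Trustico or from Digicert) showing both sides of that flow in Go’s standard library, the same flow an ACME client performs when it talks to Let’s Encrypt. The names `example.test` and `www.example.test` are constructed sample values, and the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// GenerateKeyAndCSR creates the private key on the subscriber's own machine and
// builds a Certificate Signing Request for it. The CSR carries the public key,
// the requested names and a signature made with the private key; it is the only
// artefact that should ever be handed to a CA or a reseller.
func GenerateKeyAndCSR(commonName string, dnsNames []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: dnsNames,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// CSRToPEM encodes the DER request in the PEM form CAs accept.
func CSRToPEM(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}))
}

// PrivateKeyToPEM exists only to build the "wrong" submission in main and in the
// test: a private key shipped alongside the request, which is exactly what a
// reseller that keeps copies of customer keys would end up holding.
func PrivateKeyToPEM(key *ecdsa.PrivateKey) (string, error) {
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})), nil
}

// CheckCSR is the receiving side: everything a CA or reseller legitimately needs
// to do with a submission. It refuses anything that contains private key
// material, parses the request and verifies the self-signature, which proves the
// requester holds the private key without the key ever leaving the requester.
func CheckCSR(submission string) (*x509.CertificateRequest, error) {
	if strings.Contains(submission, "PRIVATE KEY") {
		return nil, errors.New("submission contains a private key: reject it, that key is already compromised")
	}
	block, _ := pem.Decode([]byte(submission))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

func main() {
	// Constructed sample names; .test is a reserved TLD, so this is not a real site.
	key, der, err := GenerateKeyAndCSR("example.test", []string{"example.test", "www.example.test"})
	if err != nil {
		panic(err)
	}
	csrPEM := CSRToPEM(der)
	fmt.Print(csrPEM) // this, and only this, goes to the CA
	csr, err := CheckCSR(csrPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("CSR accepted for", csr.Subject.CommonName, csr.DNSNames)

	// The anti-pattern: the key travels with the request (or is generated by the
	// reseller's web form in the first place). The receiving side must refuse it.
	keyPEM, _ := PrivateKeyToPEM(key)
	if _, err := CheckCSR(csrPEM + keyPEM); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The rejection branch is the part worth keeping in mind when reading the rest of the story: a key that has reached a reseller’s mailbox or database is, by the CA’s own revocation criteria, already a compromised key, so the only correct response to receiving one is to revoke, never to store it.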

Trustico Statement

Digicert Statement

Mozilla Mailing List Thread

Earlier statement (Mid 2017) of Comodo and Trustico Partnership, which may need review under the current situation

Reddit Thread

IT Wire article

Cyberscoop article


Published in Hackerterrorcybercyber

6 Comments

    • kris kris

      And in reaction to this, in Mozilla dev.security.policy:

      »As I understand it, Trustico is in the process of terminating their relationship with Digicert and switching to Comodo for issuance. I have a question for Digicert, Comodo, and other CAs:

      Do you do any vetting of resellers for best practices?

      While clearly most of the security burden rests with the CA, this example shows that resellers with poor security practices (archiving subscriber public keys, e-mailing them to trigger revocation, trivial command injection vulnerabilities, running a PHP frontend directly as root) can have a significant impact on the security of the WebPKI for a large number of certificate holders.

      Are there any concerns that the reputability of a CA might be impacted if they willingly choose to partner with resellers which have demonstrated such problems?«

      • Robert Thille

        ^public keys^private keys^

        • kris kris

          The quote “as-is”.

          You are correct. The original author most likely meant “private keys”.

  1. Mike

    Having followed this story from Digicert’s initial email, because I received it, and having also exchanged with Trustico and RapidSSL (Digicert) support since my certificate was about to be revoked, I say that this is a very good summary.

    Especially the conclusion “also ending their own presence in the security space forever”.
    Which I phrased slightly differently in my reply to Digicert “They are dead”.

    BTW, you know what? Trustico offered me a coupon for a free replacement of my certificate, with their own (“Trustico® Single Site”). Hmmm, not sure what I will do… (just kidding).

    • So, did you use the web form and download a private key from them back in the day?
