Earlier this week, I wrote an article on underground hackers selling valid cryptographic certificates, which they obtained through stolen private keys and social engineering. More private keys were compromised yesterday when a dispute between Trustico and DigiCert got ugly. Trustico wanted DigiCert to revoke the certificates, likely because Trustico is trying to push its customers to Comodo, a new certificate authority it has partnered with. The whole situation is a bit confusing; here is what has happened so far.
– September 11, 2017: Google announces that it will stop trusting certificates issued by Symantec because Symantec violated Certificate Authority rules on certificate issuance.
– October 31, 2017: DigiCert buys Symantec Website Security, Symantec’s Certificate Authority services.
– February 2, 2018: Trustico sends DigiCert a revocation request for 50,000 certificates that it signed through Symantec. DigiCert refuses, citing industry rules that require revocation only in the event that a certificate’s private key has been compromised.
– February 28, 2018: Trustico’s CEO sends DigiCert an email containing 23,000 private keys for certificates generated through Trustico’s website, which forces DigiCert to revoke the associated certificates within 24 hours per industry rules.
– The same day, DigiCert emails the affected Trustico customers to notify them of the imminent revocation of their certificates, triggered by Trustico.
– The same day, Trustico releases a statement explaining why it made the revocation request and stating that the certificates were not actually compromised beyond the issue with the Symantec Certificate Authority.
“At no time did we believe that we had compromised any private keys, though at the request of DigiCert we provided the Private Keys to them in order to facilitate a revocation request.”
– March 1, 2018: Twitter user svblxyz finds a command injection vulnerability on the Trustico website. Trustico subsequently takes its website offline.
Unfortunately, the companies that own the 23,000 private keys were caught in the middle of this kerfuffle. The 23,000 certificates signed for those private keys are officially revoked and unusable as of today. DigiCert, following industry rules, has refused to revoke the remaining 27,000 Trustico certificates issued by Symantec.
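What "revoked and unusable" means in practice is that the CA publishes a revocation entry for the certificate's serial number and relying parties honour it. The Go program below is an added example written for this page, not Trustico's or DigiCert's code: it builds a constructed in-memory CA and one server certificate (the names "Demo Issuing CA" and "www.example.test" and the serial 4242 are made up), publishes a CRL that lists that serial with the RFC 5280 reason code keyCompromise, and shows the relying-party check that verifies the CRL's signature and freshness before rejecting the certificate. The leaf private key is generated inside the example only so it runs offline; the incident above hinged on the reseller's website holding customers' private keys, which is exactly what a subscriber generating its own key avoids. OCSP, which browsers also use, is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const ReasonKeyCompromise = 1 // RFC 5280 CRLReason value for keyCompromise

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewDemoCA generates a constructed, in-memory CA that may sign certificates and
// CRLs; re-parsing fills in its generated SubjectKeyId, which CRL signing requires.
func NewDemoCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// IssueServerCert has the CA sign a leaf certificate for host. The leaf key is made
// here only to keep the demo self-contained; in practice the subscriber generates it.
func IssueServerCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) *x509.Certificate {
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, caCert, &leafKey.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// PublishCRL has the CA sign a CRL listing entries; an empty list is a valid CRL.
func PublishCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, entries []x509.RevocationListEntry) []byte {
	tmpl := &x509.RevocationList{
		Number:                    big.NewInt(number),
		ThisUpdate:                time.Now(),
		NextUpdate:                time.Now().Add(24 * time.Hour),
		RevokedCertificateEntries: entries,
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))
}

// RevokeForKeyCompromise publishes a CRL that lists serial with reason keyCompromise.
func RevokeForKeyCompromise(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, serial *big.Int) []byte {
	return PublishCRL(caCert, caKey, number, []x509.RevocationListEntry{{
		SerialNumber: serial, RevocationTime: time.Now(), ReasonCode: ReasonKeyCompromise,
	}})
}

// CheckAgainstCRL is the relying party's side: it trusts the CRL only if the issuer
// signed it and it has not expired, then reports whether cert's serial is listed.
func CheckAgainstCRL(cert, issuer *x509.Certificate, crlDER []byte) (revoked bool, reason int, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, 0, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, 0, fmt.Errorf("CRL not signed by the certificate's issuer: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, 0, fmt.Errorf("CRL expired at %s", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, e.ReasonCode, nil
		}
	}
	return false, 0, nil
}

func main() {
	caCert, caKey := NewDemoCA("Demo Issuing CA")
	leaf := IssueServerCert(caCert, caKey, "www.example.test", 4242)
	// Empty CRL first; then the key is reported compromised and the next CRL lists it.
	fmt.Println(CheckAgainstCRL(leaf, caCert, PublishCRL(caCert, caKey, 1, nil)))
	fmt.Println(CheckAgainstCRL(leaf, caCert, RevokeForKeyCompromise(caCert, caKey, 2, leaf.SerialNumber)))
}
```

Run with `go run`: the first line prints `false 0 <nil>` while the CA's CRL is empty, the second `true 1 <nil>` once the key-compromise CRL is published. The relying-party check refuses a CRL that the certificate's own issuer did not sign, so a list published by an unrelated CA cannot be used to revoke, or to un-revoke, someone else's certificate.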
As the internet as a whole continues moving towards HTTPS encryption on every website, we continue to see issues with inadequate implementation. This leads to a false sense of security. In the end, there is no substitute for carefully reviewing any website you visit before entering sensitive information. –Trevor Collins