Thread by @geofft: "Okay, this Trustico SSL certificate disaster looks _amazing._ As far as I can tell, the most likely story is: Trustico, a web host, wanted t […]"

15 tweets
Okay, this Trustico SSL certificate disaster looks _amazing._ As far as I can tell, the most likely story is:
Trustico, a web host, wanted to move their customers away from Symantec certs to Comodo, and wanted to force their customers to move by revoking their certs.
They asked Digicert (new owners of the Symantec root), who said, no, we won't revoke just because the web host asks, we only revoke on compromise.
I'm guessing Digicert also said, by way of clarification, that one thing that would cause them to revoke certs is the private key being disclosed.
At which point Trustico's CEO decided to EMAIL 23,000 CUSTOMER PRIVATE KEYS to Digicert, apparently in order to trigger that clause.
Turns out Trustico has an online private key generator, and probably logged all the customer private keys generated that way.
Digicert reached out to the Mozilla security policy list for help managing a massive revocation, and also emailed all Trustico customers as a heads up.
Then Trustico responds angrily to the list objecting to this being called a "compromise", and calls Digicert's email "absolutely defamatory."
Oh, correction, Trustico isn't a web host, they're an SSL reseller.
OH IT GETS BETTER. Trustico confirms they store the keys they generate for customers so that they can revoke them: trustico.com/news/2018/syma…
This is, to be clear, not standard practice. The reason it works for revocation is that it's proof the key is _already_ compromised.
Part 3: Trustico's website is down, shortly after this extremely easy security hole (shell injection) in their order form made the rounds:
Anyone entering crafted input had full access to their live server. Speculation is that someone took pity on their customers, and injected a `shutdown -h now`.
So, here's the Internet Archive link to Trustico's statement last night about why they wanted the certificates revoked: web.archive.org/web/2018030101…
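The thread's point about key storage (a reseller that generates and keeps your private key has, by definition, a copy it can leak) has a simple defensive counterpart: generate the key and the certificate signing request on your own machine, and hand the CA or reseller only the CSR. The script below is an added example, not code from @geofft's thread or from any party named in it; it assumes the `openssl` command-line tool is installed, and the hostname `www.example.test` is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread above): keep private-key generation local.
# Assumes the openssl CLI; the hostname used in the demo is a constructed placeholder.
set -eu

# make_local_csr DIR CN
#   Generates DIR/server.key (private, mode 0600) and DIR/server.csr on this
#   machine and prints the CSR path. The key never leaves DIR.
make_local_csr() {
  dir=$1
  cn=$2
  # Subshell so the restrictive umask does not leak into the caller.
  ( umask 077
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key" )
  # The CSR carries the public key plus a self-signature; no private material.
  openssl req -new -key "$dir/server.key" -subj "/CN=$cn" -out "$dir/server.csr"
  printf '%s\n' "$dir/server.csr"
}

# csr_matches_key DIR
#   Succeeds when the CSR's public key is the one derived from server.key and
#   the CSR self-signature verifies. Run this before sending the CSR anywhere.
csr_matches_key() {
  dir=$1
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout -outform DER | openssl dgst -sha256)
  csr_pub=$(openssl req -in "$dir/server.csr" -pubkey -noout \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_pub" = "$csr_pub" ] || return 1
  openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1
}

# csr_has_no_private_key DIR
#   Sanity check on what you are about to upload: a CSR must not contain a key.
csr_has_no_private_key() {
  dir=$1
  ! grep -q "PRIVATE KEY" "$dir/server.csr"
}

# key_not_world_readable DIR
#   Succeeds when server.key has no group/other permission bits set.
key_not_world_readable() {
  dir=$1
  mode=$(stat -c '%a' "$dir/server.key" 2>/dev/null || stat -f '%Lp' "$dir/server.key")
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Usage: sh thisscript.sh demo
case "${1:-}" in
  demo)
    workdir=$(mktemp -d)
    csr=$(make_local_csr "$workdir" "www.example.test")
    csr_matches_key "$workdir" && csr_has_no_private_key "$workdir" \
      && key_not_world_readable "$workdir" \
      && echo "OK: send only $csr to the CA; $workdir/server.key stays here"
    ;;
esac
```

Only `server.csr` goes to the CA or reseller. If a vendor instead offers to "generate the key for you" in a web form, the key has already been seen by a third party the moment it is shown to you, which is exactly the situation the thread describes.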