Okay, this Trustico SSL certificate disaster looks _amazing._ As far as I can tell, the most likely story is:
Trustico, a web host, wanted to move their customers away from Symantec certs to Comodo, and wanted to force their customers to move by revoking their certs.
They asked Digicert (new owners of the Symantec root), who said, no, we won't revoke just because the web host asks, we only revoke on compromise.
I'm guessing Digicert also said, by way of clarification, that one thing that would cause them to revoke certs is the private key being disclosed.
At which point Trustico's CEO decided to EMAIL 23,000 CUSTOMER PRIVATE KEYS to Digicert, apparently in order to trigger that clause.
Turns out Trustico has an online private key generator, and probably logged all the customer private keys generated that way.
Digicert reached out to the Mozilla security policy list for help managing a massive revocation, and also emailed all Trustico customers as a
heads up.
heads up.
Then Trustico responds angrily to the list objecting to this being called a "compromise", and calls Digicert's email "absolutely defamatory."
Oh, correction, Trustico isn't a web host, they're an SSL reseller.
OH IT GETS BETTER. Trustico confirms they store the keys they generate for customers so that they can revoke them: trustico.com/news/2018/syma…
This is, to be clear, not standard practice. The reason it works for revocation is that it's proof the key is _already_ compromised.
Part 3: Trustico's website is down, shortly after this extremely easy security hole (shell injection) in their order form made the rounds:
Anyone entering crafted input had full access to their live server. Speculation is that someone took pity on their customers, and injected a `shutdown -h now`.
So, here's the Internet Archive link to Trustico's statement last night about why they wanted the certificates revoked: web.archive.org/web/2018030101…
