Geoffrey Thomas @geofft, 15 tweets
Okay, this Trustico SSL certificate disaster looks _amazing._ As far as I can tell, the most likely story is:
Trustico, a web host, wanted to move their customers away from Symantec certs to Comodo, and wanted to force their customers to move by revoking their certs.
They asked Digicert (new owners of the Symantec root), who said, no, we won't revoke just because the web host asks, we only revoke on compromise.
I'm guessing Digicert also said, by way of clarification, that one thing that would cause them to revoke certs is the private key being disclosed.
At which point Trustico's CEO decided to EMAIL 23,000 CUSTOMER PRIVATE KEYS to Digicert, apparently in order to trigger that clause.
Turns out Trustico has an online private key generator, and probably logged all the customer private keys generated that way.
Digicert reached out to the Mozilla security policy list for help managing a massive revocation, and also emailed all Trustico customers as a heads up.
Then Trustico responds angrily to the list objecting to this being called a "compromise", and calls Digicert's email "absolutely defamatory."
Oh, correction, Trustico isn't a web host, they're an SSL reseller.
OH IT GETS BETTER. Trustico confirms they store the keys they generate for customers so that they can revoke them: trustico.com/news/2018/syma…
This is, to be clear, not standard practice. The reason it works for revocation is that it's proof the key is _already_ compromised.
Part 3: Trustico's website is down, shortly after this extremely easy security hole (shell injection) in their order form made the rounds:
Anyone entering crafted input had full access to their live server. Speculation is that someone took pity on their customers, and injected a `shutdown -h now`.
So, here's the Internet Archive link to Trustico's statement last night about why they wanted the certificates revoked: web.archive.org/web/2018030101…
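The order-form hole described in the thread (untrusted input reaching a shell) is worth seeing side by side with the fix. The following is an added example, not code from the thread or from Trustico: a hypothetical order-form handler that splices a customer-supplied common name into an `openssl` command string, beside a hardened version that validates the name against a hostname allow-list and passes an argument list to `subprocess` so no shell ever parses it. The sample inputs are constructed; the command shape, file names and function names are assumptions. The hardened handler still generates the key server-side only to mirror the form in question; as the thread notes, the standard design is for the customer to generate the key locally and submit only a CSR.

```python
import re
import shlex
import subprocess

# Constructed sample inputs (not from the thread): an ordinary hostname and a
# crafted value of the kind the thread describes being typed into the order form.
SAMPLE_INPUTS = [
    "example.com",
    "example.com; shutdown -h now",
]


def build_csr_command_unsafe(common_name: str) -> str:
    """Hypothetical, deliberately vulnerable handler (assumption, for contrast).

    The value is interpolated unquoted into a single string that the caller would
    hand to the shell (shell=True / os.system). The shell treats ';' as a command
    separator, so the second sample input terminates the openssl command and runs
    whatever follows. Quoting alone is not a fix: a quote character in the input
    breaks out of the quotes the same way.
    """
    return (
        "openssl req -new -newkey rsa:2048 -nodes "
        f"-subj /CN={common_name} -keyout key.pem -out csr.pem"
    )


# Allow-list for a DNS hostname: dot-separated labels of letters, digits and
# hyphens, no label starting or ending with '-', at least two labels, optional
# leading wildcard label. Anything else (spaces, ';', quotes, '$') is rejected.
HOSTNAME_RE = re.compile(
    r"^(\*\.)?(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def is_valid_hostname(value: str) -> bool:
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def build_csr_argv_safe(common_name: str) -> list[str]:
    """Hardened handler: validate first, then build an argv list.

    Two independent layers: the allow-list rejects the crafted value before any
    command is built, and the argv form means that even an unexpected value can
    only ever be one argument to openssl, never a second command.
    """
    if not is_valid_hostname(common_name):
        raise ValueError(f"rejected common name: {common_name!r}")
    return [
        "openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
        "-subj", f"/CN={common_name}", "-keyout", "key.pem", "-out", "csr.pem",
    ]


def run_csr_request(common_name: str) -> subprocess.CompletedProcess:
    # shell=False is the default; spelling it out documents the intent.
    return subprocess.run(build_csr_argv_safe(common_name), shell=False, check=True)


def classify(value: str) -> str:
    """Return 'accepted' or 'rejected' for a submitted common name."""
    return "accepted" if is_valid_hostname(value) else "rejected"


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(f"{value!r}: {classify(value)}")
        print("  unsafe command string:", build_csr_command_unsafe(value))
        try:
            print("  safe argv:", shlex.join(build_csr_argv_safe(value)))
        except ValueError as exc:
            print("  safe handler:", exc)
```

Running the block prints, for each sample, the string the unsafe handler would have handed to a shell and what the hardened handler does instead; nothing is executed, since `run_csr_request` is only called once you choose to. The allow-list check is also the thing to log: a rejected common name on an order form is a useful detection signal on its own.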