
Revocation of 50 thousand DigiCert certificates
In early February, Trustico, a reseller of DigiCert SSL certificates, requested (without explanation) the revocation of all certificates issued through Trustico.
The investigation revealed a monstrous disregard for security rules:
- the reseller (in violation of the rules) kept copies of the certificates' private keys, which in essence means the reseller itself compromised those certificates;
- the users knew nothing about this;
- the web service used scripts belonging to third-party companies, including advertising services, in the certificate issuance flow;
- Trustico's official site contained a vulnerability that allowed arbitrary code to be executed on the server with root privileges (the researcher who discovered the problem says the necessary information was found in open sources);
- other researchers who took advantage of this vulnerability could not reach the archive of Trustico clients' private keys, but did find the private key for the *.trustico.com domain certificate on the compromised server;
- instead of acknowledging the problems, Trustico tried to deny even possessing private keys, which is pointless, since before that it had sent these client private keys to DigiCert as evidence of the need to reissue the certificates. There is a clear wish to hush up and hide the incident by any means in the hope that this time it would blow over. It did not.
This incident is likely to have a significant impact on the industry. Obviously, the principles governing how certification authorities interact with resellers need to be reviewed, and it is worth considering tougher requirements for resellers. A "security seller" whose site has an input field that lets you enter arbitrary shell commands executed on the server with superuser privileges is nonsense.