CERTainly a cock up

Written by:
Hyve
Date Posted:
2 March 2018
Category:
Security

There’s been a bit of a hoo ha about SSL certs this week. What happened is a bit complicated, so I’ll try and break it down.

tl;dr The CEO of an SSL reseller emailed 23,000 private keys and all those certs were revoked. D’oh.

OK, hunker down. Here we go.

Resellers
Picture the scene. Croydon. February. Cert flogger Trustico sold SSL/TLS certificates to website owners to encrypt their sites. Jolly good so far. They resold Symantec, GeoTrust, Thawte and RapidSSL (these are all owned by DigiCert).

So if you want a RapidSSL certificate, Trustico would happily sell you one.

CERTainly Not!

Jeremy Rowley, the Chief Product Officer for DigiCert, said that Trustico had fessed up in February that it had been compromised.

Private keys?
The techies at DigiCert asked him for more info about this blunder and the CEO thought it’d be cool just to email over a file with the private keys to 23,000 certificates. Oh no he didn’t! Oh yes he did.

DigiCert then invoked some rule or other about something to do with website security which meant all 23,000 certs had to be revoked because the CEO is a numpty (not the actual clause, but you get the gist).
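As an added illustration (not part of Hyve's post), here's the check that matters once a file of private keys turns up in someone else's inbox: does a key in it actually belong to an issued certificate? The Go below uses a constructed self-signed cert for example.test standing in for a CA-issued one; a match means that cert is compromised and has to be revoked and re-keyed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyMatchesCert reports whether priv is the private half of the public key in cert.
// A match for a key held by any third party means the key is compromised: revoke, re-key.
func keyMatchesCert(priv *rsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&priv.PublicKey) // false for non-RSA certs
}

// selfSignedCert builds a throwaway certificate for the demo (a real one is CA-issued,
// but the key comparison is identical).
func selfSignedCert(priv *rsa.PrivateKey, host string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// demo runs the check on constructed data: the key the cert was issued for
// (think: one from the emailed file) and an unrelated key. Returns (leaked, unrelated).
func demo() (bool, bool, error) {
	leaked, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, err := selfSignedCert(leaked, "example.test")
	if err != nil {
		return false, false, err
	}
	return keyMatchesCert(leaked, cert), keyMatchesCert(other, cert), nil
}

func main() {
	fmt.Println(demo()) // true false <nil>
}
```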

DigiCert then sent out urgent emails to all the RapidSSL buyers from Trustico telling them they had 24 hours to get a new cert or watch their online businesses crumble before their very eyes.

Trustico were jolly annoyed about all this. And Zane Lucas, who claims to be a product manager at the security-challenged reseller, moaned on a Mozilla security policy newsgroup about it all.

No approval
In what was clearly a bit of a rant, he snarled:
“We didn’t authorise DigiCert to contact our customers and we didn’t approve the content of their email”

Oh diddums.

He reckoned that there was nothing wrong with the certs. His CEO emailed the keys off, and it was at THAT point they were compromised. Chinny reckon.

Trustico have now offered their customers free certificates.

But would you trust them after this? I wouldn’t.
