Trustico, a reseller of SSL certificates, has stated that it stored the private keys of some of the SSL certificates it issued to its customers over the past years. The admission came in a statement Trustico posted on its website late last night.
Prior to the announcement, DigiCert and several security researchers implied that Trustico might have broken industry standards and the client-CA trust relationship by storing private keys for the SSL certificates it helped broker.
Only customers (site owners) should have access to an SSL certificate's private key, because anyone holding a copy of the private key can impersonate the site's HTTPS endpoint or decrypt logged or real-time traffic meant for that site.
With the private key you can decrypt the traffic by MITM proxy the traffic (by presenting in middle with the private key) so this looks like it fundamentally broke security for a lot of orgs. I think there’s a can of worms here. We only knew ‘cos CEO messed up.— Kevin Beaumont (@GossiTheDog) February 28, 2018
There is no evidence that Trustico ever abused these private keys. The common belief is that Trustico logged the private keys via a tool it offered on its site to automate the SSL certificate issuance process.
Trustico published its statement as part of an argument with DigiCert. A timeline of events is available in our previous coverage here.
To put it briefly, Trustico wanted to move all its customers from Symantec's soon-to-be-distrusted infrastructure to Comodo certificates. It asked DigiCert, now in charge of Symantec's old SSL infrastructure, to mass-revoke 50,000 certificates. DigiCert declined, saying that only end customers, not the reseller, can initiate a revocation.
DigiCert said the only way Trustico could mass-revoke so many certificates without client approval would be if the certificates were compromised. Trustico then sent the private keys of over 23,000 customers to DigiCert by email, effectively compromising the security and privacy of those certificates and triggering yesterday's mass revocation.
Emailing its customers' private keys to DigiCert so it could move them to a new Certificate Authority's (CA) infrastructure has not gone over well with the CA community.
The amazing thing is the private keys don’t even have a password on them. Why would a security and certificate company store these. Without passwords. And then email them to another company. It’s really, uh, yeah - somebody had a bad day. pic.twitter.com/XYctJyYEFb— Kevin Beaumont (@GossiTheDog) February 28, 2018
"To arrive at the conclusion that Trustico have been anything other than grossly negligent here is rather difficult," said Scott Helme, an information security consultant and an expert in the CA domain.
"Generation, storage and the apparent ease and willingness to further compromise the keys are all outrageously inappropriate," he added. "They could have trivially proven ownership of those keys without the need to zip 24k+ of them and send them via email. If these actions were motivated by business/politics as some suggest, it'd be ironic if their actions resulted in their removal as a reseller."
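Helme's point that Trustico could have proven it held the keys without sending them anywhere is worth seeing in code. The following is an added example, not code from the article or from any of the parties involved: a challenge-signature proof of possession in Go, where the subscriber signs a random nonce chosen by the CA and the CA verifies that signature against the public key already in the certificate it issued. The hostname and the self-signed certificate are constructed stand-ins for a real CA-issued certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProvePossession signs the CA's random challenge with the subscriber's key.
// Only the signature goes back to the CA; the private key never leaves the holder.
func ProvePossession(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// VerifyPossession checks the signature with the public key already embedded in
// the certificate the CA issued, so the CA needs no key material at all.
func VerifyPossession(cert *x509.Certificate, nonce, sig []byte) error {
	return cert.CheckSignature(x509.PureEd25519, nonce, sig)
}

// demoCert self-signs a throwaway certificate (a constructed stand-in for the CA-issued one) so the example runs offline.
func demoCert(pub ed25519.PublicKey, priv ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.invalid"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Run plays both sides: the genuine key holder passes, a different key fails.
func Run() (holderOK, otherOK bool) {
	pub, holder, _ := ed25519.GenerateKey(rand.Reader)
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	cert := demoCert(pub, holder)
	nonce := make([]byte, 32) // the CA picks a fresh random challenge per request
	rand.Read(nonce)
	holderOK = VerifyPossession(cert, nonce, ProvePossession(holder, nonce)) == nil
	otherOK = VerifyPossession(cert, nonce, ProvePossession(other, nonce)) == nil
	return holderOK, otherOK
}

func main() { fmt.Println(Run()) } // prints: true false
```

Because the nonce is fresh per request, a captured signature cannot be replayed for a later challenge, and the CA ends up holding nothing it did not already have.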
DigiCert reported the revocation incident on the Mozilla security mailing list, which is often used to discuss affairs of the CA/Browser Forum, the organization that sets and enforces the rules of the SSL/HTTPS industry. Members of this mailing list had concerns regarding Trustico's access to the private keys.
"Trustico doesn't seem to provide any hosting or CDN services that would make use of the private key, nor do they appear to explicitly inform users about the storage of this private key," said Eric Mill, Senior Advisor at the U.S. General Services Administration's Technology Transformation Service, hinting that there was no apparent reason for Trustico to keep copies of the private keys.
"The storage of private keys appears to be done without the user's knowledge or consent," he added. "Given everything that's known, then regardless of who emailed whose customers when and why, I think it's clear that Trustico compromised those keys [...], and has been routinely compromising customer keys for years."
"Given that there's no evidence that Trustico [...] indicated any intent to change their business practices, then I believe it's appropriate for all CAs to immediately suspend or terminate their relationship with Trustico," Mill added.
Mill also gets into the details of how Trustico apparently compromised everyone's private keys:
Security researcher Kevin Beaumont has been looking through the list of compromised certificates and discovered that some of them were in use at organizations that require high security.
Beaumont says he found private keys for SSL certificates used to secure banking email servers just by looking at ten of the 23K now-revoked certificates.
Another one - the first certificate I looked at, where DigiCert now have the private key (ie it’s compromised) was a government banking email server, the certificate protecting the encryption of their email. So... TrustIco had that private key, w/o even a password, for XYZ years.— Kevin Beaumont (@GossiTheDog) February 28, 2018
Trustico have some big customers, eg Equifax, so this is going to have some interesting implications.— Kevin Beaumont (@GossiTheDog) February 28, 2018
In the end, Trustico was entitled, and had the contractual right, to change its SSL certificate reselling partner from DigiCert to Comodo because of Symantec's past security issues. The community's main concern is how it went about doing so.
Sending the private keys, and forcing thousands of clients to reconfigure their sites, possibly at a cost to their businesses, may not have been a good idea.