On Tuesday, the CEO of UK certificate reseller Trustico decided to settle an argument with Digicert executive VP Jeremy Rowley by emailing him the private keys for 23,000 TLS certificates that had been issued by Symantec’s disgraced Certificate Authority, to prove they had been compromised.
Symantec was once one of the internet’s leading Certificate Authorities, empowered to issue the cryptographic credentials that secure HTTPS browser sessions and other private communications. They were caught in a series of grievous security shortcomings, thanks to the Certificate Transparency system, which captures and displays nearly every certificate seen in the wild, producing incontrovertible evidence of cheating and incompetence.
Digicert inherited Symantec’s Certificate Authority business; Trustico was once a reseller for Symantec and had issued 50,000 Symantec certificates that Trustico claimed had been compromised (Trustico is not a Digicert reseller; if the certificates were revoked, Digicert could get 50,000 new paydays by selling certificates from one of its other suppliers). Digicert’s Rowley doubted this, so Trustico’s CEO just emailed him the private keys.
Certificate Authorities are not permitted to retain these keys. Trustico says it kept them in “cold storage,” a meaningless buzzphrase that in no way excuses a major breach of its duty as a reseller for a Certificate Authority.
Trustico’s website went offline shortly after the news of this protocol breach broke; a researcher revealed a serious security flaw in the site that would let attackers gain root privileges on Trustico’s servers and execute arbitrary code.
Prior to the introduction of Certificate Transparency, many security researchers had voiced concern that the practices of Certificate Authorities were inadequately scrutinized and ripe for abuse. Since so much of the internet’s security depends on CAs behaving themselves, and since a single rogue CA could compromise any session or communication, bad conduct among CAs presented a nearly infinite risk to the security of the internet and its users.
“During our many discussions over the past week we put it to you that we believe Symantec to have operated our account in a manner whereby it had been compromised,” the Trustico officials wrote. They continued: “We believe the orders placed via our Symantec account were at risk and were poorly managed. We have been questioning Symantec without response as to concerning items for about a year. Symantec simply ignored our concerns and appeared to bury them under the next issue that arose.”
23,000 HTTPS certificates axed after CEO emails private keys [Dan Goodin/Ars Technica]