DISCLAIMER: Integris is a DigiCert partner. The views expressed in this article focus on Trustico's poor security practices rather than on any business relationship we might have with DigiCert.
In mid-February, Trustico made a power play in a fight with DigiCert that forced the website security powerhouse to revoke 23,000 HTTPS certificates. Not only did it cause a major headache for the 23,000 certificate holders and for DigiCert, it also revealed just how underhanded and insecure Trustico's business practices are.
We don't ultimately know what caused the relationship between DigiCert and Trustico to deteriorate. We can speculate that it began as a result of browsers such as Google Chrome and Mozilla Firefox rejecting Symantec-branded (and DigiCert-issued) certificates, leading Trustico to favor certificates issued by Comodo instead.
The rejection of Symantec-branded certificates by Google and Mozilla was not unexpected. Both had previously announced that in 2018 they would stop trusting Symantec-branded certificates issued before June 1st, 2016.
Google has also announced that it will distrust Symantec certificates altogether in a future Chrome release (version 70, due out later this year).
Trustico initially claimed that this browser change was what had caused the problems with its Symantec-branded certificates, and that it was the main reason Trustico wanted DigiCert to revoke 50,000 SSL certificates. Only later did it change its tune and say the certificates were "compromised."
Ars Technica speculates (and I agree) (https://arstechnica.com/information-technology/2018/03/23000-https-certificates-axed-after-ceo-e-mails-private-keys/) that Trustico tried to get 50,000 SSL certificates revoked en masse by DigiCert so that it could turn around and issue brand-new Comodo certificates to its customers instead.
Jeremy Rowley, a VP at DigiCert, agreed with that speculation in a statement posted to the mozilla.dev.security.policy Google Group. Rowley said the 23,000 private keys were emailed to him after he had told Trustico's CEO that DigiCert would not revoke the certificates without evidence that they had been compromised.
Rowley said Trustico shared the 23,000 private keys with DigiCert to trigger the CA/Browser Forum Baseline Requirements' rule that a CA must revoke a certificate within 24 hours of learning its private key has been compromised (https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/wxX4Yv0E3Mk).
Rowley said that ultimately it didn't matter whether or not the 50,000 certificates had been compromised at the start. Once Trustico's CEO emailed over private keys for 23,000 of them, those keys were compromised by definition, and DigiCert had no choice but to revoke the matching certificates.
Trustico says it held on to customers' private keys in case a certificate needed to be revoked. That justification does not hold up: a CA revokes a certificate by its serial number and never needs the private key to do so. Trustico also says all of those keys were kept in "cold storage" (typically meaning storage that is not connected to the internet). This is where things start to get hairy, and it makes our skin crawl.
What does it matter if Trustico stored private keys or not?
Let's get into how SSL/TLS certificate keys work. Every certificate is tied to a key pair: a public key and a private key. The public key is embedded in the certificate itself, which the server hands to every visitor. The private key is stored (securely) on the server; it is never sent to anyone and must be kept secret.
When someone visits your website, the private key is what lets the server prove it really is the site named in the certificate. During the TLS handshake the server either signs the handshake with the private key or, with the older RSA key exchange, uses it to decrypt a session key that the browser encrypted with the public key from the certificate. Everything the visitor then sends, including a form full of personal information (PII), is encrypted under that per-session key, which keeps the PII safe from prying eyes and professional snoops.
Whoever holds the private key can therefore impersonate the site to any visitor and, for sessions that used RSA key exchange, decrypt captured traffic. Without the private key, an attacker gets neither. That is why the only party that is supposed to have the private key is the owner of the certificate.
By keeping those private keys, Trustico violated a fundamental security best practice. Whether or not the keys were in "cold storage," the very fact that a third party held copies means there was a chance they could be compromised, and a copy that exists can always be exported, as the emailed keys proved.
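The customer-side workflow that avoids handing anyone a copy of the private key, shown here as an added example using the openssl command line (this is not code from the original article, nor Trustico's or DigiCert's tooling; "example.com" is a placeholder subject, and the self-signing step stands in for a real CA so that everything runs offline): generate the key pair locally, give the CA or reseller only a certificate signing request (CSR), which carries the public key and nothing secret, and when the certificate comes back verify that the public key inside it matches your private key.

```shell
#!/bin/sh
# Added example: keep the private key on your own host, send only a CSR,
# and check that the issued certificate really belongs to your key.
# Requires the openssl CLI. Runs in a scratch directory; "example.com" is
# a placeholder hostname.
set -eu

WORK=$(mktemp -d)

# 1. Generate the key pair yourself. The private key never leaves this host.
#    A reseller's web form that "generates the key for you" is exactly how a
#    reseller ends up holding customer private keys.
# 2. Build a CSR from it. The CSR contains the subject and the PUBLIC key
#    only; it is the only artifact a CA or reseller needs from you.
gen_key_and_csr() {
    name=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$name.key" 2>/dev/null
    chmod 600 "$WORK/$name.key"
    openssl req -new -key "$WORK/$name.key" -subj "/CN=example.com" \
        -out "$WORK/$name.csr" 2>/dev/null
}

# 3. When the certificate arrives, confirm it was issued for YOUR key: the
#    SubjectPublicKeyInfo in the cert must equal the public half derived from
#    the private key. Compare SHA-256 fingerprints of the DER encodings.
#    Returns 0 on match, 1 on mismatch (or if either file is unreadable).
key_matches_cert() {
    key=$1; cert=$2
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 4. Sanity check before sending the CSR anywhere: it must not contain a
#    private-key block. Returns 0 if no "PRIVATE KEY" marker is present.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$1"
}

demo() {
    gen_key_and_csr server
    # Stand-in for the CA: self-sign the CSR so the check can run offline.
    # A real CA signs with its own key, but the subject public key placed in
    # the issued certificate is still the one taken from the CSR.
    openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -days 1 -out "$WORK/server.crt" 2>/dev/null

    # An unrelated key models a certificate issued for a key you do not
    # hold, e.g. one generated on somebody else's server.
    gen_key_and_csr other

    csr_has_no_private_key "$WORK/server.csr"
    key_matches_cert "$WORK/server.key" "$WORK/server.crt"
    if key_matches_cert "$WORK/other.key" "$WORK/server.crt"; then
        echo "unexpected: unrelated key matched the certificate" >&2
        return 1
    fi
    echo "ok: key stayed local, CSR carries no private material, cert matches our key"
}

demo
```

The same fingerprint comparison is the check to run after any reissue: if a reseller replaces a revoked certificate, pair the new certificate with a freshly generated key rather than re-using one that a third party has already handled, and confirm the match before deploying it.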
On top of that, the 23,000 private keys were sent to Rowley by email. Email! I don't think we need to get into how insecure and irresponsible that is from a security standpoint: mail transits and is retained on servers the sender does not control, so a private key sent that way has to be treated as compromised from that moment on.
Add these things together and you get an excellent idea of how important (or rather, unimportant) security is to Trustico. Quite frankly, we wouldn't be caught even looking in their general direction, let alone consider doing business with them. They have only their own best interests at heart, not the security of their customers.