On Tuesday, the CEO of UK certificate reseller Trustico decided to
settle an argument with Digicert executive VP Jeremy Rowley by emailing
him the private keys for 23,000 TLS certificates that had been issued by
Symantec’s disgraced Certificate Authority, to prove they had been
compromised.
Symantec was once one of the internet’s leading Certificate Authorities,
empowered to issue the cryptographic credentials that secure HTTPS
browser sessions and other private communications. It was caught in a
series of grievous security shortcomings, thanks to the Certificate
Transparency system, which captures and displays nearly every
certificate seen in the wild, producing incontrovertible evidence of
cheating and incompetence.
Digicert inherited Symantec’s Certificate Authority business; Trustico
was once a reseller for Symantec and had issued 50,000 Symantec
certificates that Trustico claimed had been compromised (Trustico is
not a Digicert reseller; if the certificates were revoked, Digicert
could get 50,000 new paydays by selling certificates from one of its
other suppliers). Digicert’s Rowley doubted this, so Trustico’s CEO just
emailed him the private keys.
Certificate Authorities are not permitted to retain these keys. Trustico
says it kept them in “cold storage,” a meaningless buzzphrase that in
no way excuses a major breach of its duty as a Certificate Authority.
Trustico’s website went offline shortly after the news of this protocol
breach broke; a researcher revealed a serious security flaw in the site
that would let attackers gain root privileges on Trustico’s servers and
execute arbitrary code.
Prior to the introduction of Certificate Transparency, many security
researchers had voiced concern that the practices of Certificate
Authorities were inadequately scrutinized and ripe for abuse. Since so
much of the internet’s security depends on CAs behaving themselves, and
since a single rogue CA could compromise any session or communication,
bad conduct among CAs presented a nearly infinite risk to the security
of the internet and its users.