Trustico States They Stored Private Keys for Customers' SSL Certificates

Faybert

Jan 8, 2017
Trustico, a reseller of SSL certificates, has stated that it stored the private keys of some of the SSL certificates it issued to its customers over the past years. This came in the form of a statement Trustico posted on its website late last night.

Prior to the announcement, DigiCert and several security researchers implied that Trustico might have broken industry standards and the client-CA trust relationship by storing private keys for the SSL certificates it helped broker.

Only customers (site owners) should have access to an SSL certificate's private key. This is because anyone with a copy of the private key can impersonate a site's HTTPS connection or decrypt logged or real-time traffic meant for that site.
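The defensive counterpart to the point above is that a reseller or CA never needs the private key at all: the site owner generates the key locally and hands over only a certificate signing request, then checks that the certificate that comes back matches the key held locally. The script below is an added example (not from the article or from Trustico/DigiCert) and assumes a standard `openssl` binary; the hostname used in the test is constructed.

```shell
#!/bin/sh
# Generate the private key on the site owner's machine and build a CSR from it.
# Only the .csr file is ever sent to the reseller/CA; the .key file stays local.
set -eu

gen_key_and_csr() {
  # $1 = output directory, $2 = hostname for the certificate subject
  dir="$1"; host="$2"
  mkdir -p "$dir"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/$host.key" 2>/dev/null
  chmod 600 "$dir/$host.key"          # key is readable by the owner only
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
    -out "$dir/$host.csr" 2>/dev/null
}

# SHA-256 of a DER-encoded public key read from stdin (PEM in).
_pub_fingerprint() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Compare the public key inside a CSR or an issued certificate with the local
# private key. Prints "match" or "mismatch". A mismatch on the returned
# certificate means it was not issued for the key you generated.
pubkey_matches() {
  # $1 = private key file, $2 = CSR (*.csr) or certificate (anything else, PEM)
  key_fp=$(openssl pkey -in "$1" -pubout 2>/dev/null | _pub_fingerprint)
  case "$2" in
    *.csr) obj_fp=$(openssl req -in "$2" -pubkey -noout 2>/dev/null | _pub_fingerprint) ;;
    *)     obj_fp=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | _pub_fingerprint) ;;
  esac
  if [ -n "$key_fp" ] && [ "$key_fp" = "$obj_fp" ]; then
    echo match
  else
    echo mismatch
  fi
}
```

Run `gen_key_and_csr ./out www.example.test`, submit `out/www.example.test.csr`, and when the certificate arrives run `pubkey_matches out/www.example.test.key cert.pem` before installing it.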

upnorth

Jul 27, 2015
Quote : " the story short, Trustico wanted to move all its customers from Symantec's soon-to-be-distrusted infrastructure to Comodo certificates. It asked DigiCert —now in charge of Symantec's old SSL infrastructure— to mass-revoke 50,000 certificates. DigiCert declined, saying that only end-customers, and not the reseller, can initiate a revocation.

DigiCert said the only way Trustico would be able to mass-revoke so many certificates without client approval would be if the certificates were compromised. Trustico then sent the private keys of over 23,000 customers via email to DigiCert —effectively compromising the security and privacy of those certificates, triggering yesterday's mass-revocation. "

Source : Trustico States They Stored Private Keys for Customers' SSL Certificates
Deleted member 65228

What on earth?

Year after year we have so many scenarios regarding security breaches, lack of security and misinformation for security practices. Companies seem to be making the same mistakes as others constantly, or meeting brand new expectations for idiocy. Does nobody ever learn anything?

TLDR; don't use Trustico to obtain a code signing certificate.