23000 HTTPS Private Keys were compromised by Trustico

The Customers of Trustico have been informed about a major security issue when the CEO of the company has sent 23,000 private HTTPS keys in an Email to a partner of the company. Those private keys are meant to be kept secret and should never be archived by the resellers but when the Company’s Chief was able to attach more than 20K is raising concerns among the customers.

Although some critics are implying that Trustico emailed the keys in an attempt to lure customers with Comodo issued certificates moving from the Symantec issued certificates, In a statement, Trustico officials said that keys were recovered from the “Cold Storage”(Offline Storage) systems.

“Trustico allows customers to generate a Certificate Signing Request and Private Key during the ordering process,” the statement read. “These Private Keys are stored in cold storage, for the purpose of revocation.”

Under the requirements of Issuance and Management of Publicly-Trusted Certificates, resellers aren’t permitted to archive the private keys of the customers although Symantec is the company that needs to make sure these kinds of violations doesn’t occur. In a real-world scenario, there is no possible way for Symantec to detect this violation.

According to DigiCert’s Chief Product Officer Jeremy Rowley, all the 23,000 Keys must be revoked and the customers needed to be supplied with the new keys. As a standard security practice for a Certificate Authority, the company cannot have the keys in their possession. There are additional certificates the reseller requested to have revoked, but DigiCert has decided to disregard that request until we receive proof of compromise or more information about the cause of this incident.

Finally, Trustico website has gone down after a Security Researcher posted a critical flaw that could allow customers to validate certificates to check if their private keys are properly installed on their websites which allowed the attackers to run malicious code on Trustico servers with ROOT Privileges.

Take your time to comment on this article.

Sources:

Register, ArsTechnica, ZDNet

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil