The security of tens of thousands of websites is in question after the CEO of a company that sells HTTPS certificates included the private keys for 23,000 customers in an email—an apparent attempt to force a revocation of the customers’ certificates.
HTTPS certificates form the foundation of the encrypted web. Issued to website operators by trusted certificate authorities, certificates are necessary to form an encrypted connection between your browser and the website you’re visiting—and that encrypted connection protects sensitive data you might share with the website, like a password or credit card details. Each certificate has a public key, which it sends to your browser to initiate an encrypted connection, and a private key, which needs to stay private.
It’s a delicate ecosystem, and private keys are generally only supposed to be accessible to the site owner—which is why it’s absolutely bizarre for the CEO of a company that sells certificates to not only have access to customers’ private keys, but to email them around willy-nilly. It’s as if someone at the DMV somehow got access to 23,000 people’s Social Security numbers and decided to email them to one of their drinking buddies.
The rogue emailer in this case is the CEO of Trustico, a vendor that re-sells certificates issued by two authorities, Comodo and Symantec. The private keys were emailed to Jeremy Rowley, an executive vice president at the certificate authority DigiCert. DigiCert recently acquired Symantec’s certificate business after Symantec was found to be violating industry standards and Chrome announced that it would distrust Symantec’s certificates.
Rowley detailed the exchange with Trustico on a mailing list. Trustico emailed DigiCert in early February, Rowley said, requesting that all of its customers’ certificates be revoked—a signal that the certificates shouldn’t be trusted by browsers. DigiCert’s policy is to only revoke certificates if there is evidence that they’ve been compromised, or if a website operator requests it.
“Later, the company shared with us that they held the private keys and the certificates were compromised, trying to trigger the [Baseline Requirement]’s 24-hour revocation requirement. However, we insisted that the subscriber must confirm the revocation request or there must be evidence of the private key compromise,” Rowley wrote. On February 27th, Rowley asked Trustico to back up its claim that its customers’ certificates had been compromised.
Trustico responded with a file containing “23k private keys matched to specific Trustico customers,” Rowley said. Exposing the private keys in an email compromised the certificates, prompting DigiCert to revoke them.
“We believe the orders placed via our Symantec account were at risk and were poorly managed. In good conscience we decided it wasn’t ideal to have any active SSL Certificates on the Symantec systems, nor any that didn’t meet our stringent security requirements,” Trustico said in a statement.
Re-sellers like Trustico aren’t supposed to maintain customers’ private keys at all, raising questions about how the company obtained them. “Trustico has not provided any information about how these certificates were compromised or how they acquired the private keys,” Rowley wrote.
Trustico later claimed that it wanted its customers’ certificates revoked because of Chrome’s upcoming plan to distrust Symantec certificates. “Trustico has suggested that this revocation is due to the upcoming Google Chrome distrust of Symantec roots. That is incorrect. We want to make it clear that the certificates needed to be revoked because Trustico sent us the private keys; this has nothing to do with future potential distrust dates,” DigiCert said in a statement. In its own statement, Trustico claimed it had pulled the private keys from “cold storage.”
Resellers like Trustico aren’t held to the same security standards as certificate authorities, Chrome engineer Ryan Sleevi explained on Twitter. “Many seem to assume it’s like selling fidget spinners—easy profit off easy marks—without appreciating the responsibility it brings,” he said. “You see a proliferation of Resellers, in their quest to ‘make it easy,’ do all sorts of terrible things—such as generate the key themselves, or encourage customers to send their keys to them. They have no incentives for good security—just for making sales.”