Customers of a UK-based SSL certificate reseller have been told abruptly that their certs will be revoked today due to security concerns, after a feud between the firm and DigiCert.
The revocation of a whopping 23,000 certificates by the root certificate authority (CA) will leave countless businesses high and dry and means that visitors to the associated websites will be met with a security warning saying the site cannot be trusted.
The two parties have told conflicting versions of events, which revolve around Trustico, a UK reseller of Symantec group certificates, including GeoTrust, Thawte, and RapidSSL. DigiCert bought the ailing business from the security giant last August.
DigiCert chief product officer, Jeremy Rowley, alleged in a post on Wednesday that the reseller initially made contact in early February ordering a mass revocation of 50,000 certificates, claiming it held the private keys and that the certs had been compromised.
Given the large number of certificates involved, DigiCert said it demanded that “the subscriber must confirm the revocation request or there must be evidence of the private key compromise.”
“On 2/27/2018, at my request for proof of compromise, we received a file with 23k private keys matched to specific Trustico customers. This definitely triggered our 24-hour revocation processing requirement under 4.9.1.1.3. Once we received the keys, we confirmed that these were indeed the matching private keys for the reported certificates. We will be revoking these certificates today (February 28th, 2018),” Rowley continued.
“At this time, Trustico has not provided any information about how these certificates were compromised or how they acquired the private keys. As is standard practice for a Certificate Authority, DigiCert never had possession of these private keys.”
However, Trustico has hit back.
General manager, Zane Lucas, argued that the private keys were never compromised, and it never told DigiCert they were.
“During our many discussions over the past week we put it to you that we believe Symantec to have operated our account in a manner whereby it had been compromised. Your usage of the word compromise has been twisted by you to your benefit and is absolutely defamatory,” he continued.
“We believe the orders placed via our Symantec account were at risk and were poorly managed. We have been questioning Symantec without response as to concerning items for about a year. Symantec simply ignored our concerns and appeared to bury them under the next issue that arose.”
Lucas claimed Trustico was so concerned about “various reckless issues” that it stopped offering Symantec brands in early February. Its contract was then terminated on February 25 by DigiCert “after we put to you that we intended to seek a legal opinion in respect to the operation of our account and security concerns.”
Lucas did admit, however, that the plan the firm had to replace all affected customers’ SSL certs “failed to perform this function” and the firm “ended up in quite a mess.”
Aside from the bickering between the two companies, commentators on Twitter have suggested the real concern is that the reseller appeared to have copies of customers’ private keys and then emailed them.
“People seem to be burying the lead with the @MrTrustico mass certificate revocation. Trustico was storing private keys for it's customers (something it never should have had, let alone stored,). That's not how CA's are supposed to work,” said @MalwareJake.
“With the private key, the CA can absolutely impersonate you.”
Nick Hunter, senior technical manager at certificate security firm Venafi, added that snafus like this are more likely to happen when organizations allow a third party to manage their keys.
“Organizations need to perform immediate risk assessments of their key and certificate management program, from issuance to revocation — and this incident proves why,” he added. “The only way to protect yourself from these kinds of situations is to control key generation yourself using an automated, centralized key management solution.”
The remaining 27,000 certificates have yet to be revoked by DigiCert.