As a part of our emerging series of reviews on junk with “trust” in its name, as well as those on large-scale X.509 screw-ups, here are the news: Trustico compromised 23 thousand of private keys for X.509 certificates; then compromised them again, and a few more times, until it went public; then blamed DigiCert; then removed that statement.
X.509 PKI is a mess that relies on certificate authorities, which encourages shady schemes and doesn’t work well, yet it’s the best we’ve got so far with a wide adoption. Many CAs take payments for the minuscule calculations they have to perform in order to issue a certificate, sometimes adding an “insurance” that doesn’t quite mean what one may think it means (see also: Using Tor hidden services). It’s pretty bad as it is, but some go further and resell those certificates: they still have to get issued by a CA, of course, but a middleman finds its place even there somehow. It may look ridiculous, but so does every tiny bit of their website, so at least it matches.
Now, what they did is approximately the following, as summed up by Dan Goodin on Ars Technica, by Geoffrey Thomas on Twitter, and throwing in a reddit thread:
- Made a system featuring, among other things, shell command execution as root on their servers, a lot of marketing crap, and calling X.509 “SSL”.
- Have set high prices and added more of marketing bullshit, because it’s not possible to write all that at once without taking a laughing break, and probably consulting a lawyer. The main page alone is hard to read in one go: if you’re used to ditching bullshit, it’s very tempting to close it after every sentence.
- Lured the clients (“suckers”, as they are called in the industry) in.
- Collected user private keys, which they shouldn’t even have ever accessed. Granted, the users had to be unfamiliar with how it all works in order to hand their keys to Trustico (or generate them with it), but that’s also a prerequirement for choosing something like Trustico, so the coverage was high. That’s basically MitMing the users, as some companies like to do.
- Sent those keys by email, apparently intentionally compromising them in an attempt to revoke, and to switch to a different CA (from Symantec to Comodo).
- Saw a DigiCert statement, wrote their own statement, claiming that DigiCert asked them to send the private keys (there’s even something that looks like a quotation).
- Removed their own statement, serving an “error page” with prices instead.
Apparently switching from Symantec is caused by Google accusing Symantec of continuous certificate misissuance. Google shouldn’t be in charge of trusted CA certificate distribution, but web browsers can choose where they read trusted CA certificates from, so they can also choose to ship those, and to take control over a large chunk of the infrastructure, but it’s out of scope of this article. Comodo also has a history of screw-ups (and does extensive marketing, of course), but they aren’t getting distrusted yet.
While this system is awkward and broken on virtually every level, they manage to squeeze new levels, and both defraud the users and compromise their keys inside those. Pretty creative, but too bad that most of secure data transfer depends on something so stunningly moronic.
It actually gets tiresome to cover even large-scale screw-ups of (and/or user data abuse by) security-themed companies, since they happen so often: apparently the responsibility, including that for security, is most easily taken either by the entities that are irresponsible and/or clueless, or simply as a scam.