Strap in for this one: a bizarre mess in the world of security certificates has resulted in over 23,000 SSL certificates being revoked in one fell swoop, accusations of malpractice, and legal threats.
As to why the conflict started in the first place, we don’t exactly know.
Early Wednesday, thousands of customers began receiving emails from the security firm DigiCert saying their SSL certificates were being revoked because of a security compromise at Trustico.
Trustico, an SSL reseller, quickly and emphatically denied that any compromise took place. In response, DigiCert began posting numerous private keys — after the impacted certificates were changed — as proof of compromise.
Here’s the Wednesday morning email that started everything:
@digicert can you please explain the email I received from rapidssl/digicert blaming @MrTrustico for the revocation of my certs in 24hrs due to them reporting a compromise of the private keys? Where’s the proof of the report/breach? Why are you emailing me instead of trustico? pic.twitter.com/T6mBf1jbTO
— Mark (@mpag) February 28, 2018
After a strange and rapid sequence of events, Trustico’s management began subtly threatening defamation lawsuits while industry observers widely criticized their actions.
“A big element here is Trustico emailed 23,000 private certificates to another company,” security researcher Kevin Beaumont explained. “The whole certificate model is based around only the certificate owner — the customer — having the private key. So Trustico shouldn’t have even had the keys. It suggests the certificates have been exposed security-wise for some time, which defeats their purpose.”
Jeremy Rowley, a vice president at the security firm DigiCert, said Wednesday that Trustico asked for a mass revocation of all its customers’ certificates on the grounds that they were compromised. According to Rowley’s account, a back-and-forth between the two companies led Trustico to say it was holding all of its customers’ private keys.
“At my request for proof of compromise, we received a file with 23k private keys matched to specific Trustico customers,” Rowley said. “This definitely triggered our 24-hour revocation processing requirement under 18.104.22.168.3. Once we received the keys, we confirmed that these were indeed the matching private keys for the reported certificates. We will be revoking these certificates today (February 28th, 2018).”
SSL certificates serve to encrypt and secure connections to websites. When they are revoked, browsers recognize the site as insecure and often prevent users from visiting the site.
Zane Lucas, a general manager at Trustico, soon entered the discussion and denied Rowley’s version of events, including that any compromise took place. In an email to customers, Trustico blamed the upcoming Google Chrome distrust of Symantec root certificates and said Rowley’s post was “absolutely defamatory” and would be investigated by Trustico’s lawyers.
Lucas’s side of the story is pretty strange as it stands. His claim boils down to disliking Symantec so much that he was willing to quickly cripple his own company’s customers by revoking their certificates. It’s an absolute mess of a case that stems from Trustico looking to revoke Symantec SSL certificates because, Lucas claimed, Symantec cannot be trusted with security.
Later Wednesday, DigiCert released a statement reiterating that “this has nothing to do with future potential distrust dates” and “Trustico’s CEO indicated that Trustico held the private keys for those certificates, and then emailed us approximately 20,000 certificate private keys.”
Rowley then said he would soon post the private keys as proof. On Wednesday evening, he began doing just that.
If it’s true that Trustico held the private keys for its customers’ certificates, it means Trustico could decrypt those customers’ traffic. When anyone but the certificate owner has the private key, that is, by definition, a compromise.
What comes next is unclear. Although it’s obvious that a compromise did take place and Trustico was wrong to claim otherwise, it’s not known how this dispute started or whether the company behaved the way Rowley claims.
Trustico did not respond to a request for comment.
The story was updated to reflect that the compromise took place upon Trustico allegedly emailing private keys.