Slashdot Mirror

← Back to Stories (view on slashdot.org)

23,000 HTTPS Certs Axed After CEO Emails Private Keys (arstechnica.com)

Posted by EditorDavid on from the see-attachments dept.

An anonymous reader quotes Ars Technica: A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates. The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec...

In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns. When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security... In a statement, Trustico officials said the keys were recovered from "cold storage," a term that typically refers to offline storage systems. "Trustico allows customers to generate a Certificate Signing Request and Private Key during the ordering process," the statement read. "These Private Keys are stored in cold storage, for the purpose of revocation."
"There's no indication the email was encrypted," reports Ars Technica, and the next day DigiCert sent emails to Trustico's 23,000+ customers warning that their certificates were being revoked, according to Bleeping Computer.

In a related development, Thursday Trustico's web site went offline, "shortly after a website security expert disclosed a critical vulnerability on Twitter that appeared to make it possible for outsiders to run malicious code on Trustico servers."

72 comments

  1. Bullet, Meet Foot by mentil · · Score: 1

    When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates

    Those certificates are DEFINITELY compromised now.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Bullet, Meet Foot by TechyImmigrant · · Score: 2

      When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates

      Those certificates are DEFINITELY compromised now.

      TFA seems to imply that he emailed the private keys in order to prove that they were compromised. Which seems like an appropriate thing to do.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re: Bullet, Meet Foot by Anonymous Coward · · Score: 0

      As per Slashdot rules, i have not read the article.

      Why the fuck did the CA have the Private Keys of these domains? You send the CSR to them, but keep the private key PRIVATE. That's the whole point!

    3. Re:Bullet, Meet Foot by mysidia · · Score: 1

      ... Which seems like an appropriate thing to do.

      No... it is NOT appropriate for a CA or a reseller of a CA to retain customers' private keys in the first place --- it is even MORESO inappropriate for a CA to deliberately extract and use in any manner for any purpose a customer's private key from "secure cold storage" without that customer's specific authorization.

      Basically this changed the situation from "There are security concerns related to this certificates", to --- This CA reseller deliberately compromised the security of their customer's certificates by appropriating their private keys during the ordering process and then later transmitting them insecurely over the internet.

    4. Re: Bullet, Meet Foot by dimko · · Score: 1

      because... managed SSL services. For people with more money than sense. In a nutshell, you pay them for that service and installation of SSL certs is now their business. Potentially maintenance too.

    5. Re:Bullet, Meet Foot by Nkwe · · Score: 4, Insightful

      When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates

      Those certificates are DEFINITELY compromised now.

      The first to shoot themselves in the foot would be anyone who doesn't generate their own private key when they purchase a certificate. The CA is only supposed to sign the public parts of your certificate, it is not supposed to ever have access to the private key. Letting your certificate vendor create a private key (and subsequently have access to it) is unwise and insecure.

    6. Re:Bullet, Meet Foot by Solandri · · Score: 1

      No... it is NOT appropriate for a CA or a reseller of a CA to retain customers' private keys in the first place

      I'm guessing that was the compromise Trustico was reporting. The private keys should've been deleted immediately after they were generated for the customer. But Trustico probably found during an audit that they hadn't been deleted and were still on their servers somewhere. Since they couldn't prove that those private keys hadn't been copied, they erred on the side of caution and declared them all compromised.

    7. Re: Bullet, Meet Foot by Anonymous Coward · · Score: 0

      What do you mean, more money than sense? SSL is a racket, whether you do it "properly" or not. The security is just not there for anything worth attacking. There are dozens of things that you can do and have to do that have only become available recently (but not universally) in order to close the biggest holes in the TLS scheme. For example, any CA can issue a certificate for your domain, even one where the CEO sends thousands of private keys by email. (By the way, that was the responsible thing to do. He could have just sat on the keys, knowing that the previous owners probably had a copy.) To prevent that, there is certificate pinning and CAA RRs. But wait: CAA RRs are an honor system. And in many scenarios, the private key is handed over to a third party anyway, because who really terminates TLS on their own web servers in their own building anymore? Nobody, that's who. There's CDNs, DDoS-mitigators, load balancers, and reverse proxies, and they all need to be in the unencrypted path to do their work. So someone handed over their private keys to a CA, which they have to trust anyway not to issue additional certificates. Boo hoo.

    8. Re:Bullet, Meet Foot by Anonymous Coward · · Score: 0

      Nope. They admitted that they store the keys intentionally specifically so they can revoke the certificates later without customer permission.

    9. Re:Bullet, Meet Foot by gweihir · · Score: 3, Insightful

      The level of stupidity expressed in this is staggering. I mean it is not only the fact that somebody with the least bit of clue would never email secret keys without protection, it also is that he could get them in the first place and do this. This means that DigiCert is completely compromised itself due to non-existing or easily bypassed security policies and should under no circumstances be trusted again.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Bullet, Meet Foot by thegarbz · · Score: 1

      Those certificates are DEFINITELY compromised now.

      Wrong analogy. Bullet meets foot implies that the action of the CEO achieved something other than what he was hoping. He wanted to revoke those certificates anyway, and when questioned whether they were compromised he compromised them.

      Nail meets coffin.

    11. Re: Bullet, Meet Foot by Anonymous Coward · · Score: 0

      But realistically, to do anything useful with someone's key you also need to control their dns. And if you control their dns you can recreate new certs anyways. I don't see the value of having those keys.

    12. Re:Bullet, Meet Foot by Shuntros · · Score: 2

      You do not need a private key to revoke a certificate. You need the certificate serial number.

      The issuer should NEVER set eyes on a private key which isn't theirs. If you want to make life easier for your customer, do it client-side with JavaScript and throw a PFX at them once the issuance has completed.

      It still stuns me how many in tech, even CAs, have such a poor understanding of how PKI works.

    13. Re: Bullet, Meet Foot by Anonymous Coward · · Score: 0

      Not true. You need the ability to influence the clients DNS. Access to their DNS server, even their hosts file etc.

    14. Re:Bullet, Meet Foot by mysidia · · Score: 1

      You do not need a private key to revoke a certificate. You need the certificate serial number.

      As a reseller, they wouldn't have any legal right to revoke the certificate without customer permission -- that should be an act of the CA.

      Notice how in the article that DigiCert Demanded Proof of the compromise?

      Hopefully now that this has happened: DigiCert will be more reluctant to permit this reseller in the future to have their own custom ordering process --- I would say they should suspend this reseller until they agree to a contract addendum that they will neither generate nor obtain or store private keys for customer certificates.

    15. Re:Bullet, Meet Foot by phantomfive · · Score: 1

      It makes you wonder how the CEO got the keys to begin with.

      --
      "First they came for the slanderers and i said nothing."
    16. Re:Bullet, Meet Foot by Anonymous Coward · · Score: 0

      If they weren't compromised then the CEO wouldn't even have those keys in the first place. The headline leads the reader to believe that the CEO was the one who compromised the keys, but in fact they were already compromised and the CEO sent those keys as proof that they needed to be revoked.

      When a site-owner requests a certificate he makes his own private keys and keeps them private. The certificate request sent to the CA (or reseller, in this case) is made using the public key, not the private one.

    17. Re:Bullet, Meet Foot by Megane · · Score: 1

      DigiCert didn't mail the private keys, Trustco's PHB did.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    18. Re: Bullet, Meet Foot by Anonymous Coward · · Score: 0

      un^Wlawfull interception. They can sell the keys to Government / "security" appliance vendors for completely transparent interception. They could claim immunity if anything happened by saying they were hacked or something.

      Second thing I do in any browser is UNTRUST EVERY FUCKING CA. First is install an adblock.

    19. Re:Bullet, Meet Foot by Anonymous Coward · · Score: 0

      Not so much, if you'd read the summary.

    20. Re:Bullet, Meet Foot by gweihir · · Score: 1

      Ah, sorry. Thanks for the correction. Then my statement applies to Trustco.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    21. Re:Bullet, Meet Foot by TechyImmigrant · · Score: 1

      >No... it is NOT appropriate for a CA or a reseller of a CA to retain customers' private keys in the first place

      Well that's not what I said, is it?

      Emailing the keys to someone is an appropriate way to prove to them that the keys have been compromised. Now go and be contrarian somewhere else.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    22. Re:Bullet, Meet Foot by modmans2ndcoming · · Score: 1

      ever here of secure file shares?

    23. Re:Bullet, Meet Foot by Anonymous Coward · · Score: 0

      Yes... and yet, this is perfectly normal. In my experience 99% of company employees, especially those is management and above, have no actual understanding of security.

    24. Re:Bullet, Meet Foot by FormOfActionBanana · · Score: 1

      I don't get the fuss. If they are compromised, they are compromised.

      --
      Take off every 'sig' !!
    25. Re: Bullet, Meet Foot by Anonymous Coward · · Score: 0

      Its in the summary just fyi, no need to read the article

    26. Re:Bullet, Meet Foot by Anonymous Coward · · Score: 0

      Emailing the keys to someone is an appropriate way to prove to them that the keys have been compromised.

      The keys are compromised for sure so its not inappropriate, but a better method might have been to sign something with the keys as proof instead. Though either way the keys are just as bad off. Now why did digicert only suspend 23k keys instead of the full 50k as was initially reported? digicert is in essence saying they must send all 50k keys before they'll suspend them.

    27. Re:Bullet, Meet Foot by Anonymous Coward · · Score: 0

      The first to shoot themselves in the foot would be anyone who doesn't generate their own private key when they purchase a certificate.

      On the one hand that is right and the correct thing to do. On the other hand you already trust Trustico to handle your certificates, so giving them access to a specific private key might not make matters worse as long as you don't use it for anything else - they don't need your private key to pretend to be you, they can just sign their own.

    28. Re: Bullet, Meet Foot by TheRaven64 · · Score: 1

      This is only true if the domain uses DNSSEC. Most laptops / phones trust whatever DNS server the access point that they're connected to tells them to use via DHCP. If you set up a malicious AP then you can return your own server address for the compromised domains. If you deploy malware that infects a few thousand vulnerable WiFi routers then you can do this on a large scale quite easily.

      --
      I am TheRaven on Soylent News
    29. Re:Bullet, Meet Foot by TechyImmigrant · · Score: 1

      Emailing the keys to someone is an appropriate way to prove to them that the keys have been compromised.

      The keys are compromised for sure so its not inappropriate, but a better method might have been to sign something with the keys as proof instead. Though either way the keys are just as bad off. Now why did digicert only suspend 23k keys instead of the full 50k as was initially reported? digicert is in essence saying they must send all 50k keys before they'll suspend them.

      My crystal ball isn't working today. It seems like a really bad idea to be a CA and have people's private keys on file. It seems like a bad idea to be taking people's word for it when you're in a position of issuing revocations. Not my CA. The real CA I set up (in a former job role) held onto nothing but its own keys and the cert list. Certs are needlessly complicated, but you can and should make the process as simple as possible.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    30. Re:Bullet, Meet Foot by mysidia · · Score: 1

      The keys are compromised for sure so its not inappropriate, but a better method might have been to sign something with the keys as proof instead.

      What they showed wasn't proof of the compromise the reseller had been claiming happened. What they showed was proof that the reseller had (IMPROPERLY and DELIBERATELY) retained customer private keys, WHICH IS INAPPROPRIATE --- and the reseller then literally compromised their keys (that might not have been compromised before) to "prove" it, which was ALSO highly inappropriate.

      why did digicert only suspend 23k keys instead of the full 50k as was initially reported?

      None of the keys are KNOWN compromised according to the reseller, Only suspected that they could have been, and ultimately it's the customer's decision how to proceed if there's merely a suspicion or belief ---- PROOF would have been obtaining compromised Keys through the flaw, not going to deliberately retained cold storage files and retrieving customer keys.

  2. That's Nothing by NicknameUnavailable · · Score: 1

    Sophos has a trusted root CA embedded in their enterprise firewalls which allows the firewall to launch man-in-the-middle attacks against clients to spy on them. That means all you have to do to launch a successful man-in-the-middle attack yourself against HTTPS traffic is to gut a Sophos firewall and find the private key embedded in it.

    1. Re:That's Nothing by Pinky's+Brain · · Score: 1

      They use the same key pair for every firewall?

    2. Re:That's Nothing by Nkwe · · Score: 1

      Sophos has a trusted root CA embedded in their enterprise firewalls which allows the firewall to launch man-in-the-middle attacks against clients to spy on them. That means all you have to do to launch a successful man-in-the-middle attack yourself against HTTPS traffic is to gut a Sophos firewall and find the private key embedded in it.

      You would have to install the root cert certificate from the firewall CA into all your clients for that to work. In an enterprise if you want to sniff HTTPS traffic, you may chose to do this (since in an enterprise you control the client machines), but as soon as you chose to do this, you open up huge security holes.

    3. Re:That's Nothing by NicknameUnavailable · · Score: 1

      They use a keypair that's embedded into all the major browsers as a trusted root CA - so chances are yeah.

    4. Re:That's Nothing by NicknameUnavailable · · Score: 1

      Nope, it's included in all the major browsers (I only noticed it after installing a privacy-geared browser far from the mainstream which didn't include the bundled root CAs for Sophos.)

    5. Re:That's Nothing by BlueUnderwear · · Score: 1

      Does anybody know which root CA this is? So that I can mark it "untrusted" locally in my Firefox.

      --
      Say no to software patents.
    6. Re: That's Nothing by orbit500 · · Score: 1

      Thatâ(TM)s really not true though, is it? There is an appliance CA keyed for the machine and which generates an appliance cert. The CA is NOT in the default trust store of any browser. It has to be explicitly downloaded from the appliance and added to trust. No idea where you got that nonsense from!

    7. Re: That's Nothing by Anonymous Coward · · Score: 0

      Enterprise proxies that do ssl mitm cause not only security problems, but also all kinds of software problems because many tools like npm won't know about the local CA by default. And it's not always easy to fix it, because some tools can use other tools (like mvn calling npm or pip) in public open source repos, and so forth. It becomes a fool's errand.

    8. Re: That's Nothing by Anonymous Coward · · Score: 0

      Correct. My guess is he is in an enterprise where someone is pushing cert keys to the clients.

    9. Re:That's Nothing by Anonymous Coward · · Score: 0

      Can you dig out the keypair and post the requisite info about it here? You can't use a root CA this way, so if they did it would be revoked immediately if it became public. Your local admin staff might have included additional CAs in the browser though, make sure that isn't the case.

    10. Re:That's Nothing by Anonymous Coward · · Score: 0

      Have you looked at the CA's installed?? What do you think those Entrust certs are for. They aren't the only ones either, hell China is still trusted.

      Mozilla, nor Google will do _anything_ about these. SSL extortion (the fees for certs) is a massive business.

    11. Re: That's Nothing by NicknameUnavailable · · Score: 1

      Firefox, Chrome, Opera, IE, and Safari didn't complain about it - I switched to a more secure version of Firefox with locked down privacy features when I noticed it, turns out they don't include the certs allowing for corporations to override websites to monitor traffic going over their network.

    12. Re:That's Nothing by modmans2ndcoming · · Score: 1

      it was a re-seller that did this, not the root. DigiCert is the root and they asked for proof from the re-seller that the keys were compromised before they revoked them. The re-seller CEO sent the private keys to DigiCert via standard email with no protection.

    13. Re: That's Nothing by Anonymous Coward · · Score: 0

      Our sohpos IS a ca, generating certificates on the fly for https decryption. The root CA cert is pushed out via domain group policy. It is untrusted on workgroup machines that dont get the gp updates.

    14. Re:That's Nothing by Anonymous Coward · · Score: 0

      BlueCoat Systems, Inc. and many other "re-encrypting proxy" appliance vendors do exactly the same thing. This is why SSL/TLS is absolutely worthless to anybody inside any Top 1,000 company.

  3. I call BS by Anonymous Coward · · Score: 0

    The CA does not have to store customers' private keys in order to be able to revoke certificates. They just need to publish a signed list of revoked serial numbers.

    1. Re: I call BS by Anonymous Coward · · Score: 0

      I agree.

      I would also question why anyone would recommend the certs.

      I would start by revoking the CA.

      Why should I have to check every cert isn't in a list of 23,000 bad ones? Seems like it would bee better to revoke the lowest CA cert and make them reissue to everyone under it.

       

  4. Idiots. by Narcocide · · Score: 1

    What, were they just loose on his desktop next to the vacation photos?

    1. Re:Idiots. by Anonymous Coward · · Score: 0

      What, were they just loose on his desktop next to the vacation photos?

      Probably exactly that. In a folder on his laptop he carries around.

    2. Re:Idiots. by Anonymous Coward · · Score: 0

      Right next to the image of his music degree.

  5. Is SSL just "Security Theater"? by Anonymous Coward · · Score: 0

    Sure feels like it. "The practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to achieve it."

    1. Re: Is SSL just "Security Theater"? by jecowa · · Score: 1

      I think SSL is good technology, but the certificate authorities are a scam. I believe you can create your own certificates for free and without some third-party having access to the key and make money from selling it to you.

      --
      my opportunity to freely express myself with the potential persecution and hangings and such
    2. Re: Is SSL just "Security Theater"? by Anonymous Coward · · Score: 0

      > I believe you can create your own certificates for free

      I'm pretty sure I could create a certificate purporting to be google.com. Now if I want to MITM you, you just need to trust my cert. Keeping trusted signing authorities should prevent that. I still get your scam commentary, but the idea of the system is that there's a web of trust going up to someone who can be held responsible.

    3. Re: Is SSL just "Security Theater"? by Anonymous Coward · · Score: 0

      I think you need to do some reading to understand the problem CA's were created to solve.

    4. Re: Is SSL just "Security Theater"? by Anonymous Coward · · Score: 0

      Now if I want to MITM you, you just need to trust my cert. Keeping trusted signing authorities should prevent that.

      Nope. For that to work, you would need trustworthy certificate authorities. Of which there are approximately zero. But that doesn't even matter, because by design, if even one CA is not trustworthy, the whole system stops being trustworthy.

      In security, "trusted" simply means someone who can compromise your security at will. If your trusted people are also trustworthy, that's all fine. But that's not how it works in the real world. Your trusted people come as a list bundled with you browser, and nobody even looks through the list, much less verify the trustworthiness of any CA on the list.

    5. Re: Is SSL just "Security Theater"? by Anonymous Coward · · Score: 0

      The problem CA's were created to solve?

      A way of standardize on a set of root certificates without care for the (lack of) trustworthiness of those issuing certificates.

  6. Oh Well, by rotorbudd · · Score: 1

    Dumbasses gotta dumbass.

    --
    A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
  7. I might be dumb... by Anonymous Coward · · Score: 0

    But why the fuck isn't the PUBLIC key signed, and the end user sends a message to the private key to verify it is authentic?

    This way only the public part of the signed certificate needs to be provided, but the certificate authority's signing of the public certificate would make it obvious that the remove host did/didn't match the associated metadata (ie hostname/key signature/etc.)

    I will personally just stick to self signed certificates for exactly this private key threat model, but obviously the entire chain of trust is untrustworthy in this day and age.

    1. Re:I might be dumb... by TheRaven64 · · Score: 2

      But why the fuck isn't the PUBLIC key signed, and the end user sends a message to the private key to verify it is authentic?

      It is. You generate a certificate signing request (CSR) from your certificate (which embeds the public key and the metadata fields such as organisation name, host name and so on). You send the CSR to your certificate authority (CA). The CA then gives you back a signed certificate (which may strip out some fields from the cert that the CA doesn't want to attest to). The key exchange phase of TLS then sends the certificate to the client, which can walk the certificate chain to verify that someone (hopefully someone trustworthy) is willing to attest that the public key belongs to the organisation that you think you are communicating with. The client then encrypts using the public key and the server decrypts using the private key.

      I will personally just stick to self signed certificates for exactly this private key threat model

      You use self-signed certs for a threat model that doesn't exist? This problem existed only because they had customers that decided to outsource certificate creation to them, which is a bad idea and would have failed a security audit.

      but obviously the entire chain of trust is untrustworthy in this day and age

      If you get a CA to sign your certificate then, at worst, it is no less secure than if you don't. You are still free to distribute the hash out of band and check it. You are still able to use certificate pinning to ensure that you notice if it has unexpectedly changed. And if you don't sign it, then a malicious CA (e.g. one compromised by an intelligence agency) is still able to sign a cert claiming to be yours and have other people trust it. If you use DNSSEC and publish CAA records then you can at least narrow this down to one CA that they must compromise.

      --
      I am TheRaven on Soylent News
  8. Either encrypt your email or stop using it by Murdoch5 · · Score: 1

    If you're using email in 2018 and it's not encrypted it, stop using it, simple! The average person and especially executives, have no sense of security or secure operations. I can point to numerous companies, where even the CTO's and CSO's are widely unqualified to hold those positions, and they would and have, send non-encrypted email containing very sensitive information.

    If society isn't going to grow up and start encrypting all email communication, then it's time to get rid of email.

  9. Never give your CEO... by Tony+Isaac · · Score: 2

    Many CEOs are just technical enough to be dangerous. Never give your CEO:
    - Direct access to your database server
    - Administrator passwords of any kind, even to their own laptop
    - Access to server rooms
    - PRIVATE KEYS!

    You CAN give a CEO a MacBook Air. They'll be happy with the sleek design, and they won't be able to do much damage, since not a lot of "work" software actually runs on it.

    1. Re:Never give your CEO... by Anonymous Coward · · Score: 0

      Many CEOs are just technical enough to be dangerous. Never give your CEO:
      - Direct access to your database server
      - Administrator passwords of any kind, even to their own laptop
      - Access to server rooms
      - PRIVATE KEYS!

      You CAN give a CEO a MacBook Air. They'll be happy with the sleek design, and they won't be able to do much damage, since not a lot of "work" software actually runs on it.

      You can also give a CEO a great big níggerdick in the mouth!

  10. And once again by Anonymous Coward · · Score: 0

    This is just another reason why I will NEVER trust a UK service of any kind for web hosting or cloud storage. Those idiots wouldn't take privacy seriously if each citizen were bent over and had a CCTV camera shoved up their ass, to which it probably also recognizes. Privacy is a God given right, not a privilege folks and should be taken seriously. I don't think even true AI would be happy living there.

  11. why do executives have access to this type of data by modmans2ndcoming · · Score: 1

    This is why Executives are not kings. There are parts of the business that they should not have casual access to. That is not to say they do not have a right to review and inspect with appropriate parties involved in the process, but access to data and tools like this is not the same thing as keys to the front door.

  12. Re:why do executives have access to this type of d by Teun · · Score: 1

    Although his action to mail the certs was not smart, the initial problem was not the executive.
    The Initial problem was his company had kept copies of the private keys, an absolute no-no and when he(?) found out he wanted to communicate which keys were to be revoked.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  13. Part of the Clinton IT camp...Bahahaha!!! by Anonymous Coward · · Score: 0

    Ummmm, was he a Liberal Democrat.... Bahahhaha...

    1. Re:Part of the Clinton IT camp...Bahahaha!!! by Anonymous Coward · · Score: 0

      Clinton was center-right, numbnuts.

  14. BCC: forward to 3-letter agency by Anonymous Coward · · Score: 0

    There's only one reason why anyone would be sending private keys in an email. All your keys belong to us.

  15. Re:why do executives have access to this type of d by Anonymous Coward · · Score: 0

    I can't hold the CTO at fault, he wanted to have the certs revoked and had to prove something bad had happened. Their company shouldn't have been holding the private keys. The certs were already invalid.

  16. Received on 2018-03-01 by Anonymous Coward · · Score: 0

    Quoting from email:
    Dear Customer,

    Today many of our customers are experiencing lengthy delays when attempting to contact us via phone, e-mail and live chat. The reason for the delays was due to an unexpected e-mail that DigiCert sent to our customers containing some inaccurate information. We were not informed that the e-mail would be sent and was caught by surprise.

    I sincerely apologise to our customers and partners that have been affected.

    We didn't authorise DigiCert to contact our customers and we didn't approve the content of their e-mail. At no time had any private keys been compromised.

    We can't go into specific details right now - though we believe the orders placed via our Symantec account were at risk and were poorly managed. In good conscience we decided it wasn't ideal to have any active SSL Certificates on the Symantec systems, nor any that didn't meet our stringent security requirements. Our concerns also relate to the upcoming distrust of all Symantec SSL Certificate brands within Google Chrome - meaning that your SSL Certificate will fail to be trusted in Chrome.

    We implemented a system to ensure that all customers would receive a replacement SSL Certificate, though today it had failed to perform this function.

    In our view it is absolutely critical that an SSL Certificate performs its intended function. In accordance with CAB Forum guidelines we acted to immediately revoke active SSL Certificates whereby trust was questionable.

    We realize that this mass revocation is bothersome and time consuming for you. We're working to contact all customers to get orders replaced as priority and working through a backlog of enquiries. We've sent replacement coupon codes to all of our customers and we urge every customer to immediately replace any affected SSL Certificates.

    Unfortunately things didn't go very well for us today and we are extremely sorry for all the confusion and inconvenience that has been caused. We were relying on systems that would easily replace and issue your SSL Certificates automatically, though that didn't occur.

    We'll be following up again shortly with an update surrounding what occurred and more information about where we experienced failures. In the meantime, our staff are concentrating on getting your SSL Certificates issued as quickly as possible.

    Best regards,

    REDACTED
    Trustico Online Limited
    Customer Service Department

  17. Who sends their PKey over the net. SMH by Anonymous Coward · · Score: 0

    Honestly who would transmit their private key over the internet for signing. Are these lazy people.
    No public CA has the PKeys of my customers. People who do that are asking for trouble.