The CEO of Trustico, a TLS certificate reseller based in the United Kingdom, finds himself at the center of a controversy that raises a number of disturbing questions about browser-trusted security certificates.
The email in question was sent to Jeremy Rowley, an executive Vice President at DigiCert. The catalyst that prompted the fateful email was that officials at Trustico notified DigiCert that 50,000 certificates originally issued by Symantec and resold by Trustico had been compromised and should be mass revoked due to security concerns.
Mr. Rowley, not wanting to take such drastic action without proof, asked for it. In response, Trustico’s CEO emailed the private keys of 23,000 certificates, an action which drew shocked reactions from security professionals around the world when news of the email became public.
If you’re not familiar with the inner workings of browser-trusted certificates, there are a few problems here. First, there’s no good reason why a reseller should have a copy of the private keys to begin with. Second, even if that were the norm, to simply email them to a third party shows incredibly poor judgement, especially given that there’s no evidence the email in question was encrypted. Third, customers used Trustico’s website to generate their private keys, which is a service that should never even have been offered.
To make matters even worse, not long after news of the email hit the internet, Trustico’s website went dark, when a security expert posted details about a critical vulnerability on the company’s website. The flaw resides in a site feature that allows customers to confirm that certificates are properly installed. Unfortunately, Trustico’s website had been compromised and any time a user would use the feature, the hackers could use the opportunity to run malicious code. It’s a tangled web, and it paints everyone involved in a very bad light.