20,000 private web certificate keys exposed in business tiff


Website security certificates have been written about many times, because HTTPS certificates (TLS certificates) are one of the main components in the security of online transactions. TLS is the abbreviation of Transport Layer Security; it used to be known as SSL, or Secure Sockets Layer.

Web certificates are what put the lock icon in the address bar of your browser; information security training experts recommend that you look for it if you are a visitor to a website, and that you provide it if you are the operator of one.


The “chain of trust” that TLS builds from digital certificates, greatly simplified, works something like this:

“I use a certificate to vouch for the fact that a website is really mine to own and operate. I get a company called a Certification Authority (CA) to vouch for my certificate by signing it with their certificate. Your operating system or browser vendor vouches for the CA by adding the CA’s certificate to a list of trusted roots.”

This forms a chain of trust: your browser tells you that the CA is likely to be telling the truth, the CA tells you that the website operator is likely to be telling the truth, and the website operator tells you, “This site really is mine.”

Information security training professionals tell us that there are things that can go wrong here:

“A trusted CA could go dishonest, or be acquired by a more careless company, or sign certificates without doing the proper checks. Thieves could steal a vendor’s certificate and start stamping that vendor’s official seal on their own malicious websites. Crooks could steal your certificate and set up an impostor site that looks completely genuine.”

As a result, the TLS certificate system must be able not only to introduce new certificates and CAs into the mix, but also to revoke individual certificates, and even entire CAs. Several CAs have lost the confidence of the community over the years, most recently the data security firm Symantec.

Google has been chasing Symantec for almost a year, arguing that the community should “eliminate the trust in Symantec’s infrastructure to maintain users’ security and privacy when surfing the web”.

According to Google, and to information security training specialists, Symantec’s infrastructure for issuing certificates was simply not up to par, so Symantec should reissue all its certificates, revoking the old and unreliable ones for the good of all.

In the end, Symantec sold its certificate business to Digicert, which would issue replacement certificates to its customers before the world’s browsers automatically distrusted existing Symantec certificates.

In the United Kingdom, this transition has not gone well, due to a dispute with one of Digicert’s London resellers, a security business called Trustico.

Trustico decided it wanted to move its customers who held Symantec certificates away from the new Digicert owners to a competing CA that it found more convenient. But Digicert had already emailed those Trustico customers whose certificates needed to be replaced, advising them of the certificate exchange process.

Trustico then demanded that Digicert revoke the affected certificates directly. Digicert refused, since the unilateral revocation of individual certificates, in the absence of any general security problem, is a matter for the owners of the certificates. According to Digicert, Trustico responded by e-mailing it the private keys for more than 20,000 certificates.

“The private key is what makes the certificate yours and prevents other people from abusing it, so you should be the only person with a copy of your private key,” says an information security training researcher.

The TLS certificate system guidelines say that if the private key of a certificate is known to have been exposed, that certificate must be revoked within 24 hours. Since the keys had been sent by email across the Internet, they now counted as exposed, and Trustico got what it wanted.
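To make the chain of trust described earlier and the key-exposure rule above concrete, here is an added example (not part of the original article) that builds a throwaway root CA and a site certificate with the openssl command-line tool, then provides two checks a CA or certificate owner would want: does the certificate chain back to the trusted root, and does a given private key actually belong to a given certificate, which is how a CA handed a batch of leaked keys would work out which certificates now need revoking. All names (Demo Root CA, example.test, the file names) are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: a two-link chain of trust (root CA -> site certificate)
# built in a temporary directory with openssl. Nothing here touches real CAs.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. The root CA: a self-signed certificate that plays the "trusted root"
#    a browser or operating system would ship in its trust list.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout ca.key -out ca.crt -subj "/CN=Demo Root CA" 2>/dev/null

# 2. The website operator: generates its own private key and a signing
#    request, which the CA signs to produce the site certificate.
openssl req -newkey rsa:2048 -nodes \
  -keyout site.key -out site.csr -subj "/CN=example.test" 2>/dev/null
openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -out site.crt 2>/dev/null

# Returns 0 when the certificate ($2) verifies against the trust anchor ($1),
# i.e. the signature chain from site certificate to root is intact.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns the SHA-256 fingerprint of a certificate's public key (DER form).
cert_pubkey_fp() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns the SHA-256 fingerprint of the public half of a private key.
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when private key ($1) is the one behind certificate ($2).
# A CA that receives leaked keys runs exactly this kind of comparison to
# identify which certificates are compromised and must be revoked.
key_matches_cert() {
  k=$(key_pubkey_fp "$1"); c=$(cert_pubkey_fp "$2")
  [ -n "$k" ] && [ "$k" = "$c" ]
}

verify_chain ca.crt site.crt && echo "chain OK: site.crt is signed by Demo Root CA"
key_matches_cert site.key site.crt && echo "site.key belongs to site.crt: revoke if exposed"
```

The CA key deliberately does not match the site certificate, so `key_matches_cert ca.key site.crt` fails; a stray key that matches none of your certificates is not an emergency, but one that does starts the 24-hour revocation clock.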

This kind of public uproar does not speak well of the world of digital certificates. All sites are expected to be served over HTTPS these days, but a public dispute like this, in which customers’ private keys have become business negotiating chips, does nobody any favours. Now, information security training professionals say, it will be more difficult to convince people to convert their websites to HTTPS.