HTTPS Apocalypse upon us as 23,000 certs to be revoked

The HTTPS Apocalypse is upon us, and at least a month early. I was going to post this in the Lunduke thread, but then I thought maybe it’s worth its own thread. Though to reference the Lunduke thread, it’s hard for me to argue that HTTPS isn’t broken when shit like this happens.

But honestly, when we listen to the actual security experts, this is one of the things they’ve been talking about. With certs, you can (and often do) go through an authorized signing authority. The trick is knowing how much faith you should put in a secondary (or sometimes tertiary, or worse, bob help you) authority.

Also in case you’re not aware what I mean by a month early…

Another 30,000 certificates are set to not be trusted by Chrome in April. Firefox is looking at not trusting those certificates later this month.

3 Likes

OH NO !! LUNDUKE WAS RIGHT !!!

jk jk

Well it happens … it is expected to happen anyways.

Edit: quick edit, you know you posted in Blog, right? Most news seems to go to Community.

1 Like

I lol’d. :slight_smile:

I’m not sure this particular issue was expected to happen. A certificate reseller offers a web based private key generator, and stores clients’ private keys (presumably from the web generator) on their servers, and emails those keys in order to prove that they’ve been compromised. JFC. There’s so much to unpack in this story.

Well, it was expected that if there’s a way to compromise HTTPS, it’s gonna be by a leak/dishonesty from a cert seller.

2 Likes

HTTPS isn’t compromised, these certificates used to sign the encryption certificates are compromised. So a subset of certificates used for enabling TLS signed by that particular organisation are no longer trustworthy.

TLS and HTTPS themselves are not compromised :smiley: just to make the distinction, which I think is worth making.

Agreed with the comments though, this is about having a trustworthy signing authority, not much else. You can do your due diligence when picking one so that this doesn’t happen with your certificates.

6 Likes

This is not about https being compromised, but about people being stupid/making mistakes (however you want to interpret it).

Lunduke is still wrong and ignorant about how https works.

2 Likes

Yeah, meant to say the same, just too lazy to write after a long day.

2 Likes

People mentioned Lunduke, that’s only why I posted as I did, as he had (deliberately) not made the distinction with his HTTPS video.

2 Likes

The plot thickens!

So alongside archiving private keys, their clearly outdated website also held a flaw that allowed for root access to their web server at the very least.

By inserting commands into the validation form, attackers could call code of their choice and get it to run on Trustico servers with unfettered "root" privileges...

Fscking classic.

This is actually a hilarious story. Trustico thought the Symantec revocation meant all their keys needed to be revoked, so they emailed the private keys to DigiCert. Since exposing a private key in that way means it’s compromised now, they had no choice but to revoke them. Comedy of errors, severe incompetence.

Tavis Ormandy’s Twitter is full of it, great stuff. He’s one of the most communicative Google Project Zero guys, and if you’re into infosec his account is well worth a follow.

https://twitter.com/taviso

2 Likes

Made me remember a 13yo nuisance trick: edit the account register form and submit it like that.

And of course we all know Bobby Tables!
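Both the "commands inserted into the validation form" report quoted earlier in the thread and the Bobby Tables joke are the same class of bug: untrusted form input spliced into a command or query string. The following is an added example, not code from the thread or from Trustico's site, showing each vulnerable pattern beside its hardened form. All inputs are constructed; `echo` stands in for whatever validation tool a real form would call, and a throwaway in-memory SQLite table stands in for the real database, so everything runs offline.

```python
import re
import sqlite3
import subprocess

# Constructed sample inputs (not from the thread): one honest hostname and
# two injection payloads of the classic shape.
HONEST_HOST = "example.com"
INJECTED_HOST = "example.com; echo INJECTED"
BOBBY = "Robert'); DROP TABLE students;--"

# --- OS command injection: the "validation form" pattern -------------------

def lookup_unsafe(hostname: str) -> str:
    """Vulnerable: the form value is concatenated into a shell command line.
    With shell=True the shell parses the ';' and runs the second command too."""
    result = subprocess.run("echo " + hostname, shell=True,
                            capture_output=True, text=True)
    return result.stdout

# Allowlist for a DNS hostname: dot-separated labels of [a-z0-9-], a 2+ letter
# TLD, at most 253 characters. Anything else (spaces, ';', quotes) is rejected.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def lookup_safe(hostname: str) -> str:
    """Hardened: validate against the allowlist, then pass the value as a single
    argv element with no shell, so it is never parsed as shell syntax."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    result = subprocess.run(["echo", hostname], capture_output=True,
                            text=True, check=True)
    return result.stdout

def safe_rejects(hostname: str) -> bool:
    """True when the hardened lookup refuses the input."""
    try:
        lookup_safe(hostname)
    except ValueError:
        return True
    return False

# --- SQL injection: Bobby Tables ------------------------------------------

def _fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.execute("INSERT INTO students VALUES ('Alice')")
    return conn

def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'students'"
    ).fetchone()
    return row is not None

def enrol_unsafe(conn: sqlite3.Connection, name: str) -> None:
    """Vulnerable: string concatenation. executescript runs every statement,
    including the one the payload appended after closing the quote."""
    conn.executescript("INSERT INTO students VALUES ('" + name + "');")

def enrol_safe(conn: sqlite3.Connection, name: str) -> None:
    """Hardened: a bound parameter is always data, never SQL text."""
    conn.execute("INSERT INTO students VALUES (?)", (name,))

def demo_sql_unsafe() -> bool:
    """Returns whether the students table survived the unsafe insert."""
    conn = _fresh_db()
    enrol_unsafe(conn, BOBBY)
    return table_exists(conn)  # False: the injected DROP TABLE ran

def demo_sql_safe() -> tuple:
    """Returns (table still exists, the name as stored) after the safe insert."""
    conn = _fresh_db()
    enrol_safe(conn, BOBBY)
    stored = conn.execute("SELECT name FROM students WHERE name = ?",
                          (BOBBY,)).fetchone()[0]
    return table_exists(conn), stored

if __name__ == "__main__":
    print("unsafe shell output:", lookup_unsafe(INJECTED_HOST))
    print("safe rejects payload:", safe_rejects(INJECTED_HOST))
    print("unsafe SQL, table survived:", demo_sql_unsafe())
    print("safe SQL, table survived + stored name:", demo_sql_safe())
```

The two hardened versions share one design choice: the untrusted value never becomes part of the text that a parser (the shell, the SQL engine) interprets. Argv lists and bound parameters carry it as opaque data, and the allowlist check on the hostname is a second, independent layer so a bad value is refused before any command runs at all.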

There is a fundamental flaw in trusting humans, not HTTPS. The site was compromised by the human that set it up.

My door is perfectly secure. The fact that my wife dropped her keys in the grocery store parking lot doesn’t reduce the theoretical security of the door, it reduces the effective security.

EDIT: words, reordered were they.