The HTTPS Apocalypse is upon us, and at least a month early. I was going to post this in the Lunduke thread, but then I thought maybe it’s worth its own thread. Though to reference the Lunduke thread, it’s hard for me to argue that HTTPS isn’t broken when shit like this happens.
But honestly, when we listen to the actual security experts, this is one of the things they’ve been talking about. With certs, you can (and often do) go through an authorized signing authority. The trick is knowing how much faith you should put into a secondary (or sometimes tertiary, or worse, bob help you) authority.
Also in case you’re not aware what I mean by a month early…
Another 30,000 certificates are set to not be trusted by Chrome in April. Firefox is looking at not trusting those certificates later this month.
I’m not sure this particular issue was expected to happen. A certificate reseller offers a web-based private key generator, and stores clients’ private keys (presumably from the web generator) on their servers, and emails those keys in order to prove that they’ve been compromised. JFC. There’s so much to unpack in this story.
HTTPS isn’t compromised; these certificates used to sign the encryption certificates are compromised. So a subset of certificates used for enabling TLS signed by that particular organisation are no longer trustworthy.
TLS and HTTPS themselves are not compromised, just to make the distinction, which I think is worth making.
Agreed with the comments though, this is about having a trustworthy signing authority, not much else. You can do your due diligence when picking one so that this doesn’t happen with your certificates.
So alongside archiving private keys, their clearly outdated website also held a flaw that allowed for root access to their web server at the very least.
By inserting commands into the validation form, attackers could call code of their choice and get it to run on Trustico servers with unfettered "root" privileges...
This is actually a hilarious story. Trustico thought the Symantec revocation meant all their keys needed to be revoked, so they emailed the private keys to DigiCert. Since exposing a private key in that way means it’s compromised now, they had no choice but to revoke them. Comedy of errors, severe incompetence.
Tavis Ormandy’s Twitter is full of it, great stuff. He’s one of the most communicative Google Project Zero guys, and if you’re into infosec his account is well worth a follow.
There is a fundamental flaw in trusting humans, not HTTPS. The site was compromised by the human that set it up.
My door is perfectly secure. The fact that my wife dropped her keys in the grocery store parking lot doesn’t reduce the theoretical security of the door, it reduces the effective security.