Trustico and DigiCert Spat Leads to 23,000 SSL Certificates Revoked Overnight - Bitsonline


The certificate industry is in an unusual and outlandish predicament after Trustico's CEO emailed the private keys of 23,000 of his own customers' certificates to the certificate authority DigiCert. Disclosing the keys compromised the certificates, which forced DigiCert to revoke them under the industry's security requirements. The move left 23,000 website operators without working HTTPS certificates.


The conflict between U.K.-based HTTPS certificate reseller Trustico and Digicert has now become so bad that legal threats have become part of the spat. While the two companies quarrel, the main people suffering are certificate owners.

The Story of the Conflict Between Trustico and DigiCert

According to Ars Technica, the problem began recently when the web browsers Google Chrome and Mozilla Firefox started rejecting Symantec-branded SSL/TLS certificates. Soon after that, Trustico stopped selling Symantec-branded certificates and started selling Comodo's HTTPS certificates instead.

However, Trustico also wanted to replace its existing customers' Symantec SSL certs with Comodo's HTTPS certs. To do so, Trustico demanded that DigiCert revoke the 50,000 Symantec certs Trustico had sold. DigiCert refused the demand and pointed out that a mass revocation on those terms was not possible.

According to DigiCert, industry regulations are unclear on whether a certificate reseller can revoke the SSL certs on behalf of its customers, or if only the end customer has the right to do it.

At that point, the Trustico CEO sent DigiCert an email containing the private keys of 23,000 certificates. Once a CA holds a certificate's private key, that key is compromised by definition, so the certificate authority was left with only one option: revoking all of the certificates.

Jeremy Rowley, DigiCert vice president, said:

“At my request for proof of compromise, we received a file with 23k private keys matched to specific Trustico customers. This definitely triggered our 24-hour revocation processing requirement under 4.9.1.1.3. Once we received the keys, we confirmed that these were indeed the matching private keys for the reported certificates. We will be revoking these certificates today (February 28th, 2018).”
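The step Rowley describes, confirming that each submitted private key really matches the reported certificate before treating the report as proof of compromise, as an added example that is not DigiCert's own tooling. It uses the openssl CLI on throwaway key and certificate material generated locally; the file names and the CN `example.invalid` are constructed for the example.

```shell
#!/bin/sh
# Added example: does a submitted private key belong to a given certificate?
# A CA performs this check before a key-compromise report triggers the
# 24-hour revocation clock. Requires the openssl CLI.
set -eu

# Derive the public key from the private key and compare its SHA-256 digest
# with the digest of the public key embedded in the certificate.
# Prints MATCH / NO MATCH and returns 0 / 1 so callers can branch on it.
key_matches_cert() {
    key="$1"; cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
              | openssl dgst -sha256 | awk '{print $NF}')
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout \
               | openssl pkey -pubin -outform DER 2>/dev/null \
               | openssl dgst -sha256 | awk '{print $NF}')
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        echo "MATCH: $key is the private key for $cert"
        return 0
    fi
    echo "NO MATCH: $key does not belong to $cert"
    return 1
}

# Constructed test material (hypothetical): two fresh keys and a self-signed
# certificate issued for the first one only.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$workdir/reported.key" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$workdir/unrelated.key" 2>/dev/null
openssl req -new -x509 -key "$workdir/reported.key" \
    -subj "/CN=example.invalid" -days 1 -out "$workdir/site.crt" 2>/dev/null

key_matches_cert "$workdir/reported.key"  "$workdir/site.crt"          # MATCH
key_matches_cert "$workdir/unrelated.key" "$workdir/site.crt" || true  # NO MATCH
```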

Is Trustico at Fault?

During the revocation process, DigiCert emailed all 23,000 certificate owners, who are customers of Trustico, remarking that “revocation will lead to the immediate termination of your certificate’s functionality.”

Certificate owners were confused as to why they received the email from DigiCert rather than from their certificate reseller, Trustico. The fate of the remaining 27,000 Symantec-branded SSL certs out of the 50,000 is unknown.

One confused certificate owner took to Twitter and wrote, “@digicert can you please explain the email I received from rapidssl/DigiCert blaming @MrTrustico for the revocation of my certs in 24hrs due to them reporting a compromise of the private keys? Where’s the proof of the report/breach? Why are you emailing me instead of trustico?”

DigiCert, in a press release, pointed out that Trustico had retained the private keys of the certificates. The press release read: “Trustico’s CEO indicated that Trustico held the private keys for those certificates, and then emailed us approximately 20,000 certificate private keys.”

The spat between Trustico and DigiCert is unusual, and it is now one of the worst disputes between companies in the certificate issuing industry. Certificate owners have suffered the greatest loss: their websites were automatically deemed insecure the moment the certificates were revoked. The dispute is likely to harm the reputations and business of both companies.

What is the fate of the remaining 27,000 Symantec-branded SSL certificate holders?
