HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed

Add remote-code execution hole to mass-revocation drama

By Iain Thomson in San Francisco

Posted in Security, 1st March 2018 22:34 GMT

The websites for HTTPS certificate reseller Trustico, and one of its partners, SSL Direct, took a dive on Thursday – after a critical and trivial-to-exploit security flaw in Trustico's site was revealed on Twitter.

The vulnerability could be leveraged by miscreants to execute arbitrary commands on the website's host server. A lack of input sanitization allowed carefully crafted commands, submitted as a URL in a web form, to be run on the underlying Linux-powered system, as root no less, meaning anyone who found and exploited the bug could take over the dot-com's web servers.
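The bug class described above is OS command injection: a web form takes a URL, splices it into a shell command string, and the shell treats any metacharacters in that string as new commands. The following is an added example, not Trustico's code (which has not been published); it assumes a hypothetical certificate-inspection tool, of the kind the company's later update describes, that shells out to openssl s_client. It shows the unsafe string-building pattern beside a hardened version that parses the input as a URL, accepts only a well-formed DNS hostname, and passes it to the program as a single argv element with no shell involved.

```python
import re
import subprocess
from urllib.parse import urlsplit

# DNS-name grammar (RFC 1123 style labels, 253 chars max): letters, digits and
# hyphens only, so no shell metacharacter can ever survive validation.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def build_shell_command_vulnerable(url: str) -> str:
    """The dangerous pattern (hypothetical, for contrast): user input is spliced
    straight into a string that is later handed to a shell, for example via
    subprocess.run(cmd, shell=True) or os.system(cmd). Whatever the shell
    parses out of the input runs with the web service's privileges; in the
    incident above, that was root."""
    return f"openssl s_client -connect {url}:443 -servername {url} </dev/null"


def host_from_url(url: str) -> str:
    """Parse the submitted value as a URL and return only a validated hostname.
    Input that is not a plain DNS name is rejected outright rather than
    'cleaned'; IP literals are deliberately excluded by this policy."""
    candidate = url if "://" in url else "https://" + url
    parsed = urlsplit(candidate)          # may itself raise ValueError
    host = parsed.hostname                # lowercased; userinfo and port removed
    if not host or not _HOST_RE.match(host):
        raise ValueError(f"rejected input: {url!r}")
    return host


def accepts(url: str) -> bool:
    """True if the hardened validator would allow this input through."""
    try:
        host_from_url(url)
        return True
    except ValueError:
        return False


def build_inspect_argv(url: str) -> list[str]:
    """Hardened form: an argv list executed without a shell, so the input can
    only ever be one argument to openssl, never a second command."""
    host = host_from_url(url)
    return ["openssl", "s_client", "-connect", f"{host}:443",
            "-servername", host, "-showcerts"]


def run_inspection(url: str, timeout: float = 10.0) -> str:
    """Run the inspection. shell=False is the default: no word splitting,
    globbing or metacharacter interpretation happens anywhere."""
    argv = build_inspect_argv(url)
    proc = subprocess.run(argv, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary URL and one carrying a shell
    # metacharacter, to show how each code path treats them.
    for sample in ("https://example.com/path", "example.com;id"):
        print("vulnerable string :", build_shell_command_vulnerable(sample))
        print("hardened argv     :",
              build_inspect_argv(sample) if accepts(sample) else "REJECTED")
```

The separate `host_from_url` function is the control point: everything downstream receives a value that has already been proven to match the hostname grammar, so the argv builder never has to reason about escaping. Validation plus `shell=False` removes the injection; the second lesson from the incident, that the tool ran as root, is addressed outside the code by running such a service under an unprivileged account so that any remaining bug is contained.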

On Wednesday, UK-based Trustico hit the headlines after its CEO emailed the private keys to 23,000 Trustico-sold, Symantec-branded SSL/TLS certs to certificate authority DigiCert, forcing the latter to revoke the certs as per the industry's security standards. DigiCert owns and operates the Symantec umbrella of HTTPS certificate issuers.

Trustico stopped selling Symantec-branded certificates in mid-February, and will in future resell Comodo's HTTPS certs, ahead of Google Chrome and Mozilla Firefox automatically rejecting Symantec-branded SSL/TLS certificates later this year. Trustico appears to have wanted to move its customers onto Comodo-issued certificates, and one way of doing this was to demand DigiCert revoke 50,000-odd Symantec-branded certificates sold via Trustico.

DigiCert will now cancel the 23,000 certs linked to the emailed private keys. What's happening with the other 27,000 isn't clear amid all this messy drama. Trustico said it recovered the "private keys from cold storage," having kept them for revocation purposes. Generally speaking, the only party that ought to retain an HTTPS certificate's private key is the holder and owner of the certificate, not a reseller or other intermediary.

Trustico's staff have insisted the Brit biz has done nothing wrong: it just wanted the certs revoked. DigiCert was not impressed.

Now the website goes down

On Thursday morning, Serbian security researcher Predrag Cujanović tweeted details of a critical flaw in Trustico's website. The site was pulled offline – it just returns a 503 error – a move that also took out the website of SSL Direct, which uses Trustico as its "technology and solution provider." SSL Direct was sharing Trustico's server, it appears.

"This vulnerability was public already (that's how I found it), I only pointed out how bad it is (a web service running as root user)," Cujanović later explained. "There was no protection in place and I didn't read any sensitive information."

Perhaps someone ran rm -rf --no-preserve-root / on the box. No, don't try that at home. Or work.

At the time of publication, Trustico's website was still down, and there was no official word on the cause from the company, which has been silent on social media and has not returned our requests for comment. ®

Updated to add

Trustico director Zane Lucas has been in touch to say the website's server was not connected to systems holding customer information, and the vulnerable web app was a tool for inspecting websites' certificates rather than a service involving customer data. The site was taken down while the biz investigates, we're told.

"We can’t go into the specifics, but what I can say to you is that we shut down the development tools and the web server they were running on temporarily to investigate the tool in question," Lucas told us.

"We haven’t found any evidence of a breach, though we disabled the tools pending a full investigation.

"It should be noted that the server that the tools are running on are not connected with any databases or services that contain customer data. The tools in question are development tools that customers can use to learn the intricacies of an SSL certificate, as indicated on the page – they are not designed for production use."


TITSUP, abbr.: Total Inability To Sell Usual Products
