
HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed

Add remote-code execution hole to mass-revocation drama

By Iain Thomson in San Francisco


The websites for HTTPS certificate reseller Trustico, and one of its partners, SSL Direct, took a dive on Thursday – after a critical and trivial-to-exploit security flaw in Trustico.com was revealed on Twitter.

The vulnerability could be leveraged by miscreants to execute arbitrary commands on the website's host server. A lack of input sanitization allowed carefully crafted commands, submitted as a URL in a web form, to be run on the underlying Linux-powered system, as root no less, meaning anyone who found and exploited the bug could take over the dot-com's web servers.
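To illustrate the class of bug described above, here is an added example (not Trustico's code; the page does not say how its tool was built) of a certificate-inspection helper that assumes the web form's URL is handed to openssl s_client. The vulnerable pattern interpolates the raw field into a shell string; the hardened form extracts and validates the hostname, then passes an argv list so no shell ever interprets user input.

```python
import re
import subprocess
from typing import List, Optional
from urllib.parse import urlparse

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen, 63 chars per label, 253 overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(url: str) -> str:
    # Anti-pattern (shown for contrast, never executed here): untrusted form
    # input is spliced into a shell command line, so any character the shell
    # treats specially becomes part of the command. Running this as root, as
    # the article describes, turns a web form into a root shell.
    return f"openssl s_client -connect {url}:443 -servername {url} </dev/null"


def extract_hostname(url: str) -> Optional[str]:
    # Accept a bare hostname or a full URL; keep only the parsed host part and
    # reject anything that is not a syntactically valid hostname.
    try:
        parsed = urlparse(url if "://" in url else "//" + url)
    except ValueError:
        return None
    host = parsed.hostname
    if host is None or not _HOSTNAME_RE.match(host):
        return None
    return host


def build_openssl_argv(url: str, port: int = 443) -> Optional[List[str]]:
    # Hardened form: validate first, then build an argv list. With no shell in
    # the path, the hostname is a single opaque argument to openssl.
    host = extract_hostname(url)
    if host is None or not 0 < port < 65536:
        return None
    return ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]


def inspect_certificate(url: str, timeout: float = 10.0) -> Optional[str]:
    # shell=False is the default; stdin is closed and runtime is bounded.
    # Run this under an unprivileged service account, never as root.
    argv = build_openssl_argv(url)
    if argv is None:
        return None
    result = subprocess.run(argv, input=b"", capture_output=True, timeout=timeout)
    return result.stdout.decode(errors="replace")
```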

On Wednesday, UK-based Trustico hit the headlines after its CEO emailed the private keys to 23,000 Trustico-sold, Symantec-branded SSL/TLS certs to certificate authority DigiCert, forcing the latter to revoke the certs as per the industry's security standards. DigiCert owns and operates the Symantec umbrella of HTTPS certificate issuers.

Trustico stopped selling Symantec-branded certificates in mid-February, and will in future resell Comodo's HTTPS certs, ahead of Google Chrome and Mozilla Firefox automatically rejecting Symantec-branded SSL/TLS certificates later this year. Trustico appears to have wanted to move its customers onto Comodo-issued certificates, and one way of doing this was to demand DigiCert revoke 50,000-odd Symantec-branded certificates sold via Trustico.

DigiCert will now cancel the 23,000 certs linked to the emailed private keys. What's happening with the other 27,000 isn't clear amid all this messy drama. Trustico said it recovered the "private keys from cold storage," having kept them for revocation purposes. Generally speaking, the only party who ought to retain an HTTPS certificate's private key is the holder and owner of the certificate, not a reseller or other intermediary.

Trustico's staff have insisted the Brit biz has done nothing wrong: it just wanted the certs revoked. DigiCert was not impressed.

Now the website goes down

On Thursday morning, Serbian security researcher Predrag Cujanović tweeted details of a critical flaw in Trustico's website. The site was pulled offline – it just returns a 503 error – a move that also took out the website of SSL Direct, which uses Trustico as its "technology and solution provider." SSLDirect.com was sharing Trustico.com's server, it appears.

"This vulnerability was public already (that's how I found it), I only pointed out how bad it is (a web service running as root user)," Cujanović later explained. "There was no protection in place and I didn't read any sensitive information."

Perhaps someone ran rm -rf --no-preserve-root / on the box. No, don't try that at home. Or work.

At time of going to publication, Trustico's website was still down, and there was no official word on the cause from the company, which has been silent on social media and has not returned our requests for comment. ®

Updated to add

Trustico director Zane Lucas has been in touch to say the website's server was not connected to systems holding customer information, and the vulnerable web app was a tool for inspecting websites' certificates rather than a service involving customer data. The site was taken down while the biz investigates, we're told.

"We can’t go into the specifics, but what I can say to you is that we shut down the development tools and the web server they were running on temporarily to investigate the tool in question," Lucas told us.

"We haven’t found any evidence of a breach, though we disabled the tools pending a full investigation.

"It should be noted that the server that the tools are running on is not connected with any databases or services that contain customer data. The tools in question are development tools that customers can use to learn the intricacies of an SSL certificate, as indicated on the page – they are not designed for production use."

Bootnote

TITSUP, abbr.: Total Inability To Sell Usual Products
