On Thursday, March 1, 2018 at 1:51:16 PM UTC, Michel Gre wrote:
> > I'd postulate there's
> > nothing wrong with Trustico holding the private keys if they were hosting
> > the site or providing CDN services for all of these sites. 
> 
> I manage one of the affected domains. I can tell that in no way does Trustico 
> host the site, nor provide us any CDN service.
> 
> We just purchased a certificate from them 4 years ago and renewed it for 3 years 
> in April 2015. Since we are usually quite busy we simply used their form to 
> generate the key, the CSR, and get the certificate... So, Trustico should 
> actually be Dontrustico. The worst is that the CEO himself publicly said (here!) 
> that they HELD OUR PRIVATE KEYS!!! Come on. M. Zane Lucas, your staff sent me 
> (after I asked them for an explanation regarding DigiCert's first email) 
> a coupon for a "Trustico(r) Single Site" certificate; would you expect me to 
> trust it after what YOU disclosed here? Looks like you just cut the branch 
> your company was sitting on.

In relevant news, Trustico's site is down due to an apparent flaw, apparently 
allowing users to run commands as root on their production webserver. 

My question is, assuming this was discovered previously by an attacker, is 
there a possibility of exploiting that to fetch these cold-storage keys?

https://twitter.com/Manawyrm/status/969230542578348033 in reply to 
https://twitter.com/svblxyz/status/969220402768736258
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy