On Thursday, March 1, 2018 at 11:08:58 AM UTC-5, RSTS wrote:
> On Thursday, March 1, 2018 at 1:51:16 PM UTC, Michel Gre wrote:
> > > I'd postulate there's nothing wrong with Trustico holding the private
> > > keys if they were hosting the site or providing CDN services for all of
> > > these sites.
> >
> > I manage one of the affected domains. I can tell that in no way does
> > Trustico host the site, nor provide us with any CDN service.
> >
> > We just purchased a certificate from them 4 years ago and renewed it for
> > 3 years in April 2015. Since we are usually quite busy we simply used
> > their form to generate the key, the CSR, and get the certificate... So,
> > Trustico should actually be Dontrustico. The worst is that the CEO himself
> > publicly said (here!) that they HELD OUR PRIVATE KEYS!!! Come on. M. Zane
> > Lucas, your staff sent me (after I asked them for an explanation regarding
> > Digicert's first email) a coupon for a "Trustico(r) Single Site"
> > certificate; would you expect me to trust it after what YOU disclosed
> > here? Looks like you just cut the branch your company was sitting on.
>
> In relevant news, Trustico's site is down due to an apparent flaw,
> apparently allowing users to run commands as root on their production
> webserver.
>
> My question is, assuming this was discovered previously by an attacker, is
> there a possibility of exploiting that to fetch these cold-storage keys?
>
> https://twitter.com/Manawyrm/status/969230542578348033 in reply to
> https://twitter.com/svblxyz/status/969220402768736258
Given that they were able to readily produce all of these keys, I would suspect they were never really in cold storage. At least not exclusively.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
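Michel Gre's account above shows where the exposure started: the key pair was generated inside the reseller's web form, so the reseller held the private key from day one. There is no cryptographic test a site owner can run afterwards to prove a third party never had a copy; the only assurance is procedural, which is to generate the key on your own machine and hand over nothing but the CSR. The script below is an added example written for this page, not code from the thread, from Trustico or from DigiCert. It assumes a POSIX shell with `openssl` (1.1 or 3.x) on the PATH; the file names and the CN `example.test` are made up, and the "CA" step self-signs the CSR purely so the example runs offline (a real CA signs with its own issuing key). It generates the key and CSR locally, issues a certificate from the CSR, and then checks that the certificate's public key matches the private key you hold, which is the one verification a site owner can actually perform.

```shell
#!/bin/sh
# Added example, not code from the thread or from Trustico/DigiCert.
# Assumes POSIX sh and openssl 1.1/3.x; paths and CN are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the private key locally with restrictive permissions. The umask runs
# in a subshell so it does not affect the rest of the script. This file is the
# one artefact that must never be pasted into a reseller's web form.
gen_local_key() {
  ( umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null )
}

# Build the CSR from the local key. A CSR carries only the public key and the
# subject (plus a proof-of-possession signature), so it is safe to send to the CA.
#   $1 = private key, $2 = CSR output path, $3 = CN
gen_csr() {
  openssl req -new -key "$1" -subj "/CN=$3" -out "$2" 2>/dev/null
}

# Stand-in for the CA: issue a certificate for the CSR. Self-signed here only so
# the example runs offline; the public key in the cert still comes from the CSR.
#   $1 = CSR, $2 = signing key, $3 = certificate output path
issue_cert_from_csr() {
  openssl x509 -req -in "$1" -signkey "$2" -days 1 -out "$3" 2>/dev/null
}

# Compare the SHA-256 of the DER-encoded public key inside the certificate with
# the public key derived from the private key. Exit status 0 means they match.
#   $1 = certificate, $2 = private key
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Walk through the procedure: key and CSR stay local, only the CSR goes out.
gen_local_key "$WORK/site.key"
gen_csr "$WORK/site.key" "$WORK/site.csr" "example.test"
issue_cert_from_csr "$WORK/site.csr" "$WORK/site.key" "$WORK/site.crt"

# A second, unrelated key stands in for "a key someone else generated for us".
gen_local_key "$WORK/other.key"

if cert_matches_key "$WORK/site.crt" "$WORK/site.key"; then
  echo "site.crt matches the locally generated site.key"
fi
if ! cert_matches_key "$WORK/site.crt" "$WORK/other.key"; then
  echo "site.crt does not match other.key (as expected)"
fi
```

The match check only confirms that the certificate belongs to the key you hold; it says nothing about who else has a copy of that key. If a key ever came out of a reseller's form, treat it as compromised: generate a fresh key locally, submit a new CSR, and have the old certificate revoked.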

