On 2018-03-02 00:28, Hanno Böck via dev-security-policy wrote:
> Hi,
>
> On twitter there are currently some people poking Trustico's web
> interface and found trivial script injections:
> https://twitter.com/svblxyz/status/969220402768736258
>
> Which seem to run as root:
> https://twitter.com/cujanovic/status/969229397508153350
>
> I haven't tried to reproduce it, but it sounds legit.
Unsurprisingly, the entire server is now down. If Trustico are lucky, someone just `rm -rf /`ed the whole thing. If they aren't, they now have a bunch of persistent backdoors in their network. Now the interesting question is whether this vector could've been used to recover any/all archived private keys.

As I understand it, Trustico is in the process of terminating their relationship with Digicert and switching to Comodo for issuance. I have a question for Digicert, Comodo, and other CAs: do you do any vetting of resellers for best practices? While clearly most of the security burden rests with the CA, this example shows that resellers with poor security practices (archiving subscriber public keys, e-mailing them to trigger revocation, trivial command injection vulnerabilities, running a PHP frontend directly as root) can have a significant impact on the security of the WebPKI for a large number of certificate holders. Are there any concerns that the reputability of a CA might be impacted if they willingly choose to partner with resellers which have demonstrated such problems?

-- 
Hector Martin "marcan" ([email protected])
Public Key: https://mrcn.st/pub
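The "trivial command injection" and "PHP frontend running as root" combination mentioned in the message above, shown as an added illustration that is not Trustico's code nor anything posted on the list: a hypothetical reseller endpoint that shells out to `openssl` to read a CSR, first in the pattern that makes injection possible, then in a hardened form. The file names, directory and function names are assumptions made for the example.

```php
<?php
// Added example (not Trustico's or the mailing list's code): the command-injection
// pattern the message refers to, beside a hardened version. Hypothetical scenario:
// a reseller front end that runs openssl to print the subject of a user-selected CSR.

// UNSAFE: the user-controlled value is concatenated straight into a shell command
// line. Any shell metacharacters in it change which commands run, and if the PHP
// process itself runs as root (as the tweets describe), so do those commands.
function csr_subject_unsafe(string $path): string
{
    $out = shell_exec("openssl req -noout -subject -in " . $path);
    return is_string($out) ? $out : '';
}

// HARDENED: allow-list the input, confine it to a known directory, and run the
// program without a shell so the argument list cannot be reinterpreted.
function csr_subject_safe(string $name): string
{
    // Only a simple file name is accepted; path separators and metacharacters are
    // rejected before anything touches the filesystem or a process.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.csr$/', $name)) {
        throw new InvalidArgumentException('invalid CSR file name');
    }
    $path = '/var/app/csr/' . $name;   // hypothetical upload directory (assumption)
    if (!is_file($path)) {
        throw new RuntimeException('no such CSR');
    }

    // The array form of proc_open() (PHP >= 7.4) executes openssl directly with an
    // argv list; no shell is involved, so there is nothing for injected text to
    // escape into. escapeshellarg() would be the fallback for string-based APIs.
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['openssl', 'req', '-noout', '-subject', '-in', $path], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start openssl');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return is_string($out) ? $out : '';
}
```

The second half of the problem in the message, the process running as root, is not fixed by either function: whichever form is used, the PHP worker should run as an unprivileged service account whose filesystem access is limited to the CSR directory, so that even a successful injection cannot reach archived key material or persist anywhere else on the host.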

