By this point, one would imagine that reputational risks would prevent any CA from working with Trustico.
On Thu, Mar 1, 2018 at 11:56 AM, Hector Martin 'marcan' via dev-security-policy <[email protected]> wrote:
> On 2018-03-02 00:28, Hanno Böck via dev-security-policy wrote:
> > Hi,
> >
> > On twitter there are currently some people poking Trustico's web
> > interface and found trivial script injections:
> > https://twitter.com/svblxyz/status/969220402768736258
> >
> > Which seem to run as root:
> > https://twitter.com/cujanovic/status/969229397508153350
> >
> > I haven't tried to reproduce it, but it sounds legit.
>
> Unsurprisingly, the entire server is now down. If Trustico are lucky,
> someone just `rm -rf /`ed the whole thing. If they aren't, they now have
> a bunch of persistent backdoors in their network.
>
> Now the interesting question is whether this vector could've been used
> to recover any/all archived private keys.
>
> As I understand it, Trustico is in the process of terminating their
> relationship with Digicert and switching to Comodo for issuance. I have
> a question for Digicert, Comodo, and other CAs: do you do any vetting of
> resellers for best practices? While clearly most of the security burden
> rests with the CA, this example shows that resellers with poor security
> practices (archiving subscriber public keys, e-mailing them to trigger
> revocation, trivial command injection vulnerabilities, running a PHP
> frontend directly as root) can have a significant impact on the security
> of the WebPKI for a large number of certificate holders. Are there any
> concerns that the reputability of a CA might be impacted if they
> willingly choose to partner with resellers which have demonstrated such
> problems?
>
> --
> Hector Martin "marcan" ([email protected])
> Public Key: https://mrcn.st/pub
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

