On Thursday, March 1, 2018 at 12:59:17 PM UTC-5, Matthew Hardeman wrote:
> By this point, one would imagine that reputational risks would prevent any
> CA from working with Trustico.
>
> On Thu, Mar 1, 2018 at 11:56 AM, Hector Martin 'marcan' via
> dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> > On 2018-03-02 00:28, Hanno Böck via dev-security-policy wrote:
> > > Hi,
> > >
> > > On twitter there are currently some people poking Trustico's web
> > > interface and found trivial script injections:
> > > https://twitter.com/svblxyz/status/969220402768736258
> > >
> > > Which seem to run as root:
> > > https://twitter.com/cujanovic/status/969229397508153350
> > >
> > > I haven't tried to reproduce it, but it sounds legit.
> >
> > Unsurprisingly, the entire server is now down. If Trustico are lucky,
> > someone just `rm -rf /`ed the whole thing. If they aren't, they now have
> > a bunch of persistent backdoors in their network.
> >
> > Now the interesting question is whether this vector could've been used
> > to recover any/all archived private keys.
> >
> > As I understand it, Trustico is in the process of terminating their
> > relationship with Digicert and switching to Comodo for issuance. I have
> > a question for Digicert, Comodo, and other CAs: do you do any vetting of
> > resellers for best practices? While clearly most of the security burden
> > rests with the CA, this example shows that resellers with poor security
> > practices (archiving subscriber public keys, e-mailing them to trigger
> > revocation, trivial command injection vulnerabilities, running a PHP
> > frontend directly as root) can have a significant impact on the security
> > of the WebPKI for a large number of certificate holders. Are there any
> > concerns that the reputability of a CA might be impacted if they
> > willingly choose to partner with resellers which have demonstrated such
> > problems?
> >
> > --
> > Hector Martin "marcan" (x...@x.st)
> > Public Key: https://mrcn.st/pub
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy

I posted about this issue in the other thread on Trustico's debacle after seeing the twitter explosion over here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/wxX4Yv0E3Mk/q6P8oE3pAQAJ

Agreeing with Hector, I think that would be reasonable grounds to assume compromise.