6

Trustico CEO emailed private key which is used to sign TLS certificates, making more than 23k certificates compromised!

This makes me think, that we should not trust others for our security (like ca), failure of CA can put our website at risk. What is the better way to do it?

https://arstechnica.com/information...

Comments
  • 1
    Trustico is not a fucking CA!
    Digicert did everything that they was obligated to do,
  • 0
    @Linux Digiserve or Symmentic?

    And then why the fuck did they have private key? Or Digiserve is immbeciles?
  • 0
    @yendenikhil
    Digiserve? Symmentic?
  • 0
    @yendenikhil
    Digicert did NOT have the private keys. Trustico had.
  • 1
    @Linux typo, my auto-correct liked to play pranks on me!
  • 0
    @Linux Ok, now from computer.
    Browsers decide to stop trusting Symantec certificates, so Digicert bought their business as CA. Now Trustico sent the PK to Digicert and hence all certificates signed by this key became insecure!
  • 1
    @yendenikhil
    Trustico fucked up, Digicert did what they should do - rewoke the certs.
  • 0
    @Linux yup, trustico is messing up.
  • 2
    This is why you should generate your own CSR and private key (openssl/other GUI tools), and send ONLY the CSR to the CA for signing.
  • 0
    @dxdy agreed, but people (tech and non tech) want convenience over security, also if I remember correctly trustico wanted the private keys for certificate revocation, though why don't they use crl is what I don't understand!
  • 1
    @dxdy
    Yeah trustico is fucking stupid.
Add Comment