On Thursday, March 1, 2018 at 11:08:58 AM UTC-5, RSTS wrote:
> On Thursday, March 1, 2018 at 1:51:16 PM UTC, Michel Gre wrote:
> > > I'd postulate there's
> > > nothing wrong with Trustico holding the private keys if they were hosting
> > > the site or providing CDN services for all of these sites.
> >
> > I manage one of the affected domains. I can tell that in no way does
> > Trustico host the site, nor provide us any CDN service.
> >
> > We just purchased a certificate from them 4 years ago and renewed it for 3 years
> > in April 2015. Since we are usually quite busy we simply used their form to
> > generate the key, the CSR, and get the certificate... So, Trustico should
> > actually be Dontrustico. The worst is that the CEO himself publicly said
> > (here!) that they HELD OUR PRIVATE KEYS!!! Come on. M. Zane Lucas, your
> > staff sent me (after I asked them for an explanation regarding
> > Digicert's first email) a coupon for a "Trustico(r) Single Site"
> > certificate; would you expect me to trust it after what YOU disclosed here?
> > Looks like you just cut the branch your company was sitting on.
>
> In relevant news, Trustico's site is down due to an apparent flaw, apparently
> allowing users to run commands as root on their production webserver.
>
> My question is, assuming this was discovered previously by an attacker, is
> there a possibility of exploiting that to fetch these cold-storage keys?
>
> https://twitter.com/Manawyrm/status/969230542578348033 in reply to
> https://twitter.com/svblxyz/status/969220402768736258
Given that they were able to readily produce all of these keys, I would suspect
they were never really in cold storage. At least not exclusively.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
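The root cause described in the quoted message is that the reseller's web form generated the key pair, so the reseller held the private key from the first day. The example below is added here and is not part of the thread or of any vendor's tooling: it shows the alternative a site operator would use, generating the private key on their own host with openssl and sending the reseller only the CSR, plus a check that a CSR actually carries the public half of the key you hold. The directory names and the hostname example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Requires the openssl CLI.
# The private key is created and kept locally; only the CSR is sent to the
# reseller/CA, so a vendor breach cannot expose the key.

# Generate an RSA private key and a CSR for $2 inside directory $1.
make_local_key_and_csr() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  # Key never leaves this machine; restrict its permissions immediately.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/server.key" 2>/dev/null
  chmod 600 "$dir/server.key"
  # The CSR contains only the public key and the requested subject.
  openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
    -out "$dir/server.csr" 2>/dev/null
}

# Compare the public key embedded in CSR $2 with the public half of
# private key $1. Prints "match" or "mismatch". Use this before sending a
# CSR (and again on the issued certificate) to be sure the request was
# built from a key you actually control.
csr_matches_key() {
  key_pub=$(openssl pkey -in "$1" -pubout -outform PEM 2>/dev/null)
  csr_pub=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
  if [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Demonstration: build a key + CSR in a temp dir, then show that the CSR
# matches that key and does not match an unrelated key.
main() {
  t=$(mktemp -d)
  make_local_key_and_csr "$t" "example.test"    # constructed hostname
  echo "own key vs CSR:   $(csr_matches_key "$t/server.key" "$t/server.csr")"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$t/other.key" 2>/dev/null
  echo "other key vs CSR: $(csr_matches_key "$t/other.key" "$t/server.csr")"
  rm -rf "$t"
}

if command -v openssl >/dev/null 2>&1; then
  main
fi
```

The `csr_matches_key` check is also what you would run on a CSR produced by someone else's form: if the form handed you a CSR but you never generated a key file yourself, there is nothing on your side to match it against, which is exactly the situation the affected domains were in.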