Private keys for more than 23,000 SSL/TLS certificates turned out to have been sent by e-mail, and all of them were revoked


Photo by Suzy Hazelwood

DigiCert, a leading certification authority (CA) for SSL/TLS certificates, announced on February 28, 2018 that it had immediately revoked approximately 23,000 certificates. The reason for the revocation is that the CEO of a certificate reseller had sent the private keys of those certificates by e-mail.

DigiCert Statement on Trustico Certificate Revocation - DigiCert
https://www.digicert.com/blog/digicert-statement-trustico-certificate-revocation/


The Internet has spread into ordinary households, and everyday shopping can now be done online. At the same time, security measures are needed, because credit card numbers used for shopping, personal information, and other data people do not want others to see are exchanged over the Internet.

SSL/TLS is the mechanism for encrypting that communication. Encrypting communication with SSL/TLS prevents the data from being read in transit. However, even if the security of the data channel improves, the question remains whether the website at the other end can itself be trusted. This is why the "SSL/TLS certificate", issued by a trusted "certification authority" after it has verified the site operator (at minimum, that the operator controls the domain name), matters: it binds the site's domain name to the site's public key, and the browser checks the CA's signature on it. A site that presents a valid certificate for its name therefore shows that a trusted CA vouches for that binding; it is the CA's verification, not the encryption itself, that gives this assurance.


To encrypt communication and decrypt it again, data called a "key" is required. In SSL/TLS there are two keys: a "public key", used to encrypt, and a "private key", used to decrypt. Naturally, anyone who knows the private key can decrypt the traffic, so the private key must be held only by the website owner who holds the certificate. The certificate contains the public key and is issued against it; the private key is generated by the site operator and never needs to leave the operator's systems. (Strictly speaking, in TLS the key pair is mainly used to authenticate the server and to establish per-session encryption keys, but the consequence is the same: whoever holds the private key can impersonate the site.)

Symantec, known for security software such as "Norton Internet Security", also issued SSL/TLS certificates as a certification authority. However, in 2017 it became clear that Symantec had issued large numbers of SSL/TLS certificates without performing the audits required by industry standards, and it ended up in a situation in which certificates issued by Symantec would no longer be trusted by Google Chrome. Symantec then sold its PKI (Public Key Infrastructure) business, which handled certificate issuance, to DigiCert.

Photo by Martin McKeay

Then, in February 2018, Trustico, a British SSL/TLS certificate reseller, asked DigiCert to immediately revoke the Symantec, GeoTrust, Thawte and RapidSSL certificates it had sold. Since it was not clear why immediate revocation was required, DigiCert asked Trustico for the reason. Trustico's CEO then revealed that Trustico still held the private keys of the certificates it had sold, and sent the private keys of 23,000 certificates to DigiCert by e-mail.

Photo by Lens Adventurer

Since the private key is supposed to be held only by the certificate's owner, a certification authority or reseller that generates a key pair on a customer's behalf must hand the certificate and key over to the website operator and destroy every copy of the private key at that point. Once the private keys had been sent by e-mail they counted as compromised, and under the industry standard, the CA/Browser Forum Baseline Requirements (which require revocation within 24 hours of learning of a key compromise), DigiCert had to revoke all 23,000 SSL/TLS certificates.
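The workflow implied above, shown as an added example (not code from the article, DigiCert or Trustico): the site operator generates the private key locally, sends only a certificate signing request (CSR), which carries the public key but not the private key, and afterwards checks that the issued certificate matches the key it holds. A throwaway self-signed root stands in for the CA so the script runs offline; the hostname and working directory are constructed for the demo, and the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the article, DigiCert or Trustico): keep the private
# key with the site operator, send only a CSR, and verify the issued
# certificate against the local key. Requires the openssl CLI.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # constructed scratch directory
HOST="www.example.test"               # constructed hostname

# Step 1: the operator generates the private key on its own machine.
# It is never uploaded; only the CSR from Step 2 goes to the CA or reseller.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/server.key" 2>/dev/null
    chmod 600 "$WORKDIR/server.key"
}

# Step 2: build a CSR. It carries the subject and the public key and is
# signed with the private key to prove possession, but does not contain it.
gen_csr() {
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=$HOST" \
        -out "$WORKDIR/server.csr" 2>/dev/null
}

# Returns 0 only if the CSR file contains no private-key block.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORKDIR/server.csr"
}

# Step 3 (stand-in for the CA): a throwaway self-signed root signs the CSR.
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/ca.key" \
        -subj "/CN=Demo Root (constructed)" -days 1 \
        -out "$WORKDIR/ca.crt" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 1 \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Step 4: confirm the issued certificate ($1) matches the private key ($2)
# by comparing the public key embedded in each. Returns 0 on match.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

main() {
    gen_key
    gen_csr
    csr_has_no_private_key && echo "CSR contains only the public key"
    issue_cert
    cert_matches_key "$WORKDIR/server.crt" "$WORKDIR/server.key" \
        && echo "certificate matches the locally generated key"
    # A key generated elsewhere does not match; a reseller-generated key the
    # operator never controlled is exactly the situation to detect.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/other.key" 2>/dev/null
    cert_matches_key "$WORKDIR/server.crt" "$WORKDIR/other.key" \
        || echo "a different key does not match the certificate"
}

main
```

Step 4 is the check worth keeping around: if the certificate you were handed matches a key you did not generate yourself, someone else has a copy, and the correct response is to generate a fresh key, request a replacement certificate, and have the old one revoked.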

DigiCert explains that this immediate mass revocation was caused by Trustico sending the private keys by e-mail, and that it is unrelated to the series of measures Chrome took against Symantec's SSL/TLS certificates. Beyond the certification authority itself, the incident raises questions about the management and trustworthiness of certificate resellers, given how Trustico had been handling its customers' private keys.

Categories: Web Service, Security. Posted by log1i_yk