So, another week, and what seems like another major blow for web administrators around the globe as over 23,000 HTTPS private keys purchased through Trustico have been reported compromised.

Privacy. Over the last few years, this single word has been a big focus on the modern World Wide Web, with big forces such as Google pushing to make every website run over HTTPS. I’ve even covered the importance of HTTPS in previous articles. As with any form of security, though, you’re only as strong as your weakest link. So what is the weakest link?

In this case, for thousands of customers of Trustico, it would be the very company they trusted to provide their websites’ HTTPS solution.

Whilst details are still emerging of what exactly happened, it is believed that Trustico discovered a vulnerability and requested that DigiCert revoke 50,000 certificates. DigiCert was reluctant to do this without good reason. The CEO of Trustico responded by emailing an executive at DigiCert the 23,000 private keys, which meant every one of those keys now had to be treated as compromised.

But the question is, how did Trustico even have 23,000 keys to send in the first place? It turns out that they provide a service where customers can generate a certificate for their site directly from Trustico’s site. The vendor deals with getting it signed and sends the whole bundle back to the customer. Whilst this is very convenient for the customer, the model relies heavily on trust, because the customer has to rely on the provider securely destroying the key once the bundle has been supplied. It turns out that Trustico was archiving keys in what they called “cold storage”. Trustico’s reputation, already severely tarnished, was made even worse when it was revealed that there were some serious flaws in their website that allowed anyone to execute code directly on their servers.

In reality, no company should have your private keys. It’s right there in the name: a private key. Luckily, they don’t have to, as you can, and should, create your key locally.

What you can do

There are plenty of guides online, such as this one from DigitalOcean, showing how to use OpenSSL to generate a key and a Certificate Signing Request (CSR), and pass the CSR to the certificate vendor to be signed. The CSR carries only your public key and identifying details, so it is the only thing that needs to leave your machine. That way, only you will ever have the private key, and you can sleep easy knowing that both your customers’ data and your reputation are safe.
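The local key-and-CSR workflow described above, as an added shell example (not code from the original post or from any vendor); it assumes `openssl` is installed, and the directory, organisation and domain names are constructed placeholders. Beyond generating the pair, it checks that the CSR is self-consistent, that it matches the private key, and that it contains no key material before you send it off.

```shell
#!/bin/sh
# Generate an RSA private key and a CSR entirely on your own machine.
# $1 = output directory, $2 = domain (common name); both are placeholders.
gen_key_and_csr() {
  dir="$1"; cn="$2"
  mkdir -p "$dir" || return 1
  # The private key is created with owner-only permissions and never leaves here.
  ( umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/$cn.key" 2>/dev/null ) || return 1
  # Request config: subject plus a subjectAltName, which modern browsers require.
  cat > "$dir/$cn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = GB
O = Example Ltd
CN = $cn
[ext]
subjectAltName = DNS:$cn, DNS:www.$cn
EOF
  # The CSR contains only the public key, the subject and the extensions,
  # signed with the private key so the CA can check we hold it.
  openssl req -new -key "$dir/$cn.key" -config "$dir/$cn.cnf" \
    -out "$dir/$cn.csr" 2>/dev/null
}

# Sanity checks to run before handing the CSR to the vendor.
verify_csr() {
  dir="$1"; cn="$2"
  # 1. The CSR's self-signature verifies (it was not corrupted or tampered with).
  openssl req -in "$dir/$cn.csr" -noout -verify >/dev/null 2>&1 || return 1
  # 2. The public key inside the CSR is the one derived from our private key.
  key_pub=$(openssl pkey -in "$dir/$cn.key" -pubout 2>/dev/null) || return 1
  csr_pub=$(openssl req -in "$dir/$cn.csr" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$csr_pub" ] || return 1
  # 3. The requested SAN survived into the CSR.
  openssl req -in "$dir/$cn.csr" -noout -text 2>/dev/null | grep -q "DNS:$cn" || return 1
  # 4. No private key material is present in the file we are about to send.
  ! grep -q "PRIVATE KEY" "$dir/$cn.csr"
}

# Usage: sh keygen.sh example.test   (writes ./out/example.test.key and .csr)
if [ -n "$1" ]; then
  gen_key_and_csr ./out "$1" && verify_csr ./out "$1" && echo "send only out/$1.csr"
fi
```

Send the `.csr` file to the vendor; the `.key` file stays on the server that will terminate HTTPS.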

After doing this a few times, it’ll start becoming second nature, and in my opinion, you should never ever trust a service that offers to generate a key for you.

Cheers