23,000 HTTPS Certificates Pulled After CEO Sends Private Keys in an Email
The security of tens of thousands of websites is in question after the CEO of a company that sells HTTPS certificates included the private keys for 23,000 customers in an email—an apparent attempt to force a revocation of the customers’ certificates.
HTTPS certificates form the foundation of the encrypted web. Issued to website operators by trusted certificate authorities, certificates are necessary to form an encrypted connection between your browser and the website you’re visiting—and that encrypted connection protects sensitive data you might share with the website, like a password or credit card details. Each certificate has a public key, which it sends to your browser to initiate an encrypted connection, and a private key, which needs to stay private.
It’s a delicate ecosystem, and private keys are generally only supposed to be accessible to the site owner—which is why it’s absolutely bizarre for the CEO of a company that sells certificates to not only have access to customers’ private keys, but to email them around willy-nilly. It’s as if someone at the DMV somehow got access to 23,000 people’s Social Security numbers and decided to email them to one of their drinking buddies.
The rogue emailer in this case is the CEO of Trustico, a vendor that re-sells certificates issued by two authorities, Comodo and Symantec. The private keys were emailed to Jeremy Rowley, an executive vice president at the certificate authority DigiCert. DigiCert recently acquired Symantec’s certificate business after Symantec was found to be violating industry standards and Chrome announced that it would distrust Symantec’s certificates.
Source | gizmodo