23,000 HTTPS certificates axed after CEO emails private keys
Found on ArsTechnica on Friday, 02 March 2018
The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec.
A CEO being able to attach the keys for 23,000 certificates to an email raises troubling concerns that those types of best practices weren't followed. (There's no indication the email was encrypted, either, although neither Trustico nor DigiCert provided that detail when responding to questions.)
Why on earth would Trustico have the private keys of the certificates they signed? A private key should never leave the host it was generated on, as it is not required to get a certification request signed: the CA only needs the request, which carries the public key. Handing the private key over undermines the entire security rationale for using such encryption in the first place.
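The flow the last paragraph describes, as an added example that is not from the article: the key pair is generated locally and stays there, only the PKCS#10 certification request leaves the host, and the checks confirm that the request verifies, matches the local key and contains no private-key material. It assumes the `openssl` CLI is installed; the subject name `www.example.test` and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example: generate a key pair and a CSR locally; only the CSR is sent on.
# Assumes the openssl CLI is available on PATH.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate the key pair on the host that will serve TLS. The private key is
# written with mode 0600 and is never transmitted to the reseller or the CA.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/server.key" 2>/dev/null
    chmod 600 "$WORKDIR/server.key"
}

# Build the PKCS#10 certification request. It carries the subject, the public
# key and a self-signature made with the private key (proof of possession).
# That is everything a CA needs in order to issue the certificate.
gen_csr() {
    openssl req -new -key "$WORKDIR/server.key" -subj "/CN=www.example.test" \
        -out "$WORKDIR/server.csr" 2>/dev/null
}

# CA-side check: returns 0 if the CSR's self-signature verifies.
csr_verifies() {
    openssl req -in "$WORKDIR/server.csr" -noout -verify >/dev/null 2>&1
}

# Returns 0 if the file being sent out contains no private-key PEM block.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$WORKDIR/server.csr"
}

# Returns 0 if the public key embedded in the CSR matches the local private key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$WORKDIR/server.csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$WORKDIR/server.key" -pubout 2>/dev/null)
    [ "$csr_pub" = "$key_pub" ]
}

gen_key
gen_csr
```

Only `server.csr` is handed to the reseller or CA; `server.key` remains on the server with restrictive permissions.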