23,000 HTTPS certificates axed after CEO emails private keys

M6

A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates.

[Continues...]

In Ars Technica, March 1, 2018


10 REM Generation 48K!
20 INPUT "URL:", A$
30 IF A$(1 TO 4) = "HTTP" THEN PRINT "400 Bad Request": GOTO 50
40 PRINT "404 Not Found"
50 PRINT "./M6 @ Portugal a Programar."

Rui Carlos
Quote

[...]

In a statement, Trustico officials said the keys were recovered from "cold storage," a term that typically refers to offline storage systems.

"Trustico allows customers to generate a Certificate Signing Request and Private Key during the ordering process," the statement read. "These Private Keys are stored in cold storage, for the purpose of revocation."

[...]

This part is particularly worrying... First, because there are certificate issuance services that have access to their customers' private keys. And worse, because so many people use that service! It seems to me like far too much incompetence on the part of the system administrators (or whoever it was that managed the certificates).
