The website for Trustico went offline on Thursday morning, about 24 hours after it was revealed the CEO of the UK-based HTTPS certificate reseller emailed 23,000 private keys to a partner.
The website closure came shortly after a website security expert disclosed a critical vulnerability on Twitter that appeared to make it possible for outsiders to run malicious code on Trustico servers. The flaw was in a trustico.com website feature that allowed customers to confirm certificates were properly installed on their sites, and that feature appeared to run as root. By inserting commands into the validation form, attackers could call code of their choice and get it to run on Trustico servers with unfettered “root” privileges, the tweet indicated.
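The pattern the tweet describes, as an added illustration that is not Trustico's code (the actual feature was never published): a certificate-check form that splices the submitted hostname into a shell command line, beside a hardened version that allow-lists the hostname and hands openssl an argument vector with no shell involved. All function names and the regex are assumptions.

```python
import re
import subprocess

# Constructed example of a "check my certificate" web feature. The hostname
# comes straight from an untrusted form field.

# Allow-list for a DNS hostname: dot-separated labels, no shell metacharacters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def build_command_unsafe(host: str) -> str:
    # Vulnerable pattern: untrusted input concatenated into a command string
    # that is later given to a shell (e.g. subprocess.run(cmd, shell=True)).
    # A ';', '&&', backtick or $(...) in `host` becomes a second command,
    # executed with whatever privileges the web worker has (root, per the tweet).
    return f"openssl s_client -connect {host}:443 -servername {host}"


def validate_hostname(host: str) -> str:
    # Reject anything that is not a plain hostname before it reaches a command.
    host = host.strip().lower().rstrip(".")
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return host


def build_command_safe(host: str) -> list[str]:
    # Hardened pattern: validated input, passed as a separate argv element so
    # no shell ever parses it. The worker should also run as an unprivileged
    # user, so a bug here cannot hand out root.
    h = validate_hostname(host)
    return ["openssl", "s_client", "-connect", f"{h}:443", "-servername", h]


def run_check(host: str, timeout: float = 10.0) -> str:
    # Executes the hardened command without a shell and returns openssl's output.
    argv = build_command_safe(host)
    proc = subprocess.run(argv, input=b"", capture_output=True,
                          timeout=timeout, check=False)
    return proc.stdout.decode(errors="replace")
```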
“If this is the case it’s about as bad as it gets,” security researcher Scott Helme told Ars.
Trustico representatives didn’t immediately respond to an email seeking comment for this post.
The website security expert who posted the vulnerability said in a follow-up tweet that the critical flaw had been published earlier. He didn’t say where or when, and he didn’t respond to messages that asked for those details. His Twitter profile identified him as the local chapter leader for the Open Web Application Security Project in Serbia.
Critics wasted no time on Wednesday pouncing on Trustico following word it had been archiving certificate private keys, a practice that generally violates industry-binding Baseline Requirements set by the Certificate Authority Browser Forum. The mass fury was magnified by the fact the keys were available to the company’s CEO, rather than being stored on isolated machines, and that the CEO sent them in an email.
Eric Mill, an expert in public key infrastructure, said he was torn about whether posting the vulnerability to Twitter was justified.
“Just because you’re piling on a company that’s doing irresponsible stuff doesn’t make it OK to do a public disclosure,” he told Ars. At the same time, he noted, some Trustico officials have publicly claimed the mounting criticism against them is defamatory and have used other language to indicate they may take legal action against critics. Those types of behavior often have a chilling effect on more responsible forms of vulnerability disclosure. Ultimately, Mill said, “there are arguments on both sides.”