23,000 HTTPS certificates in Trustico-DigiCert spat were revoked due to compromise
Trustico, a reseller of HTTPS certificates, warned that 23,000 of the digital certificates it sold would be revoked within 24 hours. The stated reason is that the private keys of these certificates had been leaked, which creates a security risk: a certificate's private key is supposed to remain confidential, and once it falls into the hands of criminals they can make an illegitimate website look like a legitimate one. If site operators do not retire the leaked certificates, users who visit sites still presenting a Trustico-issued certificate will be met with a denial of service.
Trustico, a UK-based company that sells SSL/TLS certificates used to encrypt website traffic, resells certificates from the Symantec, GeoTrust, Thawte and RapidSSL brands, which are now managed by DigiCert. If you want a RapidSSL-branded certificate, you buy it through Trustico. All of these certificates chain up to the DigiCert root certificate authority, so when a user visits a website presenting one of them the browser shows a green padlock icon to signal a trusted site.
In February of this year, Trustico told DigiCert that the certificates it had sold were compromised and needed to be revoked immediately. On Tuesday, Trustico sent DigiCert an e-mail containing the private keys of the 23,000 certificates it said had to be revoked at once. Under the rules, DigiCert was required to revoke these certificates within 24 hours; however, Trustico gave no further explanation of why the certificates needed to be revoked.
To warn users of the upcoming mass revocation, RapidSSL also sent an e-mail reminder guiding users to download a new certificate:
@digicert can you please explain the email I received from rapidssl/digicert blaming @MrTrustico for the revocation of my certs in 24hrs due to them reporting a compromise of the private keys? Where’s the proof of the report/breach? Why are you emailing me instead of trustico? pic.twitter.com/T6mBf1jbTO
— Mark (@mpag) February 28, 2018
Ultimately, the whole affair stems from a conflict between Trustico and DigiCert that caused a large number of certificates to be revoked. Trustico wants to abandon the Symantec-issued certificates and sell Comodo's certificates in the future, and would like to use this opportunity to migrate its customers to Comodo without revealing its true intentions, so it staged this drama to divert users' attention. Just hours before the notification e-mails went out, Trustico said it would provide certificate replacement free of charge. DigiCert is likewise doing its best to retain customers and is offering free replacement of the Symantec certificates.
Source: bleepingcomputer