HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed

The websites for HTTPS certificate reseller Trustico, and one of its partners, SSL Direct, took a dive on Thursday – after a critical and trivial-to-exploit security flaw in Trustico.com was revealed on Twitter. The vulnerability could be leveraged by miscreants to execute arbitrary commands on the website's host server. A …

  1. Tom Paine

    Beautiful

    I love it when idiots and charlatans get caught out. Sympathies to customers who got stitched up by these clowns. We're living in the equivalent of the early 30s for air travel. They've made stuff "work" for values of work limited to "it took off, flew around for a while and landed", and then next thing you know it's in production carrying 25 passengers to Paris as a scheduled service five times daily. They mostly don't crash, usually...

    1. Kabukiwookie

      Re: Beautiful

      If you think that hiring a professional is expensive, wait until you hire an amateur.

    2. Anonymous Coward

      > They mostly don't crash, usually...

      So perhaps we should start pricing these Security Offerings like Credit Default Swaps - factoring in the probability that they deliver and get to their intended destination ?

  2. Anonymous Coward

    "A lack of input sanitization allowed carefully crafted commands, submitted as a URL in a web form, to be run on the underlying Linux-powered system, as root no less, "

    Whoever is responsible for that website needs to be fired and never allowed to use a computer again.

    This is the oldest attack in the book. It has been around more or less since websites were invented.

    Incompetance and malpractice doesn't even begin to describe it.

    1. nagyeger

      the oldest bad practice in the book.

      I *have seen*, in a book my son was lent by his school teacher, about a year ago, exactly this sort of code. Take variable from $_GET, build string by concatenation, pass to SQL. No input checking at all.

      Someone - big name publisher - made money selling that book. Someone wants to make money selling the revised version, which I'd hope talks in detail about sanity checking and prepared statements.

      Someone ought to be offering a permanent recall on the early version of the book and free-replacement including shipping to anyone with a copy, because it was plainly never fit for sale. Instead, copies are still being lent to school kids by teachers because the school budget can't afford to restock the library.

      Ob disclaimer: I have no connection with anyone in the above certificate fiasco. And I expect that no one bothered fixing it because that would take time. WHY do CAs who ask for your private keys still get any custom?

      1. Brandfire

        Re: the oldest bad practice in the book.

        I've met a load of developers this year that are working on various venture capital funded [financial / personal / sensitive / insert GDPR nightmare here] data processing apps - none are developers but "people with development experience who bring other skills to the table".

        They are often busy enough trying to learn whichever RAD framework happens to be [used by Facebook / used by Snapchat / the most fashionable / used by the venture capitalist's 15 year old son].

        I have yet to meet a developer this year who has even heard of OWASP.

      2. Anonymous Coward

        Re: the oldest bad practice in the book.

        > WHY do CAs who ask for your private keys still get any custom?

        Which CAs ask for your private keys, if I may ask?

        If you are referring to asking for someone else's private keys as proof of compromise, as opposed to merely asking for proof of possession of someone else's private keys, that is a different story and something that is currently under discussion.

        1. Michael Wojcik Silver badge

          Re: the oldest bad practice in the book.

          > Which CAs ask for your private keys, if I may ask?

          A number of CAs provide, or used to provide, "one step" certificate generation, where they generate a key pair and a DV or personal certificate[1] and send them both to the user. It's to save people the effort of learning what a CSR is, because why go to the trouble of understanding even the basic concepts of the security mechanism you're trying to use?

          DigiCert appears to require a CSR even for DV certificates, which is good.

          Since 2012 it's a violation of the CABF Baseline Requirements for the CA to archive the subscriber's private key (so Trustico was in violation of the CABF BR; that's just an industry agreement, but the violation may doom their business). But CAs are still allowed to generate the key pair:

          Parties other than the Subscriber SHALL NOT archive the Subscriber Private Key.

          If the CA or any of its designated RAs generated the Private Key on behalf of the Subscriber, then the CA SHALL encrypt the Private Key for transport to the Subscriber.

          (Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.0, 10.2.4)

          [1] The EV certificate rules don't allow this, fortunately. It's one of those odd cases where the EV rules actually do something significant to improve security.
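The alternative Wojcik is pointing at, generating the key pair yourself and sending the CA only a CSR, is shown below as an added example (not code from the thread or from any CA's tooling). It assumes the openssl command-line tool is installed; the directory and the common name are placeholders supplied by the caller. The checks after generation confirm that the CSR proves possession of the key without containing it, which is exactly the property the one-step services give up.

```shell
#!/bin/sh
# Added example, not from the thread: the CSR route that keeps the private key
# off the CA's and reseller's systems. Assumes the openssl CLI is installed;
# the directory and common name are placeholders chosen by the caller.

make_csr() {
    dir="$1"   # directory to write server.key and server.csr into
    cn="$2"    # subject common name, e.g. the placeholder www.example.test

    # Generate the key pair and CSR locally. umask 077 runs in a subshell so
    # the key file is created owner-readable only without changing the
    # caller's umask.
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.csr" \
            -subj "/CN=$cn" >/dev/null 2>&1
    ) || return 1

    # Check 1: the CSR's self-signature verifies, i.e. it proves possession
    # of the private key without carrying it.
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || return 1

    # Check 2: the public key embedded in the CSR is the one that belongs to
    # our private key (both printed as PEM SubjectPublicKeyInfo).
    pub_from_csr=$(openssl req -in "$dir/server.csr" -noout -pubkey 2>/dev/null)
    pub_from_key=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    [ -n "$pub_from_csr" ] && [ "$pub_from_csr" = "$pub_from_key" ] || return 1

    # Check 3: the file that will leave the machine contains no key material.
    grep -q "PRIVATE KEY" "$dir/server.csr" && return 1

    # Check 4: the key file is readable by neither group nor others.
    [ -z "$(find "$dir/server.key" \( -perm -040 -o -perm -004 \))" ] || return 1
    return 0
}

# Usage, guarded so that sourcing this file only defines the function:
if [ "${CSR_DEMO:-0}" = "1" ]; then
    out=$(mktemp -d)
    make_csr "$out" "www.example.test" && echo "send only $out/server.csr to the CA"
fi
```

Run it with `CSR_DEMO=1 sh make_csr.sh`; the CA gets server.csr and nothing else, which is what the Baseline Requirements clause quoted above assumes is the normal case.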

      3. Michael Wojcik Silver badge

        Re: the oldest bad practice in the book.

        > I have seen, in a book my son was lent by his school teacher, about a year ago, exactly this sort of code. Take variable from $_GET, build string by concatenation, pass to SQL. No input checking at all.

        Yes. I have just such a textbook sitting on the shelf in my office at my other house. (If I had it here I'd provide the full citation.) It's a text on creating "database-driven websites with PHP".

        The textbook I have does recommend enabling PHP's auto-quoting support, but that's a meagre mitigation and far inferior to using prepared statements and/or stored procedures.

        For that matter, mixing the presentation logic and data access in the same inline PHP rubbish, rather than 1) having a proper data access layer, and 2) at least using slightly less awful, well-partitioned, OO PHP in place of the ad hoc interpolated procedural code would be much better than scattering calls to the MySQL provider throughout the backend code.
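The pattern nagyeger describes, the auto-quoting mitigation Wojcik calls meagre, and the prepared-statement fix he recommends, side by side as an added example (not code from the thread or from the textbook under discussion). It uses Python's built-in sqlite3 against an in-memory table of constructed rows rather than PHP and MySQL, since the defect and the fix look the same in any language; the table, column names and sample users are assumptions. The numeric-id lookup shows why quote-escaping is not enough: an unquoted context has no quote to escape.

```python
"""Added example, not from the thread: untrusted value -> string
concatenation -> SQL, beside a quote-escaping 'fix' and a parameterised query.
The users table and its three rows are constructed sample data."""
import sqlite3


def make_db():
    # In-memory table standing in for the textbook's MySQL database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def lookup_concat(conn, username):
    # The textbook pattern: the request value is pasted into the statement,
    # so whatever it contains is parsed as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_prepared(conn, username):
    # Prepared statement: the value is bound to the placeholder after the
    # statement is parsed, so it can only ever be compared as data.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


def escape_quotes(value):
    # SQL-standard quote doubling, the analogue of PHP's old auto-quoting
    # (which backslash-escaped for MySQL). It only helps inside a quoted literal.
    return value.replace("'", "''")


def lookup_by_id_escaped(conn, id_text):
    # Escaping applied to a value used in an unquoted numeric context: there is
    # no quote to escape, so the escaping changes nothing.
    sql = "SELECT username FROM users WHERE id = " + escape_quotes(id_text)
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_by_id_prepared(conn, id_text):
    # Sanity check on the input's shape, then a bound parameter.
    if not id_text.isdigit():
        raise ValueError("id must be a decimal integer")
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(id_text),)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print("concat, normal input:   ", lookup_concat(db, "alice"))
    print("concat, crafted input:  ", lookup_concat(db, "' OR '1'='1"))
    print("prepared, crafted input:", lookup_prepared(db, "' OR '1'='1"))
    print("escaped numeric id:     ", lookup_by_id_escaped(db, "1 OR 1=1"))
    print("prepared numeric id:    ", lookup_by_id_prepared(db, "2"))
```

The concatenated query also falls over on perfectly benign input such as a username containing an apostrophe, which is a useful argument when "nobody would type that" comes up in review; the prepared version returns an empty result for the crafted input and the right row for the real one.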

    2. GnuTzu

      Running as Root!!!

      A resume generating event...

    3. Anonymous Coward

      > Whoever is responsible for that website needs to be fired and never allowed to use a computer again.

      Looking at the size of the reseller company, I would be surprised if the "developer" (loosely speaking) of that website isn't the managing director himself. This is probably a one or two man shop.

    4. Anonymous Coward

      > Incompetance and malpractice doesn't even begin to describe it.

      Ok, let me try to help: what about incompetence and malpractice?

      1. Wzrd1 Silver badge

        "Ok, let me try to help: what about incompetence and malpractice?"

        No, I'll help.

        A purer example of a fundamental lack of due care and due diligence has never been presented to a court of law until this occurred.

        Do expect to see this company in receivership in the near future.

  3. Velv
    Trollface

    "Trustico stopped selling Symantec-branded certificates in mid-February, and will in future resell Comodo's HTTPS certs"

    Trustico stopped selling certificates in March

    FIFY

    1. Anonymous Coward

      > Trustico stopped selling certificates in March

      Looks like. See post by Eric Mill here¹: https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/wxX4Yv0E3Mk

      I do note btw that the reseller is a company with all of £300 of capital. That and their accounts should give an idea of their means and from there, their capacity to run complex security infrastructure.

      ¹ There is no way to link to a specific post, not even after opening my browser's developer tools and trying to find an anchor. Fucking Google crap.

  4. shedied

    There was this one message

    All your base are belong to us

  5. Trollslayer
    Flame

    The CEO

    can't pass the buck this time.

  6. EJ

    "We have come up with a solution that's really, really I think very good. Now, I have to tell you, it's an unbelievably complex subject. Nobody knew digital certificates and input validation could be so complicated."

    - Donald J Trustico

  7. Anonymous Coward

    Die private Schlüssel?

    What were they doing in the hands of the reseller in the first place? Why did anyone other than the certificate owner have a copy? Doesn't look like they were very private, were they?

    1. Michael Wojcik Silver badge

      Re: Die private Schlüssel?

      > What were they doing in the hands of the reseller in the first place?

      See my reply above. The CABF lets CAs (or resellers) generate key pairs for (clueless) certificate owners. The CA / reseller is not supposed to keep the private key, however.

      1. Anonymous Coward

        Re: Die private Schlüssel?

        "See my reply above. The CABF lets CAs (or resellers) generate key pairs for (clueless) certificate owners. The CA / reseller is not supposed to keep the private key, however."

        I know of a certain national defence concern who does indeed retain the private keys. That habituation was pivotal in certain data exfiltration cases and resulted in convictions.

        That said, that is a rather niche enterprise, with unique requirements.

  8. Anonymous Coward

    You've got to love the idiots on that twitter post

    quoted on ElReg: https://twitter.com/cujanovic/status/969229397508153350

    I mean the ones slagging off the Serbian bloke for digging into this. They seem to run some sort of "security" consultancy too. One single sentence that I expect anyone who did one or two semesters of law will be familiar with: "state of necessity".

    You would think that someone running a "security" business would have some form of grounding on basic legal principles?

    Scary the sort of charlatans you can find out there, and end up throwing money to if you don't know any better.

  9. Anonymous Coward

    Není to hezké?

    The article *does* say trivial, but you're not going to believe this: https://twitter.com/svblxyz/status/969220402768736258

    Jesus fucking Χριστός!

    1. Wzrd1 Silver badge

      Re: Není to hezké?

      "The article *does* say trivial, but..."

      Everything is trivial to the incompetent.
