23,000 Digital Certificate Private Keys Compromised

Summary

23,000 SSL/TLS certificates issued by digital certificate reseller Trustico are being revoked after Trustico emailed the private keys for the certificates unencrypted to certificate authority DigiCert. Trustico recovered the keys from “cold storage,” a term used to describe offline storage. Under CA/Browser Forum Baseline Requirements, resellers are not permitted to archive certificate private keys as only site owners should have access to this information. By storing these private keys, an issuer may be putting that site’s security at risk. Digital certificates are used by websites to create an encrypted connection using public key cryptography, ensuring that browsing traffic cannot be read. If a threat actor is able to obtain a site’s private key for their certificate, they may be able to conduct a Man-in-the-Middle (MitM) attack and intercept the site’s traffic. DigiCert is in the process of revoking the compromised certificates. 

Recommendations

If you receive an invalid certificate notification when browsing to a website, the NJCCIC recommends avoiding inputting sensitive personal or financial information into that site until they have obtained valid certificates in order to safeguard your information.