DigiCert recently revoked the certificates vouching for 23,000 sites. According to Trustico, which sold these certificates, the aim is to anticipate Google Chrome's coming refusal of them. The reseller sent the private keys of these certificates to the authority to prove their authenticity. The beginning of an important debate.
Data transport on the web is becoming more and more secure as encrypted connections, via the TLS protocol, become the norm. Its symbol: the green padlock and the "HTTPS" in browsers. To provide this security, a site must hold a certificate issued by a certificate authority (CA) that each browser chooses to trust. After repeated failures, for example insufficient checks, an authority loses the browsers' trust, and with it its business.
Trustico, a web-based certificate reseller, is at odds with DigiCert, one of the leading certification authorities on the web. Trustico usually sells its customers certificates issued by DigiCert and its subsidiaries. This month, the company called for the revocation of 50,000 of them.
"We have been in touch with DigiCert several times this week to inform them that we are no longer allowing them to hold our active SSL certificates on their platform," Trustico said in a February 28 statement.
The company justifies this request by Google's pending refusal of Symantec's certificates, a business that DigiCert purchased from Symantec in August. Symantec accumulated bad practices for years, leading Google to progressively reject its older certificates in Chrome. The takeover by DigiCert is therefore supposed to mark a cleanup of the authority.
This is where the case gets complicated: according to DigiCert, these problems are a pretext to cover a blunder by Trustico itself.
23,000 private keys sent by e-mail