This seems legit...

  • To clarify: DO NOT DO THIS.

    1. Never give your private key to anyone

    2. Especially not if it is sent over an unencrypted connection (the site doesn't even use https)

    3. Don't. Just don't.

    This is either the weakest attempt of the NSA to collect private SSL keys ever, or this company actually has zero knowledge of the product they're selling and shouldn't be trusted with your site's security

  • I contacted their support:

    Me: I wanted to know more about your certificate key matcher. Isn't the private key always meant to remain... private?

    Emanuele: Yes, it should. We offer the tool to help verify the correspondence SSL certificate it is lost.

    Me: But it would be sent over HTTP and viewable to anyone along the network.

    Emanuele: The page can also be accessed through HTTPS.

    Me: I think it should be enforced. Also something like this should be done client side. Perhaps using crypto.js

    Emanuele: OK, I will pass your comment to our General manager.

  • Hi,

    The tool was made available for customers to legitimately check if the Private Key matched the SSL Certificate that was being installed - a common question and feature request from our customers.

    However, upon review of the comments made in the internet community we have made a decision to remove this specific tool and to review all other tools that we make publicly available via our websites.

    We also saw a heavy attempt to hack/abuse this tool over the past few hours, perhaps to look for exploits, an action I find absurd for those who make out to be security conscious.

    I welcome any further comments on how we can improve our service and do hope that our actions to remove the tool today were prompt and satisfactory.

    Zane Lucas General Manager Trustico Online Limited

  • BITCOIN ADDRESS MATCHER

    Want to make sure that your bitcoin address works? Just send money to

    1JqjU7zBvbhyrDFjtJG6xAwMm5BUVmtpau

    and if you don't receive an error, you can rest assured that your bitcoin address works!

  • It would be really cool if they parsed the issuer from the certificate you provided, and informed your CA that your private key was just compromised if the key matched.

  • So I tweeted them earlier and just got this response:

    "Hello, the tool will be removed from all our websites within the next 30 minutes. Thanks."

    https://twitter.com/MrTrustico/status/395905251313586176

  • Wow, at first I seriously thought this site was a fake copy of the official Trustico site (they have trustico.ca, trustico.com, etc)... but the form exists on all their sites:

    http://www.trustico.ca/ssltools/match/cert-and-key-pem/check...

  • Woah, I couldn't ever envisage ever trusting a "security company" that not only encouraged you to disclose your private key, but also provided a form for doing it over a non-encrypted connection!

    My personal opinion is don't use these guys; this is either a schoolboy error/complete incompetence or totally dubious.

  • But has a verysign logo. It has to be trustworthy.

  • I just tested the form with a key+cert pair I created for this sole purpose. It actually performs as advertised - it checks if key and cert belong together.
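
As an added example (not from the thread and not Trustico's code), the same key/certificate check the form performed can be done offline with the OpenSSL command line, so the private key never leaves the machine. The function names, the script name `match.sh` and the throwaway test pair are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check locally that a private key matches a certificate.
# Only the two *public* keys are compared; nothing is sent anywhere.

# Public key (PEM) derived from a private key file.
pub_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Public key (PEM) embedded in a certificate, re-encoded the same way.
pub_from_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -pubout 2>/dev/null
}

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
# Parse failures are checked explicitly so two unreadable files never
# compare equal as two empty strings.
key_matches_cert() {
    kpub=$(pub_from_key "$1") || return 2
    cpub=$(pub_from_cert "$2") || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Constructed sample input: throwaway RSA key plus self-signed certificate
# written to "$1.key" and "$1.crt" (the CN is a placeholder).
make_test_pair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1.key" 2>/dev/null &&
    openssl req -x509 -new -key "$1.key" -subj "/CN=example.test" \
        -days 1 -out "$1.crt" 2>/dev/null
}

# Usage: sh match.sh server.key server.crt
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "match"
    else
        echo "no match (or unreadable input)"
    fi
fi
```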

  • Hello,

    that tool will be removed from all our websites within the next 30 minutes.

    Trustico Online Limited

  • I had these guys @reply me on Twitter when I tweeted about how it's easier to figure out what cipher suite to use compared to figuring out what SSL product I need.

    They were helpful but thank god I didn't buy a cert from them: this page is a terrible, terrible idea that erodes their trust completely.

  • And it's been taken down. This is still up though and just as bad:

    http://www.trustico.ch/ssltools/convert/pem-key-to-der/conve...

  • At the very least, I hope a successful submission is rewarded by a redirect to: http://www.youtube.com/watch?v=awK0NrgHUbk

  • This should be a feature on the NSA website.

  • "The page you have tried to access is not responding properly and we can't display it at the moment." - looks like they are embarrassed enough to take it down. Anyone have the original text for me to snigger at? Way-back machine and Google don't seem to have it cached.

  • I was hoping it was at least javascript...

  • What was it?

  • Brilliant.
