2. Especially not if it is sent over an unencrypted connection (the site doesn't even use https)
3. Don't. Just don't.
This is either the weakest attempt of the NSA to collect private SSL keys ever, or this company actually has zero knowledge of the product they're selling and shouldn't be trusted with your site's security
Never attribute to malice that which is adequately explained by stupidity.
This just seems like some newbie programmer was like "hey, wouldn't it be cool if"... and built themselves a weekend project that they released on the site.
Obviously it's terrible for a site that sells SSL stuff, but concluding that this is the NSA is pretty hugely premature.
edit: Duh, didn't pick up on the sarcasm. In my defense, the parent text was way more vague at the time. :)
To be fair, I'm pretty sure he had his tongue firmly in his cheek. But point well made. Whenever this point comes up I think of a scene from 'the cube', is it a massive conspiracy or utter incompetence combined with some kind emergent process?
There are thousands of us who see the subtle implications of comments, and roll our collective eyes at the knee-jerk, replies from people who missed it. The proclivity for this type of boring, predictable reply is the main reason I don't post very much. I tend to get the "you are either stupid or a jerk!!" replies myself.
Scary. To be fair, although this kind of tool should not exist at all, the sslshopper tool at least has a warning, enforces https and informs users how to check it properly on the command line. The others, however, do not.
I think he was suggesting that, instead of sending the private key to this web server, the check they're doing could be implemented client-side, thus avoiding the need for the key to transit the wire.
I haven't been able to access the site though, so I may be way off in my understanding of what it does.
Sending it over HTTPS at least narrows down the recipient to.. who it's intended for. And I wasn't suggesting encrypting and then sending it to them, instead perform the check on the client side in a way that no information is ever sent back to their server; using the browser as a platform to run an "app".
I don't condone this at all, but if they're adamant about providing this service they should at least try and make it less damning than it already is.
The tool was made available for customers to legitimately check if the Private Key matched the SSL Certificate that was being installed - a common question and feature request from our customers.
However, upon review of the comments made in the internet community we have made a decision to remove this specific tool and to review all other tools that we make publicly available via our websites.
We also saw a heavy attempt to hack/abuse this tool over the past few hours, perhaps to look for exploits, an action I find absurd for those who make out to be security conscious.
I welcome any further comments on how we can improve our service and do hope that our actions to remove the tool today were prompt and satisfactory.
Zane Lucas
General Manager
Trustico Online Limited
Look, I have absolutely no background in security, but I could tell immediately that this was an absolutely horrible idea.
What were you thinking? That's not a loaded question. I literally have no idea what was going through the mind of anyone at your company when it was decided to build this abomination.
If you repeatedly test another password, the prompt changes. Quite hilarious.
Also, the terms and conditions are fake too.
"If you read all the legalese up to this point (or just got there by random scrolling), you probably have noticed that this document is complete nonsense. [...] First, chapter 10 of Mary Shelley's /Frankenstein/. Second, a copy of some treaty."
It would be really cool if they parsed the issuer from the certificate you provided, and informed your CA that your private key was just compromised if the key matched.
Wow, at first I seriously thought this site was a fake copy of the official Trustico site (they have trustico.ca, trustico.com, etc)... but the form exists on all their sites:
Woah, I couldn't ever envisage ever trusting a "security company" that not only encouraged you to disclose your private key, but also provided a form for doing it over a non encrypted connection!
My personal opinion is don't use these guys; this is either a school boy error/complete incompetence or totally dubious.
I just tested the form with a key+cert pair I created for this sole purpose. It actually performs as advertised - it checks if key and cert belong together.
To clarify the issue: I performed the following steps:
1. created a CA key+cert (selfsigned)
2. created a keypair K
3. signed the public key of K with the CA
4. uploaded the CA-signed cert and the private key of K --> "Your Certificate and Key match"
5. uploaded the CA cert (not the one of K) and the private key of K --> "Certificate an Key do NOT match."
I had these guys @reply me on Twitter when I tweeted about how it's easier to figure out what cipher suite to use compared to figuring out what SSL product I need.
They were helpful but thank god I didn't buy a cert from them: this page is a terrible, terrible idea that erodes their trust completely.
"The page you have tried to access is not responding properly and we can't display it at the moment." - looks like they are embarrassed enough to take it down. Anyone have the original text for me to snigger at? Way-back machine and Google don't seem to have it cached.
1. Never give your private key to anyone
2. Especially not if it is sent over an unencrypted connection (the site doesn't even use https)
3. Don't. Just don't.
This is either the weakest attempt of the NSA to collect private SSL keys ever, or this company actually has zero knowledge of the product they're selling and shouldn't be trusted with your site's security