Not sure what is more shocking:
A CA having 23k private keys of their customers' certs and the CEO emailing them: http://blog.koehntopp.info/index.php/3075-how-not-to-run-a-ca/
A CA having a website which allows RCE as root, from a website input: https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/
I'm just speechless.
@dethos trustico was not a ca
They were a reseller.
They generated the CSRs and private keys for their customers on their web server.
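The custody problem in the post above is that private keys were created and held on someone else's server and then mailed around as plain PEM. An added example, not from this thread or from any party named in it: a small Python (stdlib only) check that classifies the PEM blocks in a payload and refuses to pass it on if any block is private-key material. A CSR or certificate chain is fine to hand to a reseller or CA; anything whose label marks it as a key should never leave the machine that generated it. The PEM bodies below are constructed dummy text, not real keys.

```python
"""Classify PEM blocks so private-key material is caught before it leaves a machine.

Added example (not part of the original thread). Uses only the standard library.
"""
import re
from typing import List, Tuple

# PEM labels that denote private-key material. Constructed list covering the
# common encodings; it is illustrative, not exhaustive.
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",            # PKCS#8, unencrypted
    "ENCRYPTED PRIVATE KEY",  # PKCS#8 with a passphrase: still key material
    "RSA PRIVATE KEY",        # PKCS#1
    "EC PRIVATE KEY",         # SEC1
    "DSA PRIVATE KEY",
    "OPENSSH PRIVATE KEY",
}

# A well-formed block has matching BEGIN/END labels; \1 enforces that, so a
# truncated or mismatched block is simply not counted as a block.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) pairs for every well-formed PEM block in text."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def private_key_labels(text: str) -> List[str]:
    """Labels of the blocks in text that carry private-key material."""
    return [label for label, _ in pem_blocks(text) if label in PRIVATE_KEY_LABELS]


def safe_to_send(text: str) -> bool:
    """True only if the payload contains no private-key blocks.

    CSRs ("CERTIFICATE REQUEST") and certificates ("CERTIFICATE") are what a
    reseller or CA legitimately needs; keys are not.
    """
    return not private_key_labels(text)


# Constructed sample payloads with dummy base64-looking bodies (not real keys).
CSR_ONLY = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIBdummyCSRbodyAAAA\n"
    "-----END CERTIFICATE REQUEST-----\n"
)

LEAKY_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIICdummyCertBodyBBBB\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEdummyKeyBodyCCCC\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, payload in (("csr_only", CSR_ONLY), ("leaky_bundle", LEAKY_BUNDLE)):
        verdict = "ok to send" if safe_to_send(payload) else "BLOCK"
        print(f"{name}: {verdict} {private_key_labels(payload)}")
```

The check is deliberately label-based rather than trying to parse ASN.1: the point is a cheap gate in a submission or mail path, run on the customer side, so that the key that signs the CSR stays where it was generated.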
@gme You are right, my mistake. Nevertheless, in practice they provide the certificates to their customers and are an important part of their customers' security setup. So I still think it was a disaster.
@dethos no doubt
Fuckup of the decade
@dethos These days? Neither. I'd call it par for the course.
@dethos They're the same CA, no?
@samis Yes the same entity