
This seems legit... - darkbot
http://www.trustico.ch/ssltools/match/cert-and-key-pem/check-if-certificate-and-key-match.php
======
chmod775
To clarify: DO NOT DO THIS.

1. Never give your private key to anyone

2. Especially not if it is sent over an unencrypted connection (the site
doesn't even use https)

3. Don't. Just don't.

This is either the weakest attempt by the NSA to collect private SSL keys
ever, or this company actually has zero knowledge of the product they're
selling and shouldn't be trusted with your site's security.

~~~
namuol
I love how suddenly the NSA is the only entity out there who has an interest
in private keys.

~~~
nraynaud
At least we know that it is the most interested, funded and staffed to do
it.

~~~
ZirconCode
No, they're just the only ones dumb enough to get caught ;)

------
icebraining
Apparently the feature is widespread:

[https://www.sslshopper.com/certificate-key-matcher.html](https://www.sslshopper.com/certificate-key-matcher.html)

[http://www.ssltools.com/cert_key_match](http://www.ssltools.com/cert_key_match)

[https://certificatesssl.com/ssl-tools/match-ssl-details.html](https://certificatesssl.com/ssl-tools/match-ssl-details.html)

[http://www.mobilefish.com/services/privatekey_match_certific...](http://www.mobilefish.com/services/privatekey_match_certificate/privatekey_match_certificate.php)

[http://sslchecker.com/matcher](http://sslchecker.com/matcher)

~~~
mgbmtl
Scary. To be fair, although this kind of tool should not exist at all, the
sslshopper tool at least has a warning, enforces https and informs users how
to check it properly on the command line. The others, however, do not.

------
jawr
I contacted their support:

Me: I wanted to know more about your certificate key matcher; isn't the private
key always meant to remain... private?

Emanuele: Yes, it should. We offer the tool to help verify the correspondence
SSL certificate it is lost.

Me: But it would be sent over HTTP and viewable to anyone along the network.

Emanuele: The page can also be accessed through HTTPS.

Me: I think it should be enforced. Also something like this should be done
client side. Perhaps using crypto.js

Emanuele: OK, I will pass your comment to our General manager.

~~~
ctz
So leaking my private key to somebody is OK if I do so over HTTPS, and even
better if I encrypt it with a javascript crypto library beforehand?

I don't think you've thought this through.

~~~
redblacktree
I think he was suggesting that, instead of sending the private key to this web
server, the check they're doing could be implemented client-side, thus
avoiding the need for the key to transit the wire.

I haven't been able to access the site though, so I may be way off in my
understanding of what it does.

------
trustico
Hi,

The tool was made available for customers to legitimately check if the Private
Key matched the SSL Certificate that was being installed - a common question
and feature request from our customers.

However, upon review of the comments made in the internet community we have
made a decision to remove this specific tool and to review all other tools
that we make publicly available via our websites.

We also saw a heavy attempt to hack/abuse this tool over the past few hours,
perhaps to look for exploits, an action I find absurd for those who make out
to be security conscious.

I welcome any further comments on how we can improve our service and do hope
that our actions to remove the tool today were prompt and satisfactory.

Zane Lucas, General Manager, Trustico Online Limited

~~~
pliny
Since you are a site that sells SSL certificates, it would be appropriate for
you to enforce HTTPS when communicating with your website.

------
terhechte
BITCOIN ADDRESS MATCHER

Want to make sure that your bitcoin address works? Just send money to

1JqjU7zBvbhyrDFjtJG6xAwMm5BUVmtpau

and if you don't receive an error, you can rest assured that your bitcoin
address works!

~~~
chrisbridgett
[https://blockchain.info/address/1JqjU7zBvbhyrDFjtJG6xAwMm5BU...](https://blockchain.info/address/1JqjU7zBvbhyrDFjtJG6xAwMm5BUVmtpau)

Watching with interest... xD

~~~
terhechte
Empty as expected :) Edit: Nevermind, somebody sent a cent. Your address
works! ;)

------
a3_nm
Related: [http://www.inutile.ens.fr/estatis/password-security-checker/](http://www.inutile.ens.fr/estatis/password-security-checker/)

~~~
icebraining
I love the "Test another password?" prompt. I wonder how many people actually
use it.

~~~
NotOscarWilde
c. You agree to pay $ 100,000 for your use of the Estatis Free Password
Security Checker if we ever ask for it.

~~~
hellerbarde
I was assuming you were joking. but no, it's in there, point 6.c)

... Wat?

EDIT: I am a dumbass, the terms and conditions are clearly facetious. Read
them, they are hilarious in parts.

------
ctz
It would be really cool if they parsed the issuer from the certificate you
provided, and informed your CA that your private key was just compromised if
the key matched.

------
cornet
So I tweeted them earlier and just got this response:

"Hello, the tool will be removed from all our websites within the next 30
minutes. Thanks."

[https://twitter.com/MrTrustico/status/395905251313586176](https://twitter.com/MrTrustico/status/395905251313586176)

~~~
cornet
Update: and it's gone

~~~
theseoafs
What was it?

------
mgbmtl
Wow, at first I seriously thought this site was a fake copy of the official
Trustico site (they have trustico.ca, trustico.com, etc)... but the form
exists on all their sites:

[http://www.trustico.ca/ssltools/match/cert-and-key-pem/check...](http://www.trustico.ca/ssltools/match/cert-and-key-pem/check-if-certificate-and-key-match.php)

------
tankenmate
Woah, I couldn't ever envisage trusting a "security company" that not
only encouraged you to disclose your private key, but also provided a form for
doing it over a non-encrypted connection!

My personal opinion is don't use these guys; this is either a school boy
error/complete incompetence or totally dubious.

------
fosap
But it has a VeriSign logo. It has to be trustworthy.

------
ge0rg
I just tested the form with a key+cert pair I created for this sole purpose.
It actually performs as advertised - it checks if key and cert belong
together.

~~~
robzyb
You have not provided any proof that it actually performs as advertised.

Maybe it just says that for any and all inputs??

~~~
ge0rg
To clarify the issue: I performed the following steps:

1. created a CA key+cert (selfsigned)

2. created a keypair K

3. signed the public key of K with the CA

4. uploaded the CA-signed cert and the private key of K --> "Your Certificate and Key match"

5. uploaded the CA cert (not the one of K) and the private key of K --> "Certificate and Key do NOT match."

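The check that mgbmtl says sslshopper at least points people to, and that ge0rg just reproduced against the web form, is a one-liner with the openssl CLI and never needs the private key to leave the machine. The script below is an added example, not code from the thread or from Trustico: `cert_key_match` derives the public key from the private key locally and compares it with the public key embedded in the certificate, and `demo` rebuilds ge0rg's throwaway CA / keypair K experiment in a temp directory (plus an EC keypair, to show the comparison is not an RSA-modulus trick). Only the `openssl` binary (1.1.1 or 3.x) is assumed; all file names and subjects are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Trustico: the local,
# offline check that a "key matcher" web form claims to do for you.
# Only the openssl CLI is assumed (1.1.1 or 3.x); no network, no uploads.
set -eu

# Print "match" if the public key in CERT ($1) is the one belonging to
# KEY ($2), "mismatch" otherwise. The public key is derived from the
# private key locally, so the private key never goes anywhere. Comparing
# the whole SubjectPublicKeyInfo (instead of the RSA modulus, as the
# classic "openssl rsa -modulus | md5sum" recipe does) makes the same
# check work for EC keys too.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Reproduce ge0rg's experiment with throwaway material, then clean up.
# Prints the three results separated by spaces: "match mismatch match".
demo() {
    tmp=$(mktemp -d)
    # 1. self-signed CA key + cert (throwaway, 1 day)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Throwaway CA" -days 1 \
        -keyout "$tmp/ca.key" -out "$tmp/ca.crt" 2>/dev/null
    # 2. keypair K, plus an EC keypair to show the check is not RSA-specific
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/k.key" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/ec.key"
    # 3. sign each public key with the CA (CSR -> certificate)
    for n in k ec; do
        openssl req -new -key "$tmp/$n.key" -subj "/CN=$n.example.test" \
            -out "$tmp/$n.csr"
        openssl x509 -req -in "$tmp/$n.csr" -CA "$tmp/ca.crt" -CAkey "$tmp/ca.key" \
            -CAcreateserial -days 1 -out "$tmp/$n.crt" 2>/dev/null
    done
    # 4. K's certificate against K's private key      -> match
    r1=$(cert_key_match "$tmp/k.crt" "$tmp/k.key")
    # 5. the CA's certificate against K's private key -> mismatch
    r2=$(cert_key_match "$tmp/ca.crt" "$tmp/k.key")
    #    the EC certificate against the EC private key -> match
    r3=$(cert_key_match "$tmp/ec.crt" "$tmp/ec.key")
    rm -rf "$tmp"
    echo "$r1 $r2 $r3"
}

# Usage: sh ./cert_key_match.sh demo      (run the experiment)
#        . ./cert_key_match.sh; cert_key_match site.crt site.key
if [ "${1:-}" = "demo" ]; then demo; fi
```

For a real deployment you would call `cert_key_match /etc/ssl/certs/site.crt /etc/ssl/private/site.key` on the box that holds the key. The PEM-to-DER "converter" form on the same site is the same class of mistake; `openssl pkey -in site.key -outform DER -out site.der` does that locally as well.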
------
trustico
Hello,

that tool will be removed from all our websites within the next 30 minutes.

Trustico Online Limited

~~~
jcromartie
Congratulations. Your customer base today = (customer base yesterday) -
(hacker news readership).

------
elithrar
I had these guys @reply me on Twitter when I tweeted about how it's easier to
figure out what cipher suite to use compared to figuring out what SSL product
I need.

They were helpful but thank god I didn't buy a cert from them: this page is a
terrible, terrible idea that erodes their trust completely.

------
hellerbarde
And it's been taken down. This is still up though and just as bad:

[http://www.trustico.ch/ssltools/convert/pem-key-to-der/conve...](http://www.trustico.ch/ssltools/convert/pem-key-to-der/convert-pem-private-key-to-der.php)

------
danso
At the very least, I hope a successful submission is rewarded by a redirect
to:
[http://www.youtube.com/watch?v=awK0NrgHUbk](http://www.youtube.com/watch?v=awK0NrgHUbk)

------
racbart
This should be a feature on the NSA website.

------
dspillett
"The page you have tried to access is not responding properly and we can't
display it at the moment." \- looks like they are embarrassed enough to take
it down. Anyone have the original text for me to snigger at? Way-back machine
and Google don't seem to have it cached.

------
scottydelta
haha, it's hilarious, reminded me of this
[http://d24w6bsrhbeh9d.cloudfront.net/photo/350850_700b_v1.jp...](http://d24w6bsrhbeh9d.cloudfront.net/photo/350850_700b_v1.jpg)

~~~
fishbacon
This is of course an old joke from bash.[1]

[1][http://www.bash.org/?244321](http://www.bash.org/?244321)

~~~
scottydelta
yes it is, actually this one is better ;)

------
codfrantic
I was hoping it was at least javascript...

------
Kiro
What was it?

------
jawr
Brilliant.

