
e-Tugra vulnerabilities

Updated on 2022-12-01: e-Tugra vulnerabilities

Security researcher Ian Carroll has disclosed a series of misconfigurations in the infrastructure of e-Tugra, a Turkey-based certificate authority. Carroll said the misconfigured infrastructure gave them access to backend systems controlling the CA’s systems and even to massive troves of highly sensitive customer data. Read more: Security concerns with the e-Tugra certificate authority

“In many regards, certificate authorities are audited comprehensively against industry-specific audit standards. Certificate authorities also routinely get hacked. Despite this, not a single certificate authority runs a bug bounty program, and of the major CAs, only GlobalSign and Let’s Encrypt even offer a security.txt to help disclose issues. Only an annual penetration is generally required of CAs.”

Overview: e-Tugra certificate authority exposing internal systems to the internet

Certificate authorities are important. They issue the HTTPS certificates that vouch for the legitimacy of the websites you visit, and they are trusted by the big browsers. But Carroll found that e-Tugra, a Turkey-based certificate authority, had exposed internal administrative tools and systems to the internet, with their default credentials published on the exposed pages themselves. Carroll received no response from the authority after privately disclosing the issue. Read more: Security concerns with the e-Tugra certificate authority
