Skip to main content
banner image
venafi logo

How Private Are Your Private Keys: Can You Rely on Your Certificate Authority for Private Key Protection?

How Private Are Your Private Keys: Can You Rely on Your Certificate Authority for Private Key Protection?

fake private keys
August 1, 2017 | Scott Carter

It’s a bit surprising, actually, how easy many organizations make it for cyber criminals to misuse their encryption. Some may even leave private keys out for hackers, like a plate of cookies for Santa.

Recently, security researcher Hanno Böck was able to obtain private keys for at least 90 valid web page certificates. And when private keys find their way onto a web server, they can no longer be considered private. The danger is that once these not-so-private keys are accessed by unauthorized parties, they can be used in a man-in-the-middle attack to read and manipulate data. That is, unless organizations detect the key misuse first.

How aware are you of your machine identities? Find out how you - and others - stack up. 

You would think that organizations would treat private keys with kid gloves. After all, they unlock the encryption that safeguards an organization’s most important information. Yet, it seems that many organizations still haven’t fully realized the implications of a private key breach. And this leads to some pretty sloppy behavior. Böck observed that “Many people are accidentally publishing their private keys. Sometimes they are released as part of applications, in Github repositories or with common filenames on web servers.”

When private keys are compromised, they must be revoked by the issuing certificate authority to minimize potential exposure. Böck points out that according to the CA Browser Forum Baseline Requirements, certificate authorities are required to revoke a compromised key within 24 hours of notification (Section in the current Baseline Requirements 1.4.8). But that may not always happen in within the times prescribed.

A particularly odd case occurred recently with a certificate issued by a leading certificate authority. According to Böck, “They revoked the certificate shortly after it had been reported, but then issued shortly after that a new certificate with the same private key. After we reported this to Comodo we learned that the same problem occurred with a second certificate. In both cases Comodo revoked these new certificates immediately.”

This caused Böck to ponder how thoroughly certificate authorities actually check key compromises. His initial assumption was that “Obviously one would expect that they cryptographically verify that an exposed private key really is the private key belonging to a certificate.” But he wanted to test that premise.

First, he set about to forge a private key, which he would then use to try to trick leading certificate authorities into revoking certificates with a fake private key. Once that was accomplished, he reported the fake key as compromised—hidden among reports for several other legitimate key compromises that he had unearthed.

Here’s what Böck reported:

  • Symantec revoked a certificate based on a forged private key
  • Comodo didn’t fall for it. They answered Bock with a message that there was something wrong with this key.

Fully aware of the implications of this type of error, he was quick to point out that “No harm was done here, because the certificate was only issued for my own test domain. But I could’ve also faked private keys of other peoples' certificates. Very likely Symantec would have revoked them as well, causing downtimes for those sites. I even could’ve easily created a fake key belonging to Symantec’s own certificate.”

Do you know who has access to your private keys? Find out.  

Laudably, Symantec took quick action to immediately uncover and correct faulty processes. They reassured customers that they “take these findings seriously and always appreciate opportunities to improve our CA operations.”

But the cold, hard reality is that this type of process error could happen to any certificate authority. To minimize any potential impact, organizations need to be prepared to manage all keys and certificates centrally and have the capabilities to take quick action if there is a process error that compromises security. After all, it’s the organizations who stand to lose the most from a key compromise, so they need to be prepared to monitor and remediate their own key and certificate security.

Do you have the protection you need to detect private key compromises or misuse?

Learn more about machine identity management. Explore now.

Like this blog? We think you will love this.
what is an ssl certificate
Featured Blog

What is an X.509 Digital Certificate?

SSL/TLS certificates are X.509 certificates with Extended Key Usage: Server Authentication (1.3.6

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Scott Carter
Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more