Skip to main content
banner image
venafi logo

Microsoft TLS Leak: Are Your Keys Exposed?

Microsoft TLS Leak: Are Your Keys Exposed?

microsoft TLS leak
December 12, 2017 | Eva Hanscom

Last week, Matthias Gliwka, software developer and cyber security researcher, published a Medium article detailing something shocking: Microsoft was leaking TLS private keys in its cloud ERP product.

Gilwka wrote that when he was checking on a business-critical application via RDP, he found a valid TLS certificate hiding in plain sight. “This certificate is shared across all sandbox environments, even those hosted for other Microsoft customers,” wrote Gilwka. “It’s used to encrypt the web traffic between the users of the software and the server. All you need to extract this certificate is access to ANY sandbox environment.”

Gilwka immediately contacted the Microsoft Security Response Center via PGP-encrypted mail detailing the leak. Unfortunately, it took months for the issue to be acknowledged and fixed by Microsoft.

Ultimately, Gilwka’s experience underscores the importance of machine identity protection, especially in the cloud. Even major corporations like Microsoft struggle with securing their private keys and this problem is getting worse since machine identities in the cloud can change rapidly.

“Microsoft shows how hard it is to protect machine identities and illustrates how powerful they are,” said Kevin Bocek, chief security strategist for Venafi. “Like many other businesses, Microsoft has had vulnerabilities with machine identities in the past, including: leaking Xbox Live keys to the Internet and failing to stop an outage from an expired certificate”

Sadly, machine identity protection is not well understood in the industry and this may have played a factor in Microsoft’s slow response to the leak. “From the first notification to the company taking decisive action, it took months for Microsoft to fix this vulnerability,” continued Bocek. “It’s not clear if Microsoft really didn’t understand the vulnerability, didn’t realize the scope of problem, or couldn’t take direct action because they didn’t have the intelligence necessary to track down the problem. However, it was clear is this type of vulnerability existed across business-critical Internet services.”

Ultimately, organizations should learn from Gilwka’s disclosure. “Businesses need to take action to protect themselves from similar leaks,” concluded Bocek. “It’s imperative that organizations use automated controls to protect machine identities like TLS certificates.”

Are you protecting your machine identities?

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

lawyer reading from legal books on a desk, with a scale in the foreground

Do We Trust Governments to Effectively Regulate Privacy? [Ask Security Professionals]

hands reaching out of laptop screen holding ballot box, another person's hand casting a vote
Encryption

Will Encryption Backdoors Hurt Election Infrastructure? Security Professionals Say Yes.

Man standing in front of a cyber-secured world.

What If You Could Guarantee Eliminating Outages in Your Organization?

About the author

Eva Hanscom
Eva Hanscom

Eva is Public Relations Manager at Venafi. She is passionate about educating the global marketplace about infosec and machine-identity issues, and in 2018 grew Venafi's global coverage by 45%.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat