Trustico Update: 19K Compromised Private Keys Still Exposed

March 7, 2018 | Scott Carter

Let’s say you’re a Trustico customer and you learn that your private keys may have just been emailed to a Certificate Authority. Even if you assume that email was encrypted, you should also assume that your certificates are now compromised. So, your top priority would be to locate and replace these private keys and the corresponding certificates, right? Unfortunately, the data indicates that thousands of Trustico customers haven’t taken that action.

Our researchers used Venafi TrustNet, the industry’s first enterprise certificate reputation service, to do a quick forensic analysis on how many Trustico certificates had been revoked in the week since the Trustico CEO emailed 23,000 private keys to DigiCert. They learned that within that timeframe, only around 3,500 of the impacted keys had been revoked. That leaves roughly 19,500 compromised private keys still in need of immediate attention.

In some ways, this sluggish response to a Certificate Authority compromise is not altogether surprising. Some organizations simply don’t realize the enormous security risks connected with an error like this. In less urgent situations, we’ve seen the same procrastination. For example, a year after the deadline to replace deprecated SHA-1 certificates, there are still many in use—even though major browsers began flagging them with security warnings and a collision attack has been proven possible.

But even organizations that realize the full implications of not reacting quickly to compromised or vulnerable keys and certificates may not have the tools they need to do so. Without accurate visibility into their full inventory of keys and certificates, it’s nearly impossible to quickly locate those that need to be revoked and replaced. Nor will they be able to validate that they have found and addressed all exposed keys and certificates.
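The triage described above, as an added example that is neither Venafi's tooling nor code from the original post: a Go program that builds a constructed inventory (a placeholder reseller CA, five certificates issued by it, one from an unrelated CA) and a CRL that so far revokes only two of the five, then reports which in-scope certificates are still unrevoked. All names, hostnames and the fixture helpers (`sign`, `caTemplate`, `leafTemplate`, `buildCRL`) are assumptions; the part worth studying is `TriageInventory`, which decides scope by verifying each certificate's signature against the affected CA rather than trusting its issuer name, and verifies the CRL's own signature before believing its contents.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) in the fixture builders, where an error is a bug in the example itself.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign creates a certificate from tmpl with a freshly generated key; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// caTemplate is a constructed stand-in for an issuing CA; CRLSign is needed so it can sign a CRL later.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// leafTemplate is a constructed server certificate for host (sample data, not a real deployment).
func leafTemplate(serial int64, host string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// buildCRL has ca sign a CRL listing the given serials as revoked.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) *x509.RevocationList {
	var entries []pkix.RevokedCertificate
	for _, s := range serials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: entries}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// TriageInventory returns host -> revoked for every inventory certificate that verifiably chains to ca.
// Scope is decided by checking the signature, not the issuer name (any certificate can claim a name),
// and the CRL's own signature is verified before its contents are trusted.
func TriageInventory(inventory []*x509.Certificate, ca *x509.Certificate, crl *x509.RevocationList) (map[string]bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("CRL is not signed by the expected issuer: %w", err)
	}
	revoked := map[string]bool{}
	for _, rc := range crl.RevokedCertificates {
		revoked[rc.SerialNumber.String()] = true
	}
	status := map[string]bool{}
	for _, c := range inventory {
		if c.CheckSignatureFrom(ca) == nil { // certificates issued elsewhere are out of scope for this incident
			status[c.Subject.CommonName] = revoked[c.SerialNumber.String()]
		}
	}
	return status, nil
}

// RunScenario builds the constructed case: five certificates from the affected CA, one from an unrelated CA,
// and a CRL that so far revokes only two of the five. Entries that are still false need replacing and revoking.
func RunScenario() (map[string]bool, error) {
	affected, affectedKey := sign(caTemplate("Example Reseller CA (placeholder)"), nil, nil)
	other, otherKey := sign(caTemplate("Unrelated CA (placeholder)"), nil, nil)
	var inventory []*x509.Certificate
	for i, h := range []string{"www.example.com", "api.example.com", "mail.example.com", "vpn.example.com", "shop.example.com"} {
		c, _ := sign(leafTemplate(int64(100+i), h), affected, affectedKey)
		inventory = append(inventory, c)
	}
	c, _ := sign(leafTemplate(500, "intranet.example.com"), other, otherKey)
	inventory = append(inventory, c)
	return TriageInventory(inventory, affected, buildCRL(affected, affectedKey, 100, 101))
}

func main() {
	status := must(RunScenario())
	for host, revoked := range status {
		fmt.Printf("%-22s revoked=%v\n", host, revoked)
	}
}
```

In a real response the inventory comes from network scans or the certificate management system and the CRL from the CA's distribution point (or OCSP responses); the two checks in `TriageInventory` are the ones to keep, because scoping by issuer name alone would let a mislabelled or attacker-supplied certificate slip out of the incident's scope, and an unverified CRL could falsely report keys as already handled.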

Hari Nair, director of product management and cryptographic researcher for Venafi, cautions, “This event is just one example of the many reasons why organizations that may have been affected need to perform immediate risk assessment of their key and certificate management program—from issuance to revocation. Any time an organization allows any third party to handle their private keys, they are opening the door to the possibility that really bad things can happen.”

This risk extends beyond Trustico customers to any organization that has outsourced the generation of private keys to a reseller. Dan Goodin, Security Editor at Ars Technica, also weighs in on the importance of securing private keys: “Generally speaking, private keys for TLS certificates should never be archived by resellers, and, even in the rare cases where such storage is permissible, they should be tightly safeguarded. A CEO being able to attach the keys for 23,000 certificates to an email raises troubling concerns that those types of best practices weren't followed.”

Nick Hunter, senior digital trust researcher for Venafi, recommends, “If you are trusting a reseller to generate your certificate signing requests (CSRs) and then trusting them with your private keys, you need to rethink your strategy. Enterprises should always have total control of their private keys, as they secure data and communications, and your customers trust you to protect those keys at all costs.”

If you are concerned about maintaining acceptable levels of risk, you should start by bringing key generation in house and centralizing your key management. Hunter concludes, “The best way to maintain consistent control of your private keys is through protected, automated, centralized key management.”

Do you know who has access to your private keys?

About the author

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.