Can an HTTPS server accidentally leak its private key?
up vote
1
down vote
favorite
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate? Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?
tls certificates cryptography webserver
add a comment |
up vote
1
down vote
favorite
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate? Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?
tls certificates cryptography webserver
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate? Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?
tls certificates cryptography webserver
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate? Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?
tls certificates cryptography webserver
tls certificates cryptography webserver
asked 4 hours ago
John Blatz
434413
434413
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
up vote
4
down vote
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?
Yes - the Heartbleed bug involved memory leaks out of the HTTP server such that:
We attacked ourselves from outside, without leaving a trace. Without
using any privileged information or credentials we were able steal
from ourselves the secret keys used for our X.509 certificates, ...
Aside from bugs like that,
Is it even technically possible for a bad website admin to
misconfigure a site to send the private key as part of the certificate
chain?
Sure. If you specify the wrong file in, for example, SSLCertificateChainFile
then Boom! There goes the private key.
Doing so is not recommended.
1
I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
– safesploit
3 hours ago
If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.
can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
– Lie Ryan
3 hours ago
add a comment |
up vote
1
down vote
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?
Strictly speaking, a private key should have permissions dr--------
, with root:root
. So, only the root user can read the certificate. If this is misconfigured and the web server has access to the private key, then in some circumstances such as the web server is compromised. Then here we could see the private key being 'leaked', unwittingly by the web server. This, of course, applies to any program which has read access to the private key though.
Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?
By the configuration, I did with Apache 2, no! So, one of my web server configurations involves:
SSLCertificateFile /etc/apache2/ssl/safesploit.com.cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/safesploit.com.key.pem
SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem
So, while I understand your concern regarding a 'bad admin' placing the private key within the fullchain, it simply is not possible within Apache 2 vanilla, unless Apache was modified to accept this type of configuration.
For context:
- Public keys -r--r--r-- root root
- Private keys -r-------- root root
add a comment |
up vote
1
down vote
Yes, via either misconfiguration or as-yet unknown misconfigurations. I won't repeat the content of @gowenfawr 's answer, but TLS 1.3 intends to mitigate this via removing support for ciphers and potentially insecure configurations (https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/).
There is also the SSL v2 vulnerability known as DROWN (https://drownattack.com/) where previously SSL v2 was known to be insecure but many installations left it enabled for compatibility reasons.
While not ideal, this led to the possibility of extracting the key from a server that used the same keys or certificate but happened to be running SSL v2, even (potentially) exposing the contents of TLS 1.2 services using the same certificate.
DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.
edit;
I realised I didn't answer your question. Yes you can serve up your private key on a misconfigured web server, or as part of the chain
New contributor
add a comment |
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
4
down vote
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?
Yes - the Heartbleed bug involved memory leaks out of the HTTP server such that:
We attacked ourselves from outside, without leaving a trace. Without
using any privileged information or credentials we were able steal
from ourselves the secret keys used for our X.509 certificates, ...
Aside from bugs like that,
Is it even technically possible for a bad website admin to
misconfigure a site to send the private key as part of the certificate
chain?
Sure. If you specify the wrong file in, for example, SSLCertificateChainFile
then Boom! There goes the private key.
Doing so is not recommended.
1
I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
– safesploit
3 hours ago
If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.
can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
– Lie Ryan
3 hours ago
add a comment |
up vote
4
down vote
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?
Yes - the Heartbleed bug involved memory leaks out of the HTTP server such that:
We attacked ourselves from outside, without leaving a trace. Without
using any privileged information or credentials we were able steal
from ourselves the secret keys used for our X.509 certificates, ...
Aside from bugs like that,
Is it even technically possible for a bad website admin to
misconfigure a site to send the private key as part of the certificate
chain?
Sure. If you specify the wrong file in, for example, SSLCertificateChainFile
then Boom! There goes the private key.
Doing so is not recommended.
1
I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
– safesploit
3 hours ago
If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.
can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
– Lie Ryan
3 hours ago
add a comment |
up vote
4
down vote
up vote
4
down vote
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?
Yes - the Heartbleed bug involved memory leaks out of the HTTP server such that:
We attacked ourselves from outside, without leaving a trace. Without
using any privileged information or credentials we were able steal
from ourselves the secret keys used for our X.509 certificates, ...
Aside from bugs like that,
Is it even technically possible for a bad website admin to
misconfigure a site to send the private key as part of the certificate
chain?
Sure. If you specify the wrong file in, for example, SSLCertificateChainFile
then Boom! There goes the private key.
Doing so is not recommended.
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?
Yes - the Heartbleed bug involved memory leaks out of the HTTP server such that:
We attacked ourselves from outside, without leaving a trace. Without
using any privileged information or credentials we were able steal
from ourselves the secret keys used for our X.509 certificates, ...
Aside from bugs like that,
Is it even technically possible for a bad website admin to
misconfigure a site to send the private key as part of the certificate
chain?
Sure. If you specify the wrong file in, for example, SSLCertificateChainFile
then Boom! There goes the private key.
Doing so is not recommended.
answered 3 hours ago
gowenfawr
51.2k11108155
51.2k11108155
1
I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
– safesploit
3 hours ago
If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.
can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
– Lie Ryan
3 hours ago
add a comment |
1
I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
– safesploit
3 hours ago
If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.
can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
– Lie Ryan
3 hours ago
1
1
I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
– safesploit
3 hours ago
I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
– safesploit
3 hours ago
If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.
can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.– Lie Ryan
3 hours ago
If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.
can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.– Lie Ryan
3 hours ago
add a comment |
up vote
1
down vote
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?
Strictly speaking, a private key should have permissions dr--------
, with root:root
. So, only the root user can read the certificate. If this is misconfigured and the web server has access to the private key, then in some circumstances such as the web server is compromised. Then here we could see the private key being 'leaked', unwittingly by the web server. This, of course, applies to any program which has read access to the private key though.
Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?
By the configuration, I did with Apache 2, no! So, one of my web server configurations involves:
SSLCertificateFile /etc/apache2/ssl/safesploit.com.cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/safesploit.com.key.pem
SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem
So, while I understand your concern regarding a 'bad admin' placing the private key within the fullchain, it simply is not possible within Apache 2 vanilla, unless Apache was modified to accept this type of configuration.
For context:
- Public keys -r--r--r-- root root
- Private keys -r-------- root root
add a comment |
up vote
1
down vote
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?
Strictly speaking, a private key should have permissions dr--------
, with root:root
. So, only the root user can read the certificate. If this is misconfigured and the web server has access to the private key, then in some circumstances such as the web server is compromised. Then here we could see the private key being 'leaked', unwittingly by the web server. This, of course, applies to any program which has read access to the private key though.
Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?
By the configuration, I did with Apache 2, no! So, one of my web server configurations involves:
SSLCertificateFile /etc/apache2/ssl/safesploit.com.cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/safesploit.com.key.pem
SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem
So, while I understand your concern regarding a 'bad admin' placing the private key within the fullchain, it simply is not possible within Apache 2 vanilla, unless Apache was modified to accept this type of configuration.
For context:
- Public keys -r--r--r-- root root
- Private keys -r-------- root root
add a comment |
up vote
1
down vote
up vote
1
down vote
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?
Strictly speaking, a private key should have permissions dr--------
, with root:root
. So, only the root user can read the certificate. If this is misconfigured and the web server has access to the private key, then in some circumstances such as the web server is compromised. Then here we could see the private key being 'leaked', unwittingly by the web server. This, of course, applies to any program which has read access to the private key though.
Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?
By the configuration, I did with Apache 2, no! So, one of my web server configurations involves:
SSLCertificateFile /etc/apache2/ssl/safesploit.com.cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/safesploit.com.key.pem
SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem
So, while I understand your concern regarding a 'bad admin' placing the private key within the fullchain, it simply is not possible within Apache 2 vanilla, unless Apache was modified to accept this type of configuration.
For context:
- Public keys -r--r--r-- root root
- Private keys -r-------- root root
Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?
Strictly speaking, a private key should have permissions dr--------
, with root:root
. So, only the root user can read the certificate. If this is misconfigured and the web server has access to the private key, then in some circumstances such as the web server is compromised. Then here we could see the private key being 'leaked', unwittingly by the web server. This, of course, applies to any program which has read access to the private key though.
Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?
By the configuration, I did with Apache 2, no! So, one of my web server configurations involves:
SSLCertificateFile /etc/apache2/ssl/safesploit.com.cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/safesploit.com.key.pem
SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem
So, while I understand your concern regarding a 'bad admin' placing the private key within the fullchain, it simply is not possible within Apache 2 vanilla, unless Apache was modified to accept this type of configuration.
For context:
- Public keys -r--r--r-- root root
- Private keys -r-------- root root
answered 3 hours ago
safesploit
1,587418
1,587418
add a comment |
add a comment |
up vote
1
down vote
Yes, via either misconfiguration or as-yet unknown misconfigurations. I won't repeat the content of @gowenfawr 's answer, but TLS 1.3 intends to mitigate this via removing support for ciphers and potentially insecure configurations (https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/).
There is also the SSL v2 vulnerability known as DROWN (https://drownattack.com/) where previously SSL v2 was known to be insecure but many installations left it enabled for compatibility reasons.
While not ideal, this led to the possibility of extracting the key from a server that used the same keys or certificate but happened to be running SSL v2, even (potentially) exposing the contents of TLS 1.2 services using the same certificate.
DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.
edit;
I realised I didn't answer your question. Yes you can serve up your private key on a misconfigured web server, or as part of the chain
New contributor
add a comment |
up vote
1
down vote
Yes, via either misconfiguration or as-yet unknown misconfigurations. I won't repeat the content of @gowenfawr 's answer, but TLS 1.3 intends to mitigate this via removing support for ciphers and potentially insecure configurations (https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/).
There is also the SSL v2 vulnerability known as DROWN (https://drownattack.com/) where previously SSL v2 was known to be insecure but many installations left it enabled for compatibility reasons.
While not ideal, this led to the possibility of extracting the key from a server that used the same keys or certificate but happened to be running SSL v2, even (potentially) exposing the contents of TLS 1.2 services using the same certificate.
DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.
edit;
I realised I didn't answer your question. Yes you can serve up your private key on a misconfigured web server, or as part of the chain
New contributor
add a comment |
up vote
1
down vote
up vote
1
down vote
Yes, via either misconfiguration or as-yet unknown misconfigurations. I won't repeat the content of @gowenfawr 's answer, but TLS 1.3 intends to mitigate this via removing support for ciphers and potentially insecure configurations (https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/).
There is also the SSL v2 vulnerability known as DROWN (https://drownattack.com/) where previously SSL v2 was known to be insecure but many installations left it enabled for compatibility reasons.
While not ideal, this led to the possibility of extracting the key from a server that used the same keys or certificate but happened to be running SSL v2, even (potentially) exposing the contents of TLS 1.2 services using the same certificate.
DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.
edit;
I realised I didn't answer your question. Yes you can serve up your private key on a misconfigured web server, or as part of the chain
New contributor
Yes, via either misconfiguration or as-yet unknown misconfigurations. I won't repeat the content of @gowenfawr 's answer, but TLS 1.3 intends to mitigate this via removing support for ciphers and potentially insecure configurations (https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/).
There is also the SSL v2 vulnerability known as DROWN (https://drownattack.com/) where previously SSL v2 was known to be insecure but many installations left it enabled for compatibility reasons.
While not ideal, this led to the possibility of extracting the key from a server that used the same keys or certificate but happened to be running SSL v2, even (potentially) exposing the contents of TLS 1.2 services using the same certificate.
DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.
edit;
I realised I didn't answer your question. Yes you can serve up your private key on a misconfigured web server, or as part of the chain
New contributor
edited 2 hours ago
New contributor
answered 3 hours ago
richard
112
112
New contributor
New contributor
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198468%2fcan-an-https-server-accidentally-leak-its-private-key%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown