Can an HTTPS server accidentally leak its private key?











up vote
1
down vote

favorite












Are there any known cases of HTTPS websites leaking the private key of their SSL certificate? Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?










share|improve this question


























    up vote
    1
    down vote

    favorite












    Are there any known cases of HTTPS websites leaking the private key of their SSL certificate? Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?










    share|improve this question
























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      Are there any known cases of HTTPS websites leaking the private key of their SSL certificate? Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?










      share|improve this question













      Are there any known cases of HTTPS websites leaking the private key of their SSL certificate? Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?







      tls certificates cryptography webserver






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 4 hours ago









      John Blatz

      434413




      434413






















          3 Answers
          3






          active

          oldest

          votes

















          up vote
          4
          down vote














          Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?




          Yes - the Heartbleed bug involved memory leaks out of the HTTP server such that:




          We attacked ourselves from outside, without leaving a trace. Without
          using any privileged information or credentials we were able steal
          from ourselves the secret keys used for our X.509 certificates, ...




          Aside from bugs like that,




          Is it even technically possible for a bad website admin to
          misconfigure a site to send the private key as part of the certificate
          chain?




          Sure. If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.



          Doing so is not recommended.






          share|improve this answer

















          • 1




            I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
            – safesploit
            3 hours ago










          • If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key. can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
            – Lie Ryan
            3 hours ago




















          up vote
          1
          down vote














          Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?




          Strictly speaking, a private key should have permissions dr--------, with root:root. So, only the root user can read the certificate. If this is misconfigured and the web server has access to the private key, then in some circumstances such as the web server is compromised. Then here we could see the private key being 'leaked', unwittingly by the web server. This, of course, applies to any program which has read access to the private key though.




          Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?




          By the configuration, I did with Apache 2, no! So, one of my web server configurations involves:



              SSLCertificateFile /etc/apache2/ssl/safesploit.com.cert.pem
          SSLCertificateKeyFile /etc/apache2/ssl/safesploit.com.key.pem
          SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem


          So, while I understand your concern regarding a 'bad admin' placing the private key within the fullchain, it simply is not possible within Apache 2 vanilla, unless Apache was modified to accept this type of configuration.



          For context:




          • Public keys -r--r--r-- root root

          • Private keys -r-------- root root






          share|improve this answer




























            up vote
            1
            down vote













            Yes, via either misconfiguration or as-yet unknown misconfigurations. I won't repeat the content of @gowenfawr 's answer, but TLS 1.3 intends to mitigate this via removing support for ciphers and potentially insecure configurations (https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/).



            There is also the SSL v2 vulnerability known as DROWN (https://drownattack.com/) where previously SSL v2 was known to be insecure but many installations left it enabled for compatibility reasons.



            While not ideal, this led to the possibility of extracting the key from a server that used the same keys or certificate but happened to be running SSL v2, even (potentially) exposing the contents of TLS 1.2 services using the same certificate.




            DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.




            edit;
            I realised I didn't answer your question. Yes you can serve up your private key on a misconfigured web server, or as part of the chain






            share|improve this answer










            New contributor




            richard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.


















              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "162"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














               

              draft saved


              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198468%2fcan-an-https-server-accidentally-leak-its-private-key%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              4
              down vote














              Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?




              Yes - the Heartbleed bug involved memory leaks out of the HTTP server such that:




              We attacked ourselves from outside, without leaving a trace. Without
              using any privileged information or credentials we were able steal
              from ourselves the secret keys used for our X.509 certificates, ...




              Aside from bugs like that,




              Is it even technically possible for a bad website admin to
              misconfigure a site to send the private key as part of the certificate
              chain?




              Sure. If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.



              Doing so is not recommended.






              share|improve this answer

















              • 1




                I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
                – safesploit
                3 hours ago










              • If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key. can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
                – Lie Ryan
                3 hours ago

















              up vote
              4
              down vote














              Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?




              Yes - the Heartbleed bug involved memory leaks out of the HTTP server such that:




              We attacked ourselves from outside, without leaving a trace. Without
              using any privileged information or credentials we were able steal
              from ourselves the secret keys used for our X.509 certificates, ...




              Aside from bugs like that,




              Is it even technically possible for a bad website admin to
              misconfigure a site to send the private key as part of the certificate
              chain?




              Sure. If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.



              Doing so is not recommended.






              share|improve this answer

















              • 1




                I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
                – safesploit
                3 hours ago










              • If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key. can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
                – Lie Ryan
                3 hours ago















              up vote
              4
              down vote










              up vote
              4
              down vote










              Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?




              Yes - the Heartbleed bug involved memory leaks out of the HTTP server such that:




              We attacked ourselves from outside, without leaving a trace. Without
              using any privileged information or credentials we were able steal
              from ourselves the secret keys used for our X.509 certificates, ...




              Aside from bugs like that,




              Is it even technically possible for a bad website admin to
              misconfigure a site to send the private key as part of the certificate
              chain?




              Sure. If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.



              Doing so is not recommended.






              share|improve this answer













              Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?




              Yes - the Heartbleed bug involved memory leaks out of the HTTP server such that:




              We attacked ourselves from outside, without leaving a trace. Without
              using any privileged information or credentials we were able steal
              from ourselves the secret keys used for our X.509 certificates, ...




              Aside from bugs like that,




              Is it even technically possible for a bad website admin to
              misconfigure a site to send the private key as part of the certificate
              chain?




              Sure. If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key.



              Doing so is not recommended.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered 3 hours ago









              gowenfawr

              51.2k11108155




              51.2k11108155








              • 1




                I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
                – safesploit
                3 hours ago










              • If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key. can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
                – Lie Ryan
                3 hours ago
















              • 1




                I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
                – safesploit
                3 hours ago










              • If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key. can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
                – Lie Ryan
                3 hours ago










              1




              1




              I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
              – safesploit
              3 hours ago




              I had completely forgotten about Heartbleed. Wikipedia has a good page about Heartbleed - Root causes, possible lessons, and reactions
              – safesploit
              3 hours ago












              If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key. can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
              – Lie Ryan
              3 hours ago






              If you specify the wrong file in, for example, SSLCertificateChainFile then Boom! There goes the private key. can you provide reference that this is what will actually happen? AFAIK, this shouldn't happen as people commonly put all the three SSLCertificate*File into the same file.
              – Lie Ryan
              3 hours ago














              up vote
              1
              down vote














              Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?




              Strictly speaking, a private key should have permissions dr--------, with root:root. So, only the root user can read the certificate. If this is misconfigured and the web server has access to the private key, then in some circumstances such as the web server is compromised. Then here we could see the private key being 'leaked', unwittingly by the web server. This, of course, applies to any program which has read access to the private key though.




              Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?




              By the configuration, I did with Apache 2, no! So, one of my web server configurations involves:



                  SSLCertificateFile /etc/apache2/ssl/safesploit.com.cert.pem
              SSLCertificateKeyFile /etc/apache2/ssl/safesploit.com.key.pem
              SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem


              So, while I understand your concern regarding a 'bad admin' placing the private key within the fullchain, it simply is not possible within Apache 2 vanilla, unless Apache was modified to accept this type of configuration.



              For context:




              • Public keys -r--r--r-- root root

              • Private keys -r-------- root root






              share|improve this answer

























                up vote
                1
                down vote














                Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?




                Strictly speaking, a private key should have permissions dr--------, with root:root. So, only the root user can read the certificate. If this is misconfigured and the web server has access to the private key, then in some circumstances such as the web server is compromised. Then here we could see the private key being 'leaked', unwittingly by the web server. This, of course, applies to any program which has read access to the private key though.




                Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?




                By the configuration, I did with Apache 2, no! So, one of my web server configurations involves:



                    SSLCertificateFile /etc/apache2/ssl/safesploit.com.cert.pem
                SSLCertificateKeyFile /etc/apache2/ssl/safesploit.com.key.pem
                SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem


                So, while I understand your concern regarding a 'bad admin' placing the private key within the fullchain, it simply is not possible within Apache 2 vanilla, unless Apache was modified to accept this type of configuration.



                For context:




                • Public keys -r--r--r-- root root

                • Private keys -r-------- root root






                share|improve this answer























                  up vote
                  1
                  down vote










                  up vote
                  1
                  down vote










                  Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?




                  Strictly speaking, a private key should have permissions dr--------, with root:root. So, only the root user can read the certificate. If this is misconfigured and the web server has access to the private key, then in some circumstances such as the web server is compromised. Then here we could see the private key being 'leaked', unwittingly by the web server. This, of course, applies to any program which has read access to the private key though.




                  Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?




                  By the configuration, I did with Apache 2, no! So, one of my web server configurations involves:



                      SSLCertificateFile /etc/apache2/ssl/safesploit.com.cert.pem
                  SSLCertificateKeyFile /etc/apache2/ssl/safesploit.com.key.pem
                  SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem


                  So, while I understand your concern regarding a 'bad admin' placing the private key within the fullchain, it simply is not possible within Apache 2 vanilla, unless Apache was modified to accept this type of configuration.



                  For context:




                  • Public keys -r--r--r-- root root

                  • Private keys -r-------- root root






                  share|improve this answer













                  Are there any known cases of HTTPS websites leaking the private key of their SSL certificate?




                  Strictly speaking, a private key should have permissions dr--------, with root:root. So, only the root user can read the certificate. If this is misconfigured and the web server has access to the private key, then in some circumstances such as the web server is compromised. Then here we could see the private key being 'leaked', unwittingly by the web server. This, of course, applies to any program which has read access to the private key though.




                  Is it even technically possible for a bad website admin to misconfigure a site to send the private key as part of the certificate chain?




                  By the configuration, I did with Apache 2, no! So, one of my web server configurations involves:



                      SSLCertificateFile /etc/apache2/ssl/safesploit.com.cert.pem
                  SSLCertificateKeyFile /etc/apache2/ssl/safesploit.com.key.pem
                  SSLCertificateChainFile /etc/apache2/ssl/fullchain.pem


                  So, while I understand your concern regarding a 'bad admin' placing the private key within the fullchain, it simply is not possible within Apache 2 vanilla, unless Apache was modified to accept this type of configuration.



                  For context:




                  • Public keys -r--r--r-- root root

                  • Private keys -r-------- root root







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 3 hours ago









                  safesploit

                  1,587418




                  1,587418






















                      up vote
                      1
                      down vote













                      Yes, via either misconfiguration or as-yet unknown misconfigurations. I won't repeat the content of @gowenfawr 's answer, but TLS 1.3 intends to mitigate this via removing support for ciphers and potentially insecure configurations (https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/).



                      There is also the SSL v2 vulnerability known as DROWN (https://drownattack.com/) where previously SSL v2 was known to be insecure but many installations left it enabled for compatibility reasons.



                      While not ideal, this led to the possibility of extracting the key from a server that used the same keys or certificate but happened to be running SSL v2, even (potentially) exposing the contents of TLS 1.2 services using the same certificate.




                      DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.




                      edit;
                      I realised I didn't answer your question. Yes you can serve up your private key on a misconfigured web server, or as part of the chain






                      share|improve this answer










                      New contributor




                      richard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






















                        up vote
                        1
                        down vote













                        Yes, via either misconfiguration or as-yet unknown misconfigurations. I won't repeat the content of @gowenfawr 's answer, but TLS 1.3 intends to mitigate this via removing support for ciphers and potentially insecure configurations (https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/).



                        There is also the SSL v2 vulnerability known as DROWN (https://drownattack.com/) where previously SSL v2 was known to be insecure but many installations left it enabled for compatibility reasons.



                        While not ideal, this led to the possibility of extracting the key from a server that used the same keys or certificate but happened to be running SSL v2, even (potentially) exposing the contents of TLS 1.2 services using the same certificate.




                        DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.




                        edit;
                        I realised I didn't answer your question. Yes you can serve up your private key on a misconfigured web server, or as part of the chain






                        share|improve this answer










                        New contributor




                        richard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.




















                          up vote
                          1
                          down vote










                          up vote
                          1
                          down vote









                          Yes, via either misconfiguration or as-yet unknown misconfigurations. I won't repeat the content of @gowenfawr 's answer, but TLS 1.3 intends to mitigate this via removing support for ciphers and potentially insecure configurations (https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/).



                          There is also the SSL v2 vulnerability known as DROWN (https://drownattack.com/) where previously SSL v2 was known to be insecure but many installations left it enabled for compatibility reasons.



                          While not ideal, this led to the possibility of extracting the key from a server that used the same keys or certificate but happened to be running SSL v2, even (potentially) exposing the contents of TLS 1.2 services using the same certificate.




                          DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.




                          edit;
                          I realised I didn't answer your question. Yes you can serve up your private key on a misconfigured web server, or as part of the chain






                          share|improve this answer










                          New contributor




                          richard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          Yes, via either misconfiguration or as-yet unknown misconfigurations. I won't repeat the content of @gowenfawr 's answer, but TLS 1.3 intends to mitigate this via removing support for ciphers and potentially insecure configurations (https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/).



                          There is also the SSL v2 vulnerability known as DROWN (https://drownattack.com/) where previously SSL v2 was known to be insecure but many installations left it enabled for compatibility reasons.



                          While not ideal, this led to the possibility of extracting the key from a server that used the same keys or certificate but happened to be running SSL v2, even (potentially) exposing the contents of TLS 1.2 services using the same certificate.




                          DROWN shows that merely supporting SSLv2 is a threat to modern servers and clients. It allows an attacker to decrypt modern TLS connections between up-to-date clients and servers by sending probes to a server that supports SSLv2 and uses the same private key.




                          edit;
                          I realised I didn't answer your question. Yes you can serve up your private key on a misconfigured web server, or as part of the chain







                          share|improve this answer










                          New contributor




                          richard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          share|improve this answer



                          share|improve this answer








                          edited 2 hours ago





















                          New contributor




                          richard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          answered 3 hours ago









                          richard

                          112




                          112




                          New contributor




                          richard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.





                          New contributor





                          richard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.






                          richard is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.






























                               

                              draft saved


                              draft discarded



















































                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198468%2fcan-an-https-server-accidentally-leak-its-private-key%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror

                              Mangá

                              Eduardo VII do Reino Unido