Hanno Böck. Journo tests legitimacy processes.
A bogus private digital key was sufficient to fool security vendor Symantec into revoking a transport layer security (TLS) certificate for a domain, a researcher has discovered.
German freelance infosec journalist Hanno Böck set out to test whether certificate authorities like Comodo and Symantec have rigorous processes in place to check the legitimacy of private keys submitted in digital certificate compromise reports.
Certificate authorities are expected to revoke TLS certificates once the corresponding private keys have been compromised. Böck's point is that, before acting on a report, the issuer should cryptographically verify that the submitted private key actually corresponds to the public key in the certificate, for example by having it sign a challenge and checking the signature against the certificate, rather than trusting that a key file which merely looks right is the real one.
Böck registered two test domains with his identity hidden, and obtained TLS certificates via Symantec’s RapidSSL brand as well as Comodo.
He then created fake private keys for both domains, uploaded them to the Pastebin website, and reported to Comodo and Symantec that the keys had been compromised.
Whereas Comodo spotted that the key submitted for its certificate was fake, Symantec accepted the one in Böck's report and revoked the certificate.
“No harm was done here, because the certificate was only issued for my own test domain. But I could’ve also faked private keys of other people’s certificates,” he wrote.
“Very likely Symantec would have revoked them as well, causing downtimes for those sites. I even could’ve easily created a fake key belonging to Symantec’s own certificates.”
He also noted that Symantec didn’t tell the domain owner the certificate was revoked because of a key compromise, potentially leaving administrators unable to figure out why the credential had been pulled.
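The difference between the two CAs' handling comes down to what a "key compromise" check actually tests. The following is an added illustration, not code from Böck, Symantec or Comodo, and the exact construction Böck used for his fake keys is not described in this article. It uses toy RSA parameters (two Mersenne primes, far too small for real use) and hypothetical function names. A forged key here copies the modulus and public exponent from the public certificate and fills in arbitrary private components, so it passes a modulus comparison; an internal-consistency check or, better, a proof-of-possession challenge catches it. The triage function also returns the reason the CA should record and pass to the subscriber, which is the information Böck noted Symantec failed to provide.

```python
import hashlib
import secrets

# Toy RSA parameters, constructed for this example. Two Mersenne primes give
# a roughly 150-bit modulus: useless for real security, but large enough that
# a bogus private exponent will not verify by accident.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # needs Python 3.8+

# What the CA already holds: the public key from the issued certificate.
CERT_PUBLIC_KEY = {"n": N, "e": E}

# The real private key, which only the certificate's owner should have.
GENUINE_KEY = {"n": N, "e": E, "d": D, "p": P, "q": Q}

# A forged "compromised key" (hypothetical construction): n and e are copied
# from the public certificate so it looks right, but d, p and q are arbitrary.
# Anyone can build this from the public certificate alone.
FAKE_KEY = {
    "n": N,
    "e": E,
    "d": 0x3F9A2C7E51B8D604FE1C93A7B2D58E0C47A1,
    "p": 2**31 - 1,
    "q": 2**127 - 1,
}


def modulus_matches(pub, claimed):
    """Weak check: does the submitted key carry the certificate's n and e?
    This is what comparing `openssl x509 -noout -modulus` against
    `openssl rsa -noout -modulus` tells you, and a forged key is built
    precisely to pass it."""
    return pub["n"] == claimed["n"] and pub["e"] == claimed["e"]


def key_is_consistent(key):
    """Structural check on the key file itself (roughly what `openssl rsa
    -check` does): the primes must multiply to n and d must invert e
    modulo phi(n). The forged key fails because p*q != n."""
    p, q = key["p"], key["q"]
    if p * q != key["n"]:
        return False
    return (key["e"] * key["d"]) % ((p - 1) * (q - 1)) == 1


def proves_possession(pub, claimed, nonce):
    """Strong check: sign a CA-chosen nonce with the submitted private key and
    verify the signature with the certificate's public key. Only a d that
    really inverts e modulo phi(n) produces a signature that verifies.
    Textbook RSA on a hash reduced mod n, because the toy modulus is short;
    a real implementation would use PSS padding from a proper library."""
    m = int.from_bytes(hashlib.sha256(nonce).digest(), "big") % pub["n"]
    signature = pow(m, claimed["d"], claimed["n"])
    return pow(signature, pub["e"], pub["n"]) == m


def triage_compromise_report(pub, claimed, nonce=None):
    """Decide what to do with a 'my private key leaked' report. Returns the
    action and the reason the CA should record and pass on to the subscriber,
    so an operator can tell why a certificate was pulled."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    if not modulus_matches(pub, claimed):
        return ("reject", "submitted key is for a different certificate")
    if not key_is_consistent(claimed):
        return ("reject", "submitted key is internally inconsistent")
    if not proves_possession(pub, claimed, nonce):
        return ("reject", "submitted key cannot sign for the certificate's public key")
    return ("revoke", "keyCompromise")


if __name__ == "__main__":
    print(triage_compromise_report(CERT_PUBLIC_KEY, GENUINE_KEY))
    print(triage_compromise_report(CERT_PUBLIC_KEY, FAKE_KEY))
    # A CA that stops at modulus_matches() would revoke on the forged key too:
    print(modulus_matches(CERT_PUBLIC_KEY, FAKE_KEY))
```

A modulus comparison alone cannot distinguish a leaked key from a file assembled out of the certificate's own public components, which is why the proof-of-possession step (or at minimum a full key-consistency check) has to come before revocation, and why the reason code should travel with the revocation notice.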
Böck said there was no excuse for Symantec’s approach.
“It indicates that they