Certigna, a major French certification authority whose certificates are trusted in all of today's most popular browsers - IE, Firefox, Safari, Opera, and many others - has somehow managed to make its private key accessible via browser for anyone who might be looking.
"A visit to the site's revocation list page - which is fully publicly accessible via a standard web browser - allows anyone and everyone to download the private key and other supposedly secret files, potentially enabling the creation of their own valid Certigna-signed SSL certificates," points out Gareth Halfacree.
This private key in the wrong hands can result in malicious pages seemingly possessing valid certificates signed by a trusted certification authority, reassuring potential victims that it's safe to give out their private or financial information or to download offered files.
According to Halfacree, Certigna has been alerted to the fact and has removed the files in question from the website, but has not offered any comment. Since it's possible that the private key has been downloaded by malicious individuals, the only thing for Certigna to do is to revoke it and create another, then reissue all the certificates and sign them with the new key.
UPDATE: Certigna has responded to the issues with the following statement:
"The private key available on the server corresponds to a test certificate used on our website certigna.fr. It is impossible to generate new valid user certificates from this key. Moreover, it is encrypted and is an SSL certificate expired since July 2010. This key does not affect our infrastructure security. The Certigna SSL authority’s private key is stored in HSM (Hardware Security Module) and hence can never be recovered. This useless file has been removed."
"A visit to the site's revocation list page - which is fully publicly accessible via a standard web browser - allows anyone and everyone to download the private key and other supposedly secret files, potentially enabling the creation of their own valid Certigna-signed SSL certificates," points out Gareth Halfacree.
This private key in the wrong hands can result in malicious pages seemingly possessing valid certificates signed by a trusted certification authority, reassuring potential victims that it's safe to give out their private or financial information or to download offered files.
According to Halfacree, Certigna has been alerted to the fact and has removed the files in question from the website, but has not offered any comment. Since it's possible that the private key has been downloaded by malicious individuals, the only thing for Certigna to do is to revoke it and create another, then reissue all the certificates and sign them with the new key.
UPDATE: Certigna has responded to the issues with the following statement:
"The private key available on the server corresponds to a test certificate used on our website certigna.fr. It is impossible to generate new valid user certificates from this key. Moreover, it is encrypted and is an SSL certificate expired since July 2010. This key does not affect our infrastructure security. The Certigna SSL authority’s private key is stored in HSM (Hardware Security Module) and hence can never be recovered. This useless file has been removed."
No comments:
Post a Comment