A French provider of SSL certificates appears to have made a bit of a boo-boo in its webserver configuration: publishing its private key for the world to see, and opening up a potentially serious security hole in the world’s web browsers.
SSL certificates serve two purposes on the Internet: to encrypt information, and to verify a webserver’s identity. An SSL certificate is what is used to keep the password you log in to your Internet banking site private, and also serves to ensure that you’re genuinely logging in to the bank’s own server.
This latter function requires that certificate providers don’t issue certificates willy-nilly, instead verifying that the person requesting the certificate has some control over the domain in question. This can be as difficult as a long-winded meetings with business executives, and as simple as placing a secret file somewhere on the web server.
To prevent random users from generating their own trusted certificates, each SSL certificate provider has a ‘private key.’ This is a piece of code which is kept completely secret, and which is used to sign each issued SSL certificate to validate that it has been issued by a trusted authority. These keys are usually closely guarded, as any certificate signed by the key from a trusted authority will be implicitly trusted by a web browser without display any warning messages.
Sadly, French SSL specialist Certigna appears to have failed to keep its secret under lock and key. A visit to the site’s revocation list page – which is fully publicly accessible via a standard web browser – allows anyone and everyone to download the private key and other supposedly secret files, potentially enabling the creation of their own valid Certigna-signed SSL certificates.
It’s a major security breach, and one of which the company appears unaware as they didn’t react to this issue yet.