[thelist] Certificate Theft ramifications

Paul Cowan paul at wishlist.com.au
Tue Mar 5 17:26:00 CST 2002


Hi Joshua,

> If someone was able to steal an ecommerce website's certificate request
> (certreq.txt) and certificate (cert.txt), what sort of things could
> potentially be exploited?

SSL Certificates currently really serve two purposes: authentication
and encryption. The cert for a store both encrypts all the data going
back and forth to the server, and makes sure that the user knows that
the server they're dealing with (eToenailClippersOnline.com) actually
belongs to the business called Toenail Clippers Pty Ltd., of Wagga
Wagga, Australia, so they know they can trust it (or not, as the
case may be).

If someone manages to steal the private key half of a certificate [1],
then they can theoretically do 2 things:

1) Impersonate the site. They could set up another site which looks
exactly like eToenailClippersOnline.com, and people might be drawn
into it by some sort of chicanery, and they would have no reason
to doubt that they were giving their credit card details to
Toenail Clippers Pty Ltd. -- though they're actually giving them
to Bob's House Of Evil, Inc. Hilarity ensues.

2) (more importantly) Decrypt any traffic which is encrypted with
the corresponding public key. Ordinarily, if I'm "listening in" to
SSL-encrypted communications (not *necessarily* that difficult), I
can't work out what's being "said", because I need the private key
to decrypt the message. If I have that key, I could hypothetically
decrypt any encrypted messages I can find, and hence steal
customers' details as they wing their merry way to the
eToenailClippersOnline.com server. Hilarity and lawsuits ensue.

Net result: make sure you safeguard all the files for your certificate.

Hope this helps,

Paul

[1] see http://developer.netscape.com/tech/security/ssl/howitworks.html for
a quick explanation of public vs. private keys
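
Added example (not part of the original post): both risks described above depend on the private key, so this audit reads the files in a certificate directory, identifies which ones hold private-key PEM blocks, and flags keys that are unencrypted or accessible to other users. The file names besides certreq.txt and cert.txt, the placeholder PEM bodies and the POSIX permission model are assumptions made for the example.

```python
import os, re, stat, tempfile

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def audit_file(path):
    """Return findings for one file; certificates and CSRs yield none."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    keys = sorted(set(l for l in PEM_BEGIN.findall(text) if l.endswith("PRIVATE KEY")))
    if not keys:
        return []  # a CSR or certificate carries only the public key
    findings = []
    # PKCS#8 marks encryption in the label, legacy OpenSSL PEM in a header.
    legacy_enc = "Proc-Type: 4,ENCRYPTED" in text
    if any(l != "ENCRYPTED PRIVATE KEY" for l in keys) and not legacy_enc:
        findings.append("unencrypted private key")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key file accessible to group/other (mode %03o)" % mode)
    return findings

def audit_dir(directory):
    """Map file name -> findings for every regular file that has any."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        found = audit_file(path) if os.path.isfile(path) else []
        if found:
            report[name] = found
    return report

def build_sample_dir():
    """Constructed sample directory: placeholder bodies, no real key material."""
    d = tempfile.mkdtemp()
    samples = {
        "certreq.txt": ("CERTIFICATE REQUEST", 0o644),
        "cert.txt": ("CERTIFICATE", 0o644),
        "server.key": ("RSA PRIVATE KEY", 0o644),
        "server-enc.key": ("ENCRYPTED PRIVATE KEY", 0o600),
    }
    for name, (label, mode) in samples.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("-----BEGIN %s-----\nPLACEHOLDER\n-----END %s-----\n" % (label, label))
        os.chmod(path, mode)
    return d

if __name__ == "__main__":
    print(audit_dir(build_sample_dir()))
```

Only server.key is reported in the constructed sample; pointing audit_dir at a real certificate directory gives the same kind of report for its files.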


