Hacker Read

paulryanrogers · 2020-01-19 02:47:36+00:00

Makes sense assuming that authority doesn't leak their private keys like a sieve.

danuker | karma 6850 | avg karma 2.78 · | 2022-02-25 07:16:15

Hopefully they have good security around the private key.

JoshTriplett | karma 44606 | avg karma 4.76 · | 2011-08-29 20:34:59+00:00

Either that or they've got the cooperation of someone who has access to that private key, potentially the CA itself. But a compromise seems more likely in this case.

progman32 | karma 1400 | avg karma 3.12 · | 2022-09-15 11:50:39

Okay, then they leak their private key.

catshirt | karma 2358 | avg karma 2.07 · | 2014-04-16 01:35:42

ah, right. i didn't consider that their private key could have been leaked if they were once vulnerable (i was only considering passwords and the like). good point, thanks!

mqus | karma 1101 | avg karma 3.23 · | 2021-10-03 19:04:51

They have numerous private keys precisely because of leakage risk. In that case only one (or two) of them will get leaked (and then hopefully revoked), leaving the others intact.

incongruity | karma 2204 | avg karma 4.1 · | 2016-01-07 16:21:34+00:00

Actually... that'd be a private key.

webreac | karma 649 | avg karma 1.67 · | 2017-07-29 10:10:51

I am surprised private keys have never leaked.

jimktrains2 | karma 5467 | avg karma 1.89 · | 2013-05-02 17:51:01

FWIW they claim the private key was encrypted. Granted, having it air-gapped as much as possible is even better.

currere | karma 34 | avg karma 1.89 · | 2012-02-15 14:47:49+00:00

Better yet, they can just publish something encrypted with every compromised public key. Only people with the corresponding private keys can ascertain if they're compromised.

LouisSayers | karma 1230 | avg karma 2.36 · | 2015-09-25 16:05:25

Except where they have a warrant and reach their dirty little fingers into certificate authorities. Unless you're doing key exchange yourself I would assume nothing is truly private.

Cpoll | karma 1806 | avg karma 2.64 · | 2020-01-07 22:45:22

I wonder why they do that instead of asking for access to the private keys.

enraged_camel | karma 16714 | avg karma 2.78 · | 2015-07-22 20:38:44+00:00

Either that, or they will simply intimidate and even torture people for their private keys.

May sound far-fetched, but it isn't.

reply

dan1234 | karma 4634 | avg karma 4.92 · | 2022-08-06 06:18:54

If it did leak, why wouldn’t they just revoke and then reissue the valid passports with a new private key?

The same argument could be made about the possibility of a CA’s key being leaked.

reply

poundofshrimp | karma 174 | avg karma 2.0 · | 2021-03-15 15:03:41

Just give the government a copy of the private key. What could go wrong? It’s not like anyone is hacking into the government these days.

heckerhut | karma 216 | avg karma 1.86 · | 2021-02-06 10:17:46

Sure, ok, so they have an encrypted version of the private key!?

_jomo | karma 4099 | avg karma 8.37 · | 2015-06-24 22:27:52

this shouldn't be an issue when the clients share the private key.

ateesdalejr | karma 111 | avg karma 0.63 · | 2018-02-22 18:08:00

The government? Or the creator? If it were the creator I'm sure that the creator would have the common sense to pregenerate and store the private keys somewhere safe.

artofcode | karma 232 | avg karma 7.48 · | 2016-11-30 11:05:28+00:00

Exactly. And think about private keys for SSL certificates. I'm not even sure if those are covered by the legal wording, but I wouldn't be surprised if they were.

lhotkins | karma 8 | avg karma 0.47 · | 2019-05-29 11:34:07

If it's true I'm really curious how they did this. Probably they got the private key somehow?