Loading…
THE MUST ATTEND EVENT FOR CYBERSECURITY PROFESSIONALS
Friday September 27, 2024 11:30am - 12:15pm PDT
TLS Certificates are re-using private keys by the millions. We'll demonstrate that key re-use in TLS certificates is systemic and undermines one of the foundational protections offered in modern web security


We looked at 7 billion certs logged in Certificate Transparency and found millions of certs re-using private keys. We identified orgs like Verizon that re-used the same key for 10 years, despite revoking it in the first year! We found cases of organizations continuing to re-use the same private key to issue new certs, despite having had that key compromised. Picture a short lived cert that only lasts 90 days, but the same key is re-used on all future certs for a decade 

We also analyzed SSH key re-use for authentication to GitHub. We looked at 58 million GitHub user’s keys and found >100k SSH keys re-used between multiple GitHub account


We’ll show the extent of private key reuse, show re-use of keys from revoked certificates, and open-source a tool to identify certs that reuse private keys. We'll provide examples of common cert generation frameworks that repeatedly use the same key, despite the security risks


Keys are even sometimes used for TLS certs and repurposed as SSH keys on GitHub 

This talk dives deep into a world of systemic private encryption key re-use, the dangers, and current threats it poses

Speakers
avatar for Dylan Ayrey

Dylan Ayrey

CEO, TruffleHog
Dylan is the original author of the open source version of TruffleHog, which he built after recognizing just how commonly credentials and other secrets were exposed in Git. Coming most recently from the Netflix security team, Dylan has spoken at a number of popular information security... Read More →
JL

Joseph Leon

Security Researcher, Truffle Security
Joe Leon is a security researcher at Truffle Security where he works to identify new sources of leaked secrets and contributes to the open-source security community. Previously, Joe led application security assessments for an offensive security consulting firm. Joe has taught technical... Read More →
Friday September 27, 2024 11:30am - 12:15pm PDT
Room: Seacliff AB
Feedback form is now closed.

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Share Modal

Share this link via

Or copy link