OWASP 2024 Global AppSec San Francisco

TLS Certificates are re-using private keys by the millions. We'll demonstrate that key re-use in TLS certificates is systemic and undermines one of the foundational protections offered in modern web security


We looked at 7 billion certs logged in Certificate Transparency and found millions of certs re-using private keys. We identified orgs like Verizon that re-used the same key for 10 years, despite revoking it in the first year! We found cases of organizations continuing to re-use the same private key to issue new certs, despite having had that key compromised. Picture a short lived cert that only lasts 90 days, but the same key is re-used on all future certs for a decade 

We also analyzed SSH key re-use for authentication to GitHub. We looked at 58 million GitHub user’s keys and found >100k SSH keys re-used between multiple GitHub account


We’ll show the extent of private key reuse, show re-use of keys from revoked certificates, and open-source a tool to identify certs that reuse private keys. We'll provide examples of common cert generation frameworks that repeatedly use the same key, despite the security risks


Keys are even sometimes used for TLS certs and repurposed as SSH keys on GitHub 

This talk dives deep into a world of systemic private encryption key re-use, the dangers, and current threats it poses