Database of Private SSL Keys Published
Trailrunner7 writes "A new project has produced a large and growing list of the private SSL keys that are hard-coded into many embedded devices, such as consumer home routers. The LittleBlackBox Project comprises a list of more than 2,000 private keys right now, each of which can be associated with the public key of a given router, making it a simple matter for an attacker to decrypt the traffic passing through the device. Published by a group called /dev/ttyS0, the LittleBlackBox database of private keys gives users the ability to find the key for a specific router in several different ways, including by searching for a known public key, looking up a device's model name, manufacturer or firmware version or even giving it a network capture, from which the program will extract the device's public certificate and then find the associated private SSL key."
So you'll have no problem posting all your passwords, social security number, bank account numbers, and so on publicly, then. Right?
What a fool believes, he sees, no wise man has the power to reason away.
Until Linksys, D-Link, Netgear, et al get their collective heads out their arses, these types of tools are great for pen testing small business networks. Personally, I can't wait for the Android app; maybe I could hack one together and get it out there...
put the what in the where?
No, like most people who say that ... he only supports someone else's information being made public.
Lost at C:>. Found at C.
Information shouldn't be kept private
From the article: "...making it a simple matter for an attacker to decrypt the traffic passing through the device". I'd think it would only be *to* the device.
There's a difference between exposing information about the misuse of power by a powerful individual or organization and information that only exposes a little person for abuse.
If absolutely all information wants to be free in some sci-fi quantum future, we'd better see to it that we go there with the big baddies transparent before they have all the dirt on all of us little regular people.
We do this by exposing the big bad lies while fighting to keep our little secrets.
Some of my favourite people are from the US; Vonnegut, Chomsky, Bill Hicks.
So you'll have no problem posting all your passwords, social security number, bank account numbers, and so on publicly, then. Right?
Not the same. This is more like calling the emperor naked. The bad guys already know that "security" is often just a theatre. This is just a blunt way to raise awareness of that fact and force vendors to start taking security more seriously.
My other account has a 3-digit UID.
If you cannot trust the key that the bank physically hands you, the bank has already been compromised, and there is NO security that you can take to prevent abuse of the bank's system. The OP didn't say that it would provide absolute security from every possible way your account could be hacked. Nothing ever will. It DOES remove a significant vector of attack.