Slashdot Mirror


Database of Private SSL Keys Published

Trailrunner7 writes "A new project has produced a large and growing list of the private SSL keys that are hard-coded into many embedded devices, such as consumer home routers. The LittleBlackBox Project comprises a list of more than 2,000 private keys right now, each of which can be associated with the public key of a given router, making it a simple matter for an attacker to decrypt the traffic passing through the device. Published by a group called /dev/ttyS0, the LittleBlackBox database of private keys gives users the ability to find the key for a specific router in several different ways, including by searching for a known public key, looking up a device's model name, manufacturer or firmware version or even giving it a network capture, from which the program will extract the device's public certificate and then find the associated private SSL key."
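The lookup the summary describes (observe the device's public key, find the matching private key in a database), as an added example that is not part of the Slashdot story or of the LittleBlackBox project's code. It assumes textbook RSA over fixed Mersenne primes in place of real 1024/2048-bit keys, constructed model names (acme-router-v1 and so on), and a hand-built list of handshake records standing in for a packet capture, so that it runs offline with only the standard library.

```python
# Added example, not LittleBlackBox code: a minimal model of the lookup the
# summary describes. Private keys are indexed by a fingerprint of their public
# half; a public key taken from an observed handshake is fingerprinted the same
# way and looked up. Toy RSA over fixed primes stands in for PEM/DER parsing.
import hashlib
from typing import Dict, Optional, Tuple

E = 65537  # public exponent shared by every key pair below

# Constructed vendor key material: each tuple is a pair of Mersenne primes
# (2^p - 1 with p = 127, 89, 107, 61, 31, 19, all prime), used so the keys are
# fixed and the script needs no random number generator. Real database entries
# are full-size keys lifted from firmware images; these are toys.
VENDOR_PRIMES: Dict[str, Tuple[int, int]] = {
    "acme-router-v1": (2**127 - 1, 2**89 - 1),
    "acme-router-v2": (2**107 - 1, 2**61 - 1),
    "other-vendor-ap": (2**31 - 1, 2**19 - 1),
}


def make_keypair(p: int, q: int) -> Tuple[int, int, int]:
    """Textbook RSA: returns (n, e, d) for the primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse, Python 3.8+
    return n, E, d


def fingerprint(n: int, e: int) -> str:
    """Stable identifier for a public key. A real tool would hash the
    DER-encoded SubjectPublicKeyInfo from the certificate; hashing the raw
    (n, e) pair is enough to match a key regardless of which certificate
    (subject, expiry, CA signature) happens to wrap it."""
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


def build_database(vendors: Dict[str, Tuple[int, int]]) -> Dict[str, dict]:
    """Index every private key by the fingerprint of its public half."""
    db = {}
    for model, (p, q) in vendors.items():
        n, e, d = make_keypair(p, q)
        db[fingerprint(n, e)] = {"model": model, "n": n, "e": e, "d": d}
    return db


def make_capture() -> list:
    """Constructed stand-in for a packet capture: one record per observed TLS
    server handshake, already reduced to the server's public key. A real tool
    reassembles the handshake and parses the X.509 certificate to get here."""
    n1, e1, _ = make_keypair(*VENDOR_PRIMES["acme-router-v1"])
    # A device with its own per-unit key: deliberately absent from the database.
    n_uniq, e_uniq, _ = make_keypair(2**17 - 1, 2**13 - 1)
    return [
        {"src": "192.168.1.10", "dst": "192.168.1.1", "server_pubkey": (n1, e1)},
        {"src": "192.168.1.10", "dst": "192.168.1.254", "server_pubkey": (n_uniq, e_uniq)},
    ]


def lookup(db: Dict[str, dict], record: dict) -> Optional[dict]:
    """Recover the private key for the server seen in one capture record,
    or None when the device uses a key the database does not contain."""
    n, e = record["server_pubkey"]
    return db.get(fingerprint(n, e))


def rsa_encrypt(n: int, e: int, m: int) -> int:
    return pow(m, e, n)


def rsa_decrypt(entry: dict, c: int) -> int:
    """Prove the recovered key is the right one by decrypting with it."""
    return pow(c, entry["d"], entry["n"])


if __name__ == "__main__":
    db = build_database(VENDOR_PRIMES)
    for rec in make_capture():
        hit = lookup(db, rec)
        if hit is None:
            print(f"{rec['dst']}: key not in database (per-device key?)")
            continue
        c = rsa_encrypt(hit["n"], hit["e"], 0xC0FFEE)
        print(f"{rec['dst']}: matched {hit['model']}, "
              f"test decrypt -> {hex(rsa_decrypt(hit, c))}")
```

The point the toy makes is that the match is on the key, not on the certificate: a vendor can re-sign the same key pair into a new certificate with a different name or expiry and the fingerprint still hits, while a device that generates its own key on first boot (the second record) simply misses. Against a real TLS session the recovered private key only helps if the handshake used RSA key transport; with an ephemeral Diffie-Hellman cipher suite it lets an attacker impersonate the device rather than passively decrypt.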

1 of 200 comments

  1. The cost of CA-signing each key by tepples · Score: 0, Redundant

    I'm vaguely shocked that any home routers would be using hardcoded private keys. That would be like every Schlage front door knob having identical keys.

    But I can guess why it probably happened. Before StartCom started offering a gratis SSL certificate to the owner of a domain, it cost a substantial chunk of change to get an HTTPS server's public key signed by a certificate authority on the major web browsers' root CA lists. So instead, home web appliance makers used one key, got it signed once, and shipped it in every device of a given model. In order to generate individual keys per device, an appliance maker would have had to A. include the price of a CA-signed SSL certificate in the wholesale price, B. include a CD that installs the appliance maker's root certificate (and hear whining from Mac/Linux users that the EXE doesn't run), or C. register as a CA with each of the major web browser makers.