Slashdot Mirror


Researchers Find Same RSA Encryption Key Used 28,000 Times

itwbennett writes: In the course of trying to find out how many servers and devices are still vulnerable to the Web security flaw known as FREAK, researchers at Royal Holloway of the University of London found something else of interest: Many hosts (either servers or other Internet-connected devices) share the same 512-bit public key. In one egregious example, 28,394 routers running an SSL VPN module all use the same 512-bit public RSA key.

3 of 132 comments

  1. So Out Them! by bill_mcgonigle · · Score: 3, Interesting

    "That's just laziness on the part of a manufacturer," Paterson said in a phone interview. "This is cardinal sin."

    Then it deserves at least social shaming and ostracism, if not worse than those minor responses to venial sins. Protecting the manufacturers only creates an environment where the incentives are aligned for them to do it again. If manufacturers aren't keenly aware that they need to protect their reputation, then they will cut every corner that doesn't provide them a competitive advantage.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  2. So easy to find by kooky45 · · Score: 4, Interesting

    Just scanned the /16 next to my home broadband and found a number of repeated certificate hashes, all belonging to systems identifying themselves as

    *.myfoscam.org/organizationName=ShenZhen Foscam Intelligent Technology Co,Ltd

    Seems to be a network enabled camera.

    1. Re:So easy to find by kooky45 · · Score: 3, Interesting
      And done the /8 now, and other common ones are

      commonName=UBNT/organizationName=Ubiquiti Networks Inc.

      commonName=TS Series NAS/organizationName=QNAP Systems Inc.

      commonName=Vigor Router/organizationName=DrayTek Corp.

      commonName=homenet.telecomitalia.it/organizationName=TELECOM ITALIA SPA

      commonName=localdomain/organizationName=Axentraserver Default Certificate 863B4AB

      In fact, there are duplicate hashes appearing all over the place so it's an endemic problem.
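
For auditing a device fleet you manage, grouping by the public key rather than by the certificate hash also catches devices whose certificates differ but wrap the same key, which is the condition the story describes. The sketch below is an added example, not code from the thread or the researchers; the inventory rows, the placeholder certificate labels, the `fake_modulus` helper and the 2048-bit floor are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

MIN_BITS = 2048  # assumed policy floor, not from the page (its keys are 512-bit)

def key_id(n, e):
    """Fingerprint the public key itself (modulus and exponent), not the certificate."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + b"|" + e.to_bytes(4, "big")
    return hashlib.sha256(raw).hexdigest()[:16]

def audit(inventory):
    """inventory rows: (host, cert_label, modulus, exponent). Returns only keys with findings."""
    groups = defaultdict(lambda: {"hosts": [], "certs": set(), "bits": 0})
    for host, cert_fp, n, e in inventory:
        g = groups[key_id(n, e)]
        g["hosts"].append(host)
        g["certs"].add(cert_fp)
        g["bits"] = n.bit_length()
    findings = {}
    for kid, g in groups.items():
        issues = []
        if len(g["hosts"]) > 1:
            issues.append("shared-key")  # same private key protects several devices
        if g["bits"] < MIN_BITS:
            issues.append("weak-size")
        if issues:
            findings[kid] = {**g, "issues": issues}
    return findings

def fake_modulus(seed, bits):
    """Constructed stand-in for an RSA modulus (NOT a real key): odd and exactly `bits` long."""
    out, i = b"", 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(seed + bytes([i])).digest()
        i += 1
    return int.from_bytes(out[: bits // 8], "big") | (1 << (bits - 1)) | 1

# Constructed inventory; hosts use the 192.0.2.0/24 documentation range.
VENDOR_KEY = fake_modulus(b"vendor-default", 512)
INVENTORY = [
    ("192.0.2.10", "cert-aa", VENDOR_KEY, 65537),
    ("192.0.2.11", "cert-bb", VENDOR_KEY, 65537),  # different certificate, same key
    ("192.0.2.12", "cert-aa", VENDOR_KEY, 65537),
    ("192.0.2.20", "cert-cc", fake_modulus(b"unique-2048", 2048), 65537),
    ("192.0.2.30", "cert-dd", fake_modulus(b"unique-512", 512), 65537),
]

if __name__ == "__main__":
    for kid, f in audit(INVENTORY).items():
        print(kid, f["bits"], ",".join(f["issues"]), f["hosts"], sorted(f["certs"]))
```

In practice the modulus and exponent would come from parsing each device's certificate; any key flagged `shared-key` should be regenerated per device.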