Slashdot Mirror

← Back to Stories (view on slashdot.org)

D-Link Accidentally Publishes Private Code Signing Keys

Posted by timothy on Thursday September 17, 2015 @06:19AM from the oh-is-that-in-the-firmware? dept.

New submitter bartvbl writes: As part of the GPL license, D-Link makes its firmware source code available for many of its devices. When looking through the files I accidentally stumbled upon 4 different private keys used for code signing. Only one — the one belonging to D-Link itself — was still valid at the time. I have successfully used this key to sign an executable as D-Link. A Dutch news site published the full story (translated to english with Google Translate).

1 of 67 comments (clear)

Min score:

Reason:

Sort:

Re:Revoked the keys, but is this still exploitable by dlenmn · 2015-09-17 07:42 · Score: 4, Informative

Google Chrome no longer even bothers, ignoring revocation lists completely.
That's not quite what your article says. It says that google stopped checking with the cecurity authority using the Online Certificate Status Protocol. However, the article also says that chrome replaced that with a local list of revoked certificates that can be updated without restarting the browser. So, chrome still does keep track of revoked certificates.