Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Security Team Accidentally Posts Private PGP Key On Blog (arstechnica.com)

Posted by BeauHD on from the whoopsie-daisy dept.

A member of Adobe's Product Security Incident Response Team (PSIRT) accidentally posted the PGP keys for PSIRT's email account -- both the public and the private keys. According to Ars Technica, "the keys have since been taken down, and a new public key has been posted in its stead." From the report: The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen. Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account. To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT's shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team's blog. But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe's PSIRT blog.

3 of 60 comments (clear)

  1. UI failure by Anonymous Coward · · Score: 4, Insightful

    As much as I hate Adobe and most of their shitware, I don't think it's fair to totally fault the poor person who did this.

    But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file.

    If a mistake of this magnitude is a single misclick away from happening - something that's really easy to do in a moment's careless mistake of the type EVERYONE has - something is broken with that UI.

    There should be warnings in red you have to override with an explicit and nontrivial action.

  2. Re:"PGP security is harder than it should be." by gweihir · · Score: 3, Insightful

    Actually, it is not. Just as with the functioning of a house-key, there is a minimal understanding that is required for public-key crypto, or security will not be provided. Yes, that means many people cannot have secure encryption. That is just the way things are. Wishing things to be different does not change them.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Poof by jonnythan · · Score: 3, Insightful

    And just like that, all email ever encrypted with that key is subject to decryption.