AnsweredAssumed Answered

Private Key Leakage

Question asked by Michael Peters on Sep 5, 2015
Latest reply on Sep 6, 2015 by Adm Selec

Serious bug causes “quite a few” HTTPS sites to reveal their private keys | Ars Technica

 

Not the first time I have seen that kind of bug referenced, and one of the reasons why it is important to generate a new private key at least once a year just as common practice.

 

But is there a mechanism by which we can test whether our servers are potentially vulnerable to that type of key leakage? I understand getting the key that way is like hitting the lottery, but agencies like the NSA and very large companies that have slogans about not being evil have the resources to just watch for the bug to happen.

 

It seems to me, from what I have read, that this is more likely to be an issue with RSA private keys, is that the case? Maybe it is time to start moving towards ECDSA private keys now, but many CAs still don't sign them. Perhaps if there was more demand they would start...

 

I don't think any of my private keys have been exposed via this type of bug, but honestly how would I know?

Outcomes