26

What can an attacker do with a stolen website certificate and key?

What should the website admin do upon learning this?

Bruno
  • 10,875
  • 1
  • 39
  • 61
Ron Garrity
  • 361
  • 1
  • 3
  • 3

2 Answers2

27

Attack Vectors

If an attacker uncovers your SSL private key, you are minimally vulnerable to the following attacks:

1) Traffic Eavesdropping

To the attacker, everything being sent over SSL can be decrypted and should consequently be thought of as cleartext. This means passwords, credit card numbers, and other Personal and Private Information is vulnerable to being either harvested or leveraged against you as the attack escalates.

2) Man-In-The-Middle

Part of the reason to use an SSL certificate is to uniquely authenticate yourself to the clients connecting to your server. If the private key is stolen, a hacker can create a Man-In-the-Middle attack where data flowing either from the server-to-client or client-to-server is modified in-transit. This could be done to ask a user to reauthenticate (and thereby surrender their password), ask for a credit card number, or implant malware into file downloads.

As you can see, if someone has compromised your SSL certificate, they can quickly escalate the attack to either gain unauthorized access to your system or attack you or your users.

How to Recover

If a private key compromise is suspected, one should add the SSL Certificate to the Certificate Revocation List (CRL). This will alert other participants in the Public Key Infrastructure (PKI) that the certificate in question can no longer be trusted. In order to do this, you will usually need to login to the account you created with the Certificate Authority (CA) who issued the SSL Certificate or otherwise notify them of the suspected breach. Godaddy provides instructions for this online, as does Network Solutions.

With the SSL certificate revoked, you will need to again go through the process of generating a new certificate and private key in order to re-enable SSL services for your web site or application.

If your site has been breached, I would recommend recovering in the following steps:

  1. Shutdown the compromised service. It is generally not advisable or ethical to leave yourself or your users at risk while you fix things.
  2. Revoke the SSL Certificate. By adding the certificate to the CRL, you're notifying the world that it can no longer be trusted. This should be done as soon as possible.
  3. Determine the cause of the Breach and Patch the Problem. It will do you no good to revoke and reissue the certificate if you don't know how you were compromised in the first place. Try to figure this out so that before you put everything back online you aren't simply compromised again. Fix the issue.
  4. Generate a New SSL Certificate. As mentioned above, you'll need to generate a new certificate in order to bring things back online securely.
  5. Resume Services. After you've addressed the root cause of the security breach, revoked the certificate, and generated a new cert from scratch, you should be good to bring things back online.
  6. Notify Users / Stakeholders. It is considered a best practice to provide full disclosure and notify those who may have been damaged by the breach of what happened. In some industries (such as healthcare) this may even be required by law. However, at this point you should defer to corporate/government policy for specifics.
Mark
  • 1,330
  • 1
  • 11
  • 13
  • 4
    "1) Traffic Eavesdropping" That only works for bad ciphersuites (which many people still use). If you use a secure ciphersuite you're immune to this. – CodesInChaos Jun 30 '12 at 13:16
  • 2
    @Mark, no, SSL/TLS encryption is done using symmetric keys. Asymmetric keys are only used for authentication (see [links here](http://security.stackexchange.com/a/14083/2435)). – Bruno Jun 30 '12 at 21:00
  • @Bruno I stand corrected. Ignorance removed. – Mark Jun 30 '12 at 22:18
  • 1
    Great answer and explanation on what are the priorities and what to do when the private key is disclosed to third parties. – David Refoua May 31 '18 at 06:26
7

What can an attacker do with a stolen website certificate and key?

Attackers in possession of the private key can:

  • Impersonate the website, if they are also in a position to perform an active MITM attack (i.e. alter the traffic coming from the client, so as to redirect the request to their server).

  • Look inside traffic they can eavesdrop (without necessarily having to alter the traffic), if a cipher suite that doesn't provide Perfect Forward Secrecy (Ephemeral Diffie-Hellman cipher suites aim to provide PFS) is used.

What should the website admin do upon learning this?

They should contact their Certification Authority to revoke the CA, and get a new one (with a new key part). Once revoked, clients checking for revocation (via CRL or OCSP) shouldn't accept the old certificate. (Clients that do not check this will still be vulnerable, until the expiry of the certificate.)

Telling users that this incident happened isn't a bad idea, at least to encourage them to check their browsers check for revocation (and perhaps take necessary action, should they suspect some of their communication have been vulnerable).

Note that, if the attackers have recorded past communications using that certificate and that a non-PFS cipher suite was used at the time, the attackers should be able to decipher those past communications with the private key.

Community
  • 1
Bruno
  • 10,875
  • 1
  • 39
  • 61
  • 1
    "Impersonate the website, if they are also in a position to perform an active MITM attack" - Doesn't this mean that the attacker would have to somehow reconfigure the DNS entry for the server from which the certificate and private key were stolen in order to use the stolen certificate and private key ON ANOTHER COMPUTER to impersonate the website? If so, isn't the risk of losing a server certificate and private key minimal? – Bill Vallance Jun 22 '20 at 13:43
  • 1
    @BillVallance There's a number of ways this can happen. For example, if the attacker gets people to connect to a wifi they run: that could happen if you're in a public environment and they run a spare wifi network and trick you to connect to it instead of the official one. – Bruno Jun 22 '20 at 14:17
  • 1
    But the DNS record for the server whose certificate and private key are being used by the hacker to impersonate the server's website would have to be modified in order for the client to be redirected to the fake website server, correct? The DNS record for the real website is associated with the IP address of the real server. The hacker could forge the real website's certificate but they can't "forge" the real server's domain/IP address association in the server's DNS record UNLESS THEY'VE ALSO HACKED THE SERVER'S ROUTER AND MODIFIED ITS DNS ADDRESSING. Correct? – Bill Vallance Jun 22 '20 at 18:17
  • 1
    @BillVallance Sure they can, if you connect via a hostile router, that router can redirect you to whatever it likes, whether it spoofs the DNS or not. – Bruno Jun 22 '20 at 20:15
  • Yes, I understand about a hostile router. The hacker will modify the DNS entry for the real server on the router that the hacker controls so that the unsuspecting client is detoured from the real web server to the hacker's server. At the end of the day, some form of DNS manipulation has to take place to be able to use a stolen server certificate and its private key to impersonate a website. If that's true (please weigh in on that), then the risk associated with using stolen server PKI credentials is a function of being able to successfully manipulate DNS. Correct? – Bill Vallance Jun 23 '20 at 00:15
  • 1
    @BillVallance Not really, the hostile router could keep the correct DNS entry, but intercept/replace the traffic to the correct IP address with its own, pretending to come from that IP address. – Bruno Jun 23 '20 at 09:25
  • The purpose of my questions is to assess how much effort a hacker has to expend to successfully impersonate a website whose certificate and private key they have stolen. What I'm understanding now is that it is going to take a DETERMINED hacker to pull off website impersonation. At a high level, in addition to stealing a website's server PKI credentials, the hacker will have to figure out and implement some method to reroute client traffic sent to the legitimate website server to its own server (whether by DNS hijacking, traffic rerouting, etc.). Is this correct? – Bill Vallance Jun 23 '20 at 13:29