Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Encryption The Internet Technology

Database of Private SSL Keys Published 200 200

Trailrunner7 writes "A new project has produced a large and growing list of the private SSL keys that are hard-coded into many embedded devices, such as consumer home routers. The LittleBlackBox Project comprises a list of more than 2,000 private keys right now, each of which can be associated with the public key of a given router, making it a simple matter for an attacker to decrypt the traffic passing through the device. Published by a group called /dev/ttyS0, the LittleBlackBox database of private keys gives users the ability to find the key for a specific router in several different ways, including by searching for a known public key, looking up a device's model name, manufacturer or firmware version or even giving it a network capture, from which the program will extract the device's public certificate and then find the associated private SSL key."
This discussion has been archived. No new comments can be posted.

Database of Private SSL Keys Published

Comments Filter:
  • Re:Great Work! (Score:5, Insightful)

    by bunratty (545641) on Monday December 20, 2010 @11:08AM (#34615420)
    So you'll have no problem posting all your passwords, social security number, bank account numbers, and so on publicly, then. Right?
  • Good... (Score:4, Insightful)

    by bhsx (458600) on Monday December 20, 2010 @11:09AM (#34615432)
    Until Linksys, D-Link, Netgear, et al get their collective heads out their arses, these types of tools are great for pen testing small business networks. Personally, I can't wait for the Android app; maybe I could hack one together and get it out there...
  • Re:Great Work! (Score:5, Insightful)

    by gstoddart (321705) on Monday December 20, 2010 @11:12AM (#34615472) Homepage

    So you'll have no problem posting all your passwords, social security number, bank account numbers, and so on publicly, then. Right?

    No, like most people who say that ... he only supports someone else's information being made public.

  • Re:Great Work! (Score:5, Insightful)

    by Neil_Brown (1568845) on Monday December 20, 2010 @11:16AM (#34615498) Homepage

    Information shouldn't be kept private

    ...says the person choosing to post anonymously, thereby keeping information private?

  • Misleading? (Score:3, Insightful)

    by spankers (456500) on Monday December 20, 2010 @11:25AM (#34615586)

    From the article: "...making it a simple matter for an attacker to decrypt the traffic passing through the device". I'd think it would only be *to* the device.

  • Re:Great Work! (Score:2, Insightful)

    by migla (1099771) on Monday December 20, 2010 @11:34AM (#34615670)

    So you'll have no problem posting all your passwords, social security number, bank account numbers, and so on publicly, then. Right?

    No, like most people who say that ... he only supports someone else's information being made public.

    There's a difference between exposing information about the misuse of power by a powerful individual or organization and information that only exposes a little person for abuse.

    If absolutely all information wants to be free in some sci-fi quantum future, we'd better see to it that we go there with the big baddies transparent before they have all the dirt on all of us little regular people.

    We do this by exposing the big bad lies while fighting to keep our little secrets.

  • Re:Great Work! (Score:4, Insightful)

    by Per Wigren (5315) on Monday December 20, 2010 @11:41AM (#34615730) Homepage

    So you'll have no problem posting all your passwords, social security number, bank account numbers, and so on publicly, then. Right?

    Not the same. This is more like calling the emperor naked. The bad guys already know that "security" is often just a theatre. This is just a blunt way to raise awareness of that fact and force vendors to start taking security more seriously.

  • Re:what? (Score:4, Insightful)

    by Belial6 (794905) on Monday December 20, 2010 @01:14PM (#34617124)
    If you cannot trust the key that the bank physically hands you, the bank has already been comprimised, and there is NO security that you can take to prevent abuse of the bank's system. The OP didn't say that it would provide absolute security from every possible way your accound could be hacked. Nothing ever will. It DOES remove a significant vector of attack.

"Everything should be made as simple as possible, but not simpler." -- Albert Einstein

Working...