Adobe Security Team Accidentally Posts Private PGP Key On Blog (arstechnica.com)
2017-09-22
A member of Adobe's Product Security Incident Response Team (PSIRT) accidentally posted the PGP keys for PSIRT's email account -- both the public and the private keys. According to Ars Technica, "the keys have since been taken down, and a new public key has been posted in its stead." From the report: The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen. Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account. To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT's shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team's blog. But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe's PSIRT blog.
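The export mix-up described above ("all" instead of "public") produces a single text file that contains both an armored public key block and an armored private key block. A cheap defence is a pre-publish check that scans the text destined for a blog or web page for OpenPGP armor headers and refuses (or redacts) anything that is not a public key. The following is an added example written for this page; it is not code from Adobe, Ars Technica or Mailvelope, and the sample post body, its key material and all function names are constructed for illustration.

```python
import re

# ASCII-armored OpenPGP blocks (RFC 4880 section 6.2) open with
# "-----BEGIN PGP <TYPE>-----" and close with "-----END PGP <TYPE>-----".
# The backreference \1 makes sure the END line matches the same type.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+?)-----.*?-----END PGP \1-----",
    re.DOTALL,
)

# Armor types that must never reach a public web page.
SECRET_TYPES = {"PRIVATE KEY BLOCK"}

# Constructed sample: a blog post body that, like the Adobe export,
# carries both keys. The base64 payloads are placeholders, not real keys.
SAMPLE_POST = """Contact PSIRT using the key below.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFxCONSTRUCTEDPUBLICKEYDATAxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
=abcd
-----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP PRIVATE KEY BLOCK-----

lQOYBFxCONSTRUCTEDPRIVATEKEYDATAxxxxxxxxxxxxxxxxxxxxxxxxxxxx
=efgh
-----END PGP PRIVATE KEY BLOCK-----
"""


def find_armor_blocks(text):
    """Return the armor header types found in text, in document order."""
    return [m.group(1) for m in ARMOR_RE.finditer(text)]


def contains_private_key(text):
    """True if any armored block in text is a private key block."""
    return any(t in SECRET_TYPES for t in find_armor_blocks(text))


def redact_private_keys(text):
    """Replace every private key block with a marker.

    Returns (redacted_text, number_of_blocks_removed). Public key blocks
    and the surrounding prose are left untouched.
    """
    removed = []

    def repl(m):
        if m.group(1) in SECRET_TYPES:
            removed.append(m.group(1))
            return "[private key block removed before publishing]"
        return m.group(0)

    return ARMOR_RE.sub(repl, text), len(removed)


def review_for_publication(text):
    """Pre-publish gate: (ok, reason) where ok is False if secret material is present."""
    if contains_private_key(text):
        return False, "post contains an OpenPGP private key block; export the public key only"
    return True, "no private key material found"


if __name__ == "__main__":
    ok, reason = review_for_publication(SAMPLE_POST)
    print("publish?", ok, "-", reason)
    cleaned, n = redact_private_keys(SAMPLE_POST)
    print(f"removed {n} private key block(s); remaining blocks: {find_armor_blocks(cleaned)}")
```

Wiring `review_for_publication` into whatever publishes the page (a CMS hook, a CI step for a static site, a pre-commit hook on the repository that holds the key file) turns the single misclick into a blocked publish rather than a disclosure. Redaction is only a stop-gap for the published copy: once a private key has been exported into a text file that left the team's control, the right response is the one the page describes, revoking the key and publishing a fresh one.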
How the hell did their PGP key even end up on their webserver?!?!?
The summary was all of 7 sentences; 3 of them were dedicated to the answer to this very question.
That's a key point and a key contributor to Internet insecurity. One could argue that, to make it 'perfect', the designers of PKI have made it unusable by the average user. And the OS vendors (Microsoft, Apple and the Linux community) have not helped. Nor have the purveyors of PKI credentials: again, to make trust "absolute", the cost and 'annoyance overhead' make getting your own key too difficult for anyone short of a fully qualified IT department with PKI expertise.
As much as I hate Adobe and most of their shitware, I don't think it's fair to totally fault the poor person who did this.
But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file.
If a mistake of this magnitude is a single misclick away from happening - something that's really easy to do in a moment's careless mistake of the type EVERYONE has - something is broken with that UI.
There should be warnings in red you have to override with an explicit and nontrivial action.
Adobe has such a long history of putting security first and demonstrating security best practices! How could this sort of thing happen? Or is it because a typical Adobe employee doesn't know the difference between a private key and a hole in the ground?