Tuesday, September 21, 2010

Let's go find some Private keys

I love it when people use a technology without thinking first. I deal with security software like PGP all day at my job and its ins and outs have become pretty routine for me. One of the first things you do after installing PGP is to create your public/private key pair. Once that is done, you can export your public key and share it with whomever you need to.

Your public key is just that, "PUBLIC". Which means it is fine to share it with the world. But your other key in the pair is your "PRIVATE" key. This keys should NEVER leave your system. It is typically protected with a password and is for your eyes only.

What I love is how many people don't think of this or even read up on the best practices before putting their keys out there.

If you do a search on the internet for the following: "BEGIN PGP PRIVATE KEY BLOCK filetype:asc" (without the double quotes around it), you will find a plethora of completely unsuspecting people and organizations that have no idea that their private key is out there for the world to download and abuse.

My suggestion to all of you is to create a new key pair and then export your public key, WITHOUT your private key. Because you shared it already, it is now compromised and you cannot ensure the nobody brute force hacked your password.

No comments:

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.