Follow

Inadvertent Disclosure of SSL Keys

SSL/TLS private keys are sometimes accidentally disclosed, in circumstances including: 

 

- The private key is attached to an unencrypted email

- The private key is uploaded into a support ticket as an unencrypted attachment

- Key is stored on an unencrypted laptop or backup drive which is lost or stolen

- Key is stored on a shared network drive accessible to non-essential users

 

Any scenario in which the private key is disclosed, illegally accessed, or exposed to illegal access, should be considered an Inadvertent Disclosure; requiring a recovery process. 

Resulting risk and potential impact may range from inconsequential, to severe depending on circumstances, and the nature of the key disclosed. 

 

Recovery process should include the following:

 

- Containment:

  • If possible, erase the key from all exposed storage locations.
  • Revoke the certificate with the issuing authority (SSL/TLS may stop working until a new certificate is obtained and the revoked certificate is replaced)

- Restoration:

  • Obtain a new version of the certificate by recreating the Certificate Signing Request (CSR) and reprovisioning (many certificate authorities do not charge a fee for this).
  • Ensure that the revoked certificate is replaced by the new cert and keys in all relevant locations 
  • Ensure that the new certificate and keys are stored and transmitted according to secure practises. For sending keys to RedShield, please observe the following notes: 

https://support.redshield.co/hc/en-gb/articles/207523493-Securely-Exchanging-Files-and-Data-with-RedShield

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments