[SSL Observatory] Duplicate private keys

Andy Isaacson adi at hexapodia.org
Tue Apr 5 01:16:35 PDT 2011 

On Tue, Apr 05, 2011 at 12:19:29AM -0700, Andy Isaacson wrote:
> On Mon, Apr 04, 2011 at 11:35:55PM -0700, Chris Palmer wrote:
> > On Apr 4, 2011, at 7:02 PM, Andy Isaacson wrote:
> > 
> > > There are thousands of certs in the observatory with duplicate public
> > > exponent values but distinct, valid Subject strings.  The most
> 
> [as pointed out, I meant duplicate modulus.]
> 
> > > promiscuous public exponent is present in 780 distinct certificates (all
> > > with distinct CN= strings).  The ones I checked appear to be low-rent
> > > but legitimate commercial websites.  They're not all hosted on the same
> > > IP netblock or ISP.
> > 
> > Are these possibly also among the weak Debian keys? That might explain
> > the re-use.
> 
> No, the most frequent Debian bad key I could find only had 2 instances
> in valid_certs.

Looking into it a bit further...

Many of the duplicates are clearly multiple hosts within a single
organization.  Poor practice, certainly, but not as dramaticly bad as
the cross-org examples.

Many of the cross organizational examples I've seen are all signed by a
single CA.  For example a few dozen auto parts websites with the same
modulus, and X509 subject members:

OU=Hosted by Secure SSL Network, OU=Comodo InstantSSL

Others are almost certainly due to badly implemented software; there are
several hundred certs for the same modulus for a particular "secure
hosted webmail" product (all the domains point into the same netblock,
too, so perhaps this is another example of the "multiple hosts within a
single organization" anti-pattern.)

Some appear to be embedded products such as storage servers; in one case
at hand, the product appears to have generated 2200 distinct private
keys but also a heavy tail:

|         c | RSA Public Key:Modulus
|         3 | 00:da:c9:12...
|         3 | 00:b3:79:2f...
|         4 | 00:cb:50:1a...
|         5 | 00:e8:94:2f...
|         8 | 00:ad:c7:dc...
|         8 | 00:af:52:08...
|         8 | 00:b8:2e:c1...
|        11 | 00:b9:e1:fb...
|        18 | 00:ba:8e:e7...
|        28 | 00:ad:ab:f1...
|        31 | 00:9d:12:7b...
|        63 | 00:b6:6c:1c...

Perhaps due to a low entropy condition during first-boot key generation?

There are a few -- I've only seen two or three so far -- EV certs with
the same modulus as a non-EV cert.  I wonder if that's even explicitly
prohibited by the EV spec, I certainly never would have thought of such
a broken way to do it.

-andy

More information about the Observatory mailing list