As you’ve no doubt heard, Dell recently made a monumental security screw-up. In an effort to make life easier for the company’s support services, it included a trusted public TLS certificate in the root certificate store of certain models of PC. It also included the private key used to generate that certificate. Because the private key is accessible, anyone with a shred of technical ability can use it to sign certificates that will be automatically trusted by machines with the so-called eDellRoot certificate installed.
Usually, we get SSL certificates from a vendor that has a relationship with a Certificate Authority. Those certificates are trusted by browsers because they’re signed with the Certificate Authority’s root certificate (or some derivative of it). That’s how the certificate system works: certificate authorities validate the identity of the site owners, and browsers trust the CAs. Browsers know to trust the CAs because they have copies of the CA’s public certificates in their certificate store and can use them to verify that a certificate has been properly signed by the CA’s private key.
The Dell certificate essentially bypasses the CA process for machines with it installed. And because the private key is freely available, anyone can create a certificate for a site that will be trusted by machines with the Dell certificate installed on it..
SSL helps prevent man-in-the-middle attacks, but by using a certificate signed by the Dell private key, an attacker can act as a proxy between the the user and the secure site. They can decrypt information flowing in both directions.
“If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications,” said Robert Graham, the CEO of security firm Errata Security. “I suggest ‘international first class,’ because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.”
In the web hosting world, we think of SSL as a way to encrypt information traveling between browser and site, but binary signing is a crucial part of secure application installations and upgrades. Because the rogue certificate was placed in the root certificate store of the operating system, the associated private key can be used to sign software which the OS could conceivably be influenced to install. That’s a great opportunity for a hacker.
Obviously, this wasn’t a smart move by Dell, and browser and OS developers are scrambling to neutralize the potential risks. I’m more interested in using this lapse of good sense as an object lesson in what can go wrong when organizations aren’t careful with the private keys they use to sign certificates.
Many companies insert root certificates into the machines they give employees; if the company’s private keys ever find their way into the wild, those companies will be in the same position as Dell’s users are in today. Public key cryptography is a powerful security technology, but it’s worthless if organizations are careless with the private keys.