NBD: Adobe just dumped its private PGP key on the internet

Not in the least surprised

Adobe has er "form" when it comes to appalling lapses in security. At one time, it was able to boast responsibility for the world's biggest customer data bend-over-and-cheek-spread.


Plus ça change, plus c'est la même chose

Adobe caught in imbecilic security blunder.

In other news, Pope suspected of Catholicism...


Re: Plus ça change, plus c'est la même chose

To rephrase this Adobe style, "Is the Bear a Catholic? Does the Pope ..."


Adobe and Security seem to be two words that never go well together.


They go pretty well together as long as the word 'lapse' is in there as well.


Oh well ....

Adobe caught with its trousers down ....

Flashing its private key around ....

Young man, if that's all you've got to boast about ....


Also all, previous data

This key would also allow decryption of all emails, archived data, etc. that was sent out any time in the past.


Re: Also all, previous data

Maybe I am mistaken; I thought the related public key would do the decryption.

Possession of the private key certainly might allow forgery of messages dated before its revocation.


Re: Also all, previous data

Typically you encrypt with a public key so that only the holders of the private key are able to decrypt it.

You *can* encrypt with a private key, but the only real use case of that is for signing. Signing is basically generating a hash of some content, and then encrypting that hash with the private key so that anyone with your public key can verify that it was you that generated the hash.


Re: Also all, previous data

Maybe I am mistaken; I thought the related public key would do the decryption.

No, public keys encrypt, private keys decrypt (and sign - for verification of sender id).

Although Adobe will have issued a new key pair, anyone with an archive of mass-trawled email traffic (cough NSA cough) could now decrypt any archive messages, or spoof messages from Adobe to anyone who has not spotted the change in key pair.


Re: Also all, previous data

I believe I am substantially correct. According to RFC 4880, each recipient's public key is used to encrypt the (symmetric) message encryption key, and each encrypted symmetric key is attached to the encrypted message. A recipient uses her private key to decrypt the message encryption key, and the latter to decrypt the message body. The sender's private key is used with the hash that represents the message to provide a digital signature, if desired.

So compromise of a private key would allow signing and message spoofing (until the owner - Adobe, here - revokes it and the revocation is noted by recipients) (Reminder to self: refresh keyring periodically). It also, as another poster noted below, would allow decryption of messages directed to the owner of the (formerly) private key, to Adobe in this case.

Although I am inclined to think NSA, some 23 miles away by road, may have copies of messages I have sent, as far as their decrypting them I am more concerned about the recipients' private keys than mine.

Anonymous Coward

Re: Also all, previous data

I think what probably happened is that they received some sort of NSL and gag order forcing them to disclose the private key for [old] emails sent to/from PSIRT.

Posting the key there works as a warrant canary signalling that the canary is now dead.

https://en.wikipedia.org/wiki/National_security_letter


Key is five days old @rh587

So whilst you are right that it would allow retroactive decryption of any emails that are signed with it, that's only for the past week assuming it was even deployed the same day it was created. It could well be that posting the public key is part of their deployment protocol meaning it was only actually in use for a few hours. Maybe.

Don't get me wrong, it's a howler. But the practical effect is less than you suggest.


Re: Also all, previous data

A private key allows decryption of any emails or files being encrypted for Adobe to decode. That means any emails being sent to or from Adobe, typically. Other people use the PUBLIC key to secure the message for the recipient; only the recipient can read it because only the recipient has the PRIVATE key.


Re: Also all, previous data

Mea culpa. Clearly I got things reversed. Mike Cardwell states it most succinctly and correctly.



Re: Also all, previous data

From the wikipedia reference: "By law, NSLs can request only non-content information, for example, transactional records and phone numbers dialed, but never the content of telephone calls or e-mails."

While there is no guarantee that the issuer of an NSL or requester of a warrant follows the law, it is likely that most do. In the case of a warrant, a judge with some degree of independence reviews and approves it before it is executed.


"Maybe I am mistaken; I thought the related public key would do the decryption."

I see.

So you're not just the regular apologist for bulk governmental surveillance.

You're actually quite ignorant of how this technology works as well.

A useful thing to know.

tfb

Re: Also all, previous data

It is very likely that any PGP-encrypted message which Adobe sent was also encrypted with their public key, in order that they can later read the message themselves. So possession of their private key will in most cases allow you also to decrypt messages they sent.

There's an interesting tangential point here: if you encrypt a message with PGP or GPG and you are worried that bad people (bad people with legislation) might force you to decrypt it, then encrypt it *only* with the recipient's public key. Then you *can't* decrypt it, even if you wanted to, because it's not encrypted with your public key.

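The RFC 4880 flow laid out in the thread (session key wrapped once per recipient, body encrypted under that session key) and tfb's encrypt-to-yourself point, as an added Go example that is not part of the thread or of any OpenPGP implementation: RSA-OAEP and AES-GCM are assumed stand-ins for the real packet formats, and the Envelope type, Seal and Open are constructed for illustration. A private key opens only envelopes whose recipient list included its public key, which is exactly the scope of what a leaked key exposes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is a constructed stand-in for an OpenPGP message as the thread
// describes it: body under a random session key, that key wrapped per recipient.
type Envelope struct {
	WrappedKeys [][]byte
	Nonce, Body []byte
}

// Seal encrypts msg once and wraps the session key for every recipient listed.
// Encrypting to yourself as well (tfb's point) just means listing your own key.
func Seal(msg []byte, recipients ...*rsa.PublicKey) (*Envelope, error) {
	raw := make([]byte, 32+12) // 256-bit session key, then AES-GCM nonce
	rand.Read(raw)
	sess, nonce := raw[:32], raw[32:]
	block, _ := aes.NewCipher(sess)
	gcm, _ := cipher.NewGCM(block)
	env := &Envelope{Nonce: nonce, Body: gcm.Seal(nil, nonce, msg, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sess, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, w)
	}
	return env, nil
}
// Open recovers the body only if priv unwraps one of the session keys: a
// leaked private key exposes everything ever addressed to it, and nothing else.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range env.WrappedKeys {
		sess, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
		if err != nil {
			continue // this wrapped key was made for a different recipient
		}
		block, _ := aes.NewCipher(sess)
		gcm, _ := cipher.NewGCM(block)
		return gcm.Open(nil, env.Nonce, env.Body, nil)
	}
	return nil, rsa.ErrDecryption
}
```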

Re: Also all, previous data

So, you send out your email encrypting it with the public key? If so... then nobody can read it; unless of course you do what Adobe did, and release the private key.

BOTH keys can encrypt/decrypt. Which does which when... depends on its use.

Hey... you don't happen to work at Adobe do you?

Anonymous Coward

Pretty funny ...

...that you have to warn about the NSA and miscreants in the same breath.

Or maybe not so funny.


Re: Andy Prough Re: Pretty funny ...

"....NSA...." Does even the NSA have the staff and/or facilities to intercept and decode all the vuln emails going to Adobe? Given their "security" track record it's probably a sh*tload of emails daily!


Irony is thy name

The fact that this little mischief was perpetrated on the Adobe Product Security Incident Response Team's own blog is simply delicious.

I mean, who better, right?


Wrong

The private key is encrypted. Unless you know the password for it, you can't do any of the things that you're claiming with it.


Re: Wrong

Password ?

:-)

Anonymous Coward

Re: Wrong

"Password ?"

Do remember this was on Adobe's Security Response Team site. So they used the much more secure "Password1"


Re: Wrong

No special characters in that, you must mean Password1?

Anonymous Coward

Dimwits....

Not even arranged for cached versions of the page to be removed yet either....


perpetrated...

by a redeployed Flash developer I presume.


Really nothing new

Change the name to A-d'oh!-be

They wrote Flash years ago, didn't they? I rest my case...


Re: Really nothing new

Nope, Macromedia wrote Flash. Adobe got it when they bought Macromedia.

Adobe's only real creations are what? Photoshop and Illustrator? PDF?


Re: Really nothing new

Premiere is probably not that widely used but I would say Lightroom is very popular with Photographers. You may find that InDesign is used by many graphic houses for layouts but I wouldn't know about that.

And even then... if they had only created Photoshop... what a creation. Think how many people in the world have a job because of that program.

TRT

Re: Really nothing new

They are also key players in PostScript, typefaces and Illustrator predates Photoshop. There are large chunks of its catalogue, though, that were obtained by acquisition. In fact PostScript is where they began, really. Ha! Remember that code 0 feature that let you permanently disable a printer with a well crafted PostScript file? Ah, Adobe. You spoil us with your security related humour.


Re: Really nothing new

>> Macromedia wrote Flash

Futuresplash, I think you'll find.


Re: Really nothing new

"You may find that InDesign is used by many graphic houses for layouts but I wouldn't know about that."
Development of InDesign began at Aldus and was acquired by Adobe when they purchased Pagemaker from them. To say the least InDesign is InDispensible as is Postscript. So it goes...


Fail

No Adode crap in this establishment so smug icon please.

Anonymous Coward

Re: Fail

No Adode crap in this establishment so smug icon please.

You either have never heard of Omniture, or you never go online.


Perhaps they did it on purpose?

Obligatory xkcd reference.

Anonymous Coward

Re: Perhaps they did it on purpose?

I'm more of a https://xkcd.com/1181/ kind of guy!


On purpose?

Maybe they believed the world will end today so why bother?

By the way, the Reg had coverage of the previous end of the worlds like the one in 2012 while this year it absolutely missed the topic. The standards of journalism are slipping all the time.

Anonymous Coward

Re: On purpose?

Better to wait until the excuses are posted as to why it didn't happen this time. A disjunct with reality never seems to even dent these beliefs. The more strongly your identity is vested in a particular belief - the more dangerous to your being to have to accept it is wrong.


Re: On purpose?

Better to wait until the excuses are posted as to why it didn't happen this time.

From what I've read, when they said the world would end, they now claim they meant the world as we knew it would end, and the world from now on will be very different.

Not sure how that fits with claiming a fucking huge (*) previously invisible planet was going to come crashing into us. Badly I would suggest.

(*) Apologies for not remembering what the Official El Reg Unit is. I keep thinking Mega-Jubs. But then I often do :)


Wasn't it Adobe who had someone arrested for telling them about a vulnerability?


The key claims to have been created on 2017-09-18. So probably not much was ever done with it.


Time for a change.

It is high time the "Fail" emoticon was replaced by Nelson Muntz pointing his finger.

Ha HA !!!


User friendly encryption ?

If the user of a product is aware that they have to do something in order to encrypt or decrypt then their security process isn't user friendly, because a secure process is secure by default. Crypto keys for typical users should be created and stored automatically, e.g. when they register a domain or account, and ideally stored where they're very unlikely to be meddled with by their user, and can't be meddled with by anyone else. Those able to access private keys in the first place need to know what they're doing with them, or these aren't secure.


Re: User friendly encryption ?

Do it that way and (1) identities get screwed up when users (a) change providers, (b) move, or (c) switch computers; and (2) do you really want to trust the provider?


Re: User friendly encryption ?

(3) and if the key leaks you're dependent on the provider for a new one.


Bah!

Internal memos about zero day exploits?

Good one! Everyone knows that Adobe is the last to find out about 0DEs, and that by the time they do, proof of concept code is already being printed on milk cartons.


El Reg needs to add a rooster icon.

Biggest cock up, ever - courtesy those cretins at Adobe


The Register - Independent news and views for the tech community. Part of Situation Publishing