Researcher has Symantec certificate revoked with fake private key


Security researcher Hanno Böck has persuaded Symantec to revoke a certificate for a test domain he had set up himself. He used a fake private key to do so. He could not get Comodo to do the same.

Böck writes in a blog post that certificate authorities are obliged to revoke a certificate if its private key has been leaked. To test this process, he set up two test domains and requested digital certificates from Symantec and Comodo, because they are large parties that also offer free test certificates. He then created a fake private key for each domain, put it on Pastebin and sent it to both companies; only Symantec revoked the certificate. He submitted the fake keys alongside genuine leaked private keys he had found online.

The researcher has put the tool with which he created the fake key online. He writes that he chose to use the same public part of the key in both the certificate and the private key, so that a ‘naive check’ would notice nothing wrong. A thorough check would go beyond just comparing these parts. If that does not happen, it is problematic: after all, an attacker could assemble a private key from the public part of a certificate and the private part of any other key. In principle, this would let him have the certificate of any site revoked, causing that site to experience downtime, Böck said.
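To make the distinction between a naive and a thorough check concrete, here is an added illustration in toy textbook RSA. It is not code from Böck's tool, from Symantec or from Comodo; the primes, exponents and challenge values are constructed and far too small to be secure. It builds a key whose public half is copied from the certificate and whose private half comes from an unrelated key, as the article describes, then runs three checks a CA could apply to a "leaked key" report: comparing only the public components (which the mismatched key passes), verifying the private parameters are internally consistent with the modulus, and asking the submitter to sign a CA-chosen challenge that is verified with the certificate's public key.

```python
"""Toy RSA (tiny constructed primes, NOT secure) showing why a CA must do more
than compare public components before revoking on a 'leaked key' report."""
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def make_rsa_key(p, q, e=17):
    """Textbook RSA key from two primes; d is e^-1 mod lcm(p-1, q-1)."""
    n = p * q
    d = pow(e, -1, lcm(p - 1, q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


# Constructed toy keys: key A belongs to the certificate holder, key B is
# unrelated and stands in for "any other key".
KEY_A = make_rsa_key(61, 53)       # n = 3233
KEY_B = make_rsa_key(101, 107)     # n = 10807
CERT_PUBLIC = {"n": KEY_A["n"], "e": KEY_A["e"]}

# Structure of the mismatched key the article describes: public half copied
# from the certificate, private half taken from an unrelated key.
MISMATCHED_KEY = {"n": KEY_A["n"], "e": KEY_A["e"],
                  "d": KEY_B["d"], "p": KEY_B["p"], "q": KEY_B["q"]}


def naive_check(cert_pub, priv):
    """Compares only the public components: the check the article calls naive."""
    return priv["n"] == cert_pub["n"] and priv["e"] == cert_pub["e"]


def consistency_check(cert_pub, priv):
    """Verifies that the private parameters actually belong to the modulus:
    n must factor as p*q and d must be the inverse of e modulo lcm(p-1, q-1)."""
    n, e, d, p, q = (priv[k] for k in ("n", "e", "d", "p", "q"))
    if (n, e) != (cert_pub["n"], cert_pub["e"]):
        return False
    if p * q != n or p in (1, n) or q in (1, n):
        return False
    return (e * d) % lcm(p - 1, q - 1) == 1


def proof_of_possession(cert_pub, priv, challenge):
    """Sign a CA-chosen challenge with the submitted key and verify it with the
    certificate's public key. Only a key that really matches round-trips."""
    m = challenge % cert_pub["n"]
    signature = pow(m, priv["d"], priv["n"])
    return pow(signature, cert_pub["e"], cert_pub["n"]) == m


if __name__ == "__main__":
    for label, key in (("genuine", KEY_A), ("mismatched", MISMATCHED_KEY)):
        print(label,
              "naive:", naive_check(CERT_PUBLIC, key),
              "consistent:", consistency_check(CERT_PUBLIC, key),
              "possession:", proof_of_possession(CERT_PUBLIC, key, 2))
```

The mismatched key passes `naive_check` and fails the other two, while the genuine key passes all three. A real CA would run the equivalent of the last two checks on the actual key encoding (for RSA, the CRT parameters as well as n, e and d) before treating a report as proof of compromise.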

Symantec has responded to the move with a statement of its own. It says it will review its key revocation processes. The company says that when checking a key it did not examine certain parts of it, which was also apparent from the way Böck had generated his fake key. Symantec already received criticism from Google in March about the way it issues certificates. Google announced that it would reduce trust in old Symantec certificates. The search giant launched an investigation after Symantec wrongly issued certificates.
