Difference between revisions of "Key Management"

From MgmtWiki
(Created page with "==Full Title or Meme== ==Problems== * The Heartbleed bug shipped on March 14, 2012, it was not publicly discovered for two years. At its core, the issue was not the bug itsel...")
 
(Reverences)
Line 3: Line 3:
 
==Problems==
 
==Problems==
 
* The Heartbleed bug shipped on March 14, 2012, it was not publicly discovered for two years. At its core, the issue was not the bug itself - as bugs are inevitable - but rather the design that left private keys in the user space of the application. 9 years later key management systems do this and worse today. They copy keys around in the clear, leaving them in environment variables and largely un-ACLed files stored in user space. Essentially, we are just one bug away from another Heartbleed-like exposure because the way we manage keys has not fundamentally changed.
 
* The Heartbleed bug shipped on March 14, 2012, it was not publicly discovered for two years. At its core, the issue was not the bug itself - as bugs are inevitable - but rather the design that left private keys in the user space of the application. 9 years later key management systems do this and worse today. They copy keys around in the clear, leaving them in environment variables and largely un-ACLed files stored in user space. Essentially, we are just one bug away from another Heartbleed-like exposure because the way we manage keys has not fundamentally changed.
 +
 +
==Problems==
 +
* Most [[Key Management]] schemes involve storage of some recovery mechanism in the cloud. That's similar to what Last Pass did for [[Cryptocurrency]] wallets. As should be expected, they were hacked.<ref>Brian Krebs, ''Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach'' (2023-09-05) https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/ </ref>
  
 
==Reverences==
 
==Reverences==
  
 
[[Category: Security]]
 
[[Category: Security]]
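Review bot: the added lines at "Line 3" open a second ==Problems== section directly after the existing one, so the page ends up with two identical headings; put the new recovery-mechanism bullet into the existing ==Problems== list instead. The ==Reverences== heading, repeated in the edit summary, reads like a typo for ==References==, and "Last Pass" in the new bullet should match the spelling "LastPass" used in the cited article's title.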

Revision as of 21:54, 5 September 2023

Full Title or Meme

Problems

  • The Heartbleed bug shipped on March 14, 2012, and was not publicly discovered for two years. At its core, the issue was not the bug itself, since bugs are inevitable, but the design that left private keys in the user space of the application. 9 years later, key management systems still do this, and worse. They copy keys around in the clear, leaving them in environment variables and in largely un-ACLed files stored in user space. Essentially, we are just one bug away from another Heartbleed-like exposure because the way we manage keys has not fundamentally changed.

  • Most Key Management schemes involve storage of some recovery mechanism in the cloud. That's similar to what LastPass did for Cryptocurrency wallets. As should be expected, they were hacked.[1]
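
An added example (not from this wiki page or any project it mentions): a small Python audit for the two exposures named in the Heartbleed item above, private keys passed in environment variables and key files readable beyond their owner. The function names, the secret-name pattern and the sample data are assumptions constructed for illustration, and the file check assumes POSIX mode bits.

```python
import os
import re
import stat
import tempfile

# PEM private-key header, and an assumed secret-name heuristic (tune locally).
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
SECRET_NAME = re.compile(r"(?:^|_)(?:KEY|SECRET|TOKEN|PASSWORD)(?:_|$)", re.I)

# Constructed sample data; the PEM body is a placeholder, not a real key.
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE-NOT-A-KEY\n"
              "-----END PRIVATE KEY-----\n")
SAMPLE_ENV = {"PATH": "/usr/bin", "HOME": "/home/app",
              "DB_PASSWORD": "constructed", "TLS_KEY": SAMPLE_PEM}

def audit_environment(env):
    """Return (variable, reason) pairs for secrets passed through the environment."""
    findings = []
    for name, value in sorted(env.items()):
        if PEM_PRIVATE.search(value):
            findings.append((name, "PEM private key in value"))
        elif value and SECRET_NAME.search(name):
            findings.append((name, "secret-like variable name"))
    return findings

def audit_key_file(path):
    """Return reasons a key file is exposed to more than its owning account."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o grants group/other access" % mode)
    with open(path, "rb") as fh:
        head = fh.read(4096).decode("ascii", "replace")
    # Header check only: an OpenSSH-format key hides its encryption state.
    if PEM_PRIVATE.search(head) and "ENCRYPTED" not in head:
        findings.append("private key stored in the clear")
    return findings

def demo():
    """Audit the sample environment and a sample key file at 0644 and 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.key")
        with open(path, "w") as fh:
            fh.write(SAMPLE_PEM)
        os.chmod(path, 0o644)
        loose = audit_key_file(path)
        os.chmod(path, 0o600)
        tight = audit_key_file(path)
    return audit_environment(SAMPLE_ENV), loose, tight
```

Tightening the mode to 0600 clears only the first finding: the key is still held in the clear in a file the application's own account can read, which is the design problem the item describes.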

References

  1. Brian Krebs, Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (2023-09-05) https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/