Skip to main content

4.5 million web servers found to be using publicly known private keys

(Image credit: Image Credit: Sergey Nivens / Shutterstock)

In 2015, a survey was conducted by SEC Consult that revealed that 3.2 million web servers were using private keys that were in fact not private and were actually publicly known.  In the time since, the number of servers using non-authentic private keys has jumped to 4.5 million.

Public-key cryptography, also referred to as asymmetric encryption, was invented in the UK and US at the same time during the 1970s. This form of encryption relies on two keys to protect data: a public key is used to lock the data and it is accompanied by a private key that is used to unlock it.

Public and private keys are generated in pairs in only a few seconds using a modern computer. It is impossible to decipher the original data with only the public key and the private key is required to do so. The public key cannot be used to figure out the private key and keys can only be generated together in pairs.

With proper security, it is possible to make your public key public if your private key remains private. However, if a nefarious party acquires your private key they could impersonate you in a number of ways such as setting up a fake web server that pretends to be your actual site, digitally signing software to make it appear as an official release or by logging into third-party servers and 'proving' that they really are you through using your private key.

There are however a number of ways you can protect your private keys from becoming public. The first and most important of which is that your private keys should never be shared or reused. Additionally, remote administration should not be enabled by default on your devices. You should also never let a user activate a new device until they have reset all of the default passwords and keys that shipped with their device.

SEC Consult's report was released nine months ago and in that time the number of servers using private keys that are not private has risen by a million.

Hopefully this time around more users will heed the warnings in the report and begin using best security practices when it comes to the creation and use of private keys. 

Image Credit: Sergey Nivens / Shutterstock

Anthony Spadafora
After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal.