Oh this is interesting. Often bug bounty’s claim a published private key wasn’t in use or sensitive. This gives researchers the ability to call BS on that.
One thing that you'll see happen is, something is supplied with an example or test key and at some point somebody who doesn't understand what's going on need a "Private key". Huh. Where can I get a "Private key"? Oh, here's one, I'll use that. Sometimes it's in the context where it was found, but sometimes far away from that.<p>For example, back in March 2020, somebody on m.d.s.policy wondered why seemingly unrelated Web PKI certs had the same private key. So I stared at the certs and I came to the following conclusion:<p>This company Paessler makes a Windows tool called PRTG with a web interface. It is supplied with a demo certificate. So you set up the tool on a Windows server and it basically works, but the certificate isn't trustworthy.<p>Some people will click "Ignore" and press on. This is horribly insecure but what's new?<p>However, some people will decide they need to get a Certificate. Getting a certificate requires a Private Key. Fortunately, PRTG is supplied with a Private Key so no need to go learn how to make one yourself.<p>So, the people who made PRTG didn't screw up here in the sense that <i>they</i> really did make a test or demo key, and from their point of view <i>obviously</i> it isn't sensitive since everybody has the same key.<p>Unfortunately their users may not realise and come to depend on this key as "their" private key, and so in this sense it is sensitive, just not for the people who made it.<p>--<p>Regardless of who minted the key you have, and whether they understood its importance, in the Web PKI the correct thing to do is always the same and should be pretty easy:<p>Revoke the certificates for these public keys. Email contacts or Instructions are here: <a href="https://ccadb-public.secure.force.com/ccadb/AllProblemReportingMechanismsReport" rel="nofollow">https://ccadb-public.secure.force.com/ccadb/AllProblemReport...</a><p>For Let's Encrypt you can actually do this mechanically, their API will accept proof you know the private key as grounds to revoke the certificate even though that's not listed above.<p>If the CA refuses to revoke a certificate you've <i>genuinely</i> proved you have the key for (follow any instructions carefully) or just goes silent with no action for a prolonged period, report this problem to m.d.s.policy yourself. You should not need to send the private key itself to anybody as "proof" you have it, the whole <i>point</i> of private keys is that you can prove you know this key without revealing it.
Congrats to Dylan and team on this release; incredibly cool - more companies, especially those for whom software is a functional organization but not the primary one -- need to take key leaks seriously.
This was flagged and marked dead at <a href="https://news.ycombinator.com/item?id=29152572" rel="nofollow">https://news.ycombinator.com/item?id=29152572</a><p>Which is a shame, thanks for resubmitting