House of Keys

Here’s yet another piece of research confirming how much of a myth online security really is – “House of Keys: Industry-Wide HTTPS Certificate and SSH Key Reuse Endangers Millions of Devices Worldwide”:

We have correlated our data with data from Internet-wide scans (Scans.io and Censys.io) and found that our data set (580 unique keys) contains:

  • the private keys for more than 9% of all HTTPS hosts on the web (~150 server certificates, used by 3.2 million hosts)
  • the private keys for more than 6% of all SSH hosts on the web (~80 SSH host keys used by 0.9 million hosts)

So in total at least 230 out of 580 keys are actively used. Other research has pointed out the extent of this problem (Heninger, Nadia, et al. “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices”, Durumeric, Zakir, et al. “Analysis of the HTTPS certificate ecosystem”). However, using our approach, an attribution at a vendor/product level is now possible. Plus the private keys have now been obtained.
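The correlation the quoted researchers describe (a set of keys extracted from firmware, matched against fingerprints seen in Internet-wide scans, so that each hit can be attributed to a vendor/product and counted per host) is straightforward to reproduce for your own fleet. The script below is an added example, not code from this post or from the House of Keys research: it computes OpenSSH-style `SHA256:` host-key fingerprints, matches scan results against an inventory of keys known to be baked into firmware, and reports how many hosts share each such key. The product names, the 32-byte key values and the host names are all constructed placeholders.

```python
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List, Tuple


def _ssh_string(b: bytes) -> bytes:
    """OpenSSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "") -> str:
    """Build an authorized_keys/known_hosts style line from a raw 32-byte key.

    Only used here to construct sample data; the key bytes are placeholders,
    not real keys.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the fingerprint ssh-keygen -lf would print (SHA256: + unpadded base64).

    The digest is taken over the decoded key blob, i.e. the wire-format key,
    which is what Internet-wide scan datasets publish as the host-key fingerprint.
    """
    _keytype, b64, *_comment = pubkey_line.split()
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def correlate(firmware_keys: Dict[str, str],
              scan: List[Tuple[str, str]]) -> dict:
    """Match scanned host keys against keys known to ship in firmware.

    firmware_keys maps a product label to the public key line extracted from
    its firmware image; scan is a list of (host, public key line) pairs as a
    scanner would return them. Matching is done on fingerprints so the same
    logic works against datasets that only publish fingerprints.
    """
    leaked = {ssh_fingerprint(line): product for product, line in firmware_keys.items()}

    hosts_per_fp = defaultdict(set)
    for host, line in scan:
        hosts_per_fp[ssh_fingerprint(line)].add(host)

    hits = {fp: hosts for fp, hosts in hosts_per_fp.items() if fp in leaked}
    affected = set().union(*hits.values()) if hits else set()
    total_hosts = len({host for host, _ in scan})

    return {
        "keys_in_use": len(hits),                      # leaked keys actually seen on the wire
        "affected_hosts": len(affected),               # hosts whose private key is in the inventory
        "total_hosts": total_hosts,
        "share_of_hosts": affected and len(affected) / total_hosts or 0.0,
        "by_product": {leaked[fp]: sorted(hosts) for fp, hosts in hits.items()},
    }


# Constructed firmware key inventory: three placeholder products, three placeholder keys.
FIRMWARE_KEYS = {
    "vendor-x-router (constructed)": make_ed25519_pubkey_line(b"\x01" * 32, "fw-1.0"),
    "vendor-y-camera (constructed)": make_ed25519_pubkey_line(b"\x02" * 32, "fw-2.3"),
    "vendor-z-gateway (constructed)": make_ed25519_pubkey_line(b"\x03" * 32, "fw-0.9"),
}

# Constructed scan results: two hosts share the router key, one uses the camera key,
# two have unique keys, and the gateway key never appears.
SCAN_RESULTS = [
    ("host-1.example", make_ed25519_pubkey_line(b"\x01" * 32)),
    ("host-2.example", make_ed25519_pubkey_line(b"\x01" * 32)),
    ("host-3.example", make_ed25519_pubkey_line(b"\x02" * 32)),
    ("host-4.example", make_ed25519_pubkey_line(b"\x10" * 32)),
    ("host-5.example", make_ed25519_pubkey_line(b"\x11" * 32)),
]


def run_sample() -> dict:
    return correlate(FIRMWARE_KEYS, SCAN_RESULTS)


if __name__ == "__main__":
    report = run_sample()
    print(f"{report['keys_in_use']} leaked keys in use on "
          f"{report['affected_hosts']}/{report['total_hosts']} hosts")
    for product, hosts in report["by_product"].items():
        print(f"  {product}: {', '.join(hosts)}")
```

Any host that turns up in `by_product` is one whose private key is public, so its TLS or SSH identity can be impersonated and its sessions decrypted or intercepted regardless of how the device is otherwise configured; the only fix is to generate a unique key on first boot (or replace the key manually) and rotate it. For real data, swap `SCAN_RESULTS` for your own scanner's output and feed the fingerprints of the keys you have extracted from firmware into `FIRMWARE_KEYS`.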
