ADOBE HAS BECOME the laughing stock of the security industry after the firm stupidly posted its private PGP key on its official security blog.
A PGP key, which stands for Pretty Good Privacy, refers to a system which allows users to send encrypted messages over the internet with an additional layer of privacy.
Through OpenPGP, the system is normally used for private email exchanges: a message is encrypted with the recipient's public key and can only be decrypted with the matching private key.
Adobe's product security incident response team (PSIRT) accidentally published the private PGP key on its blog on Friday. And while it was quickly taken down, this didn't prevent some visitors from taking screenshots of the spectacular failure, or downloading an archived version of the post through Google Cache, which showed in detail both the public and private PGP keys posted by the firm.
The big issue here is that once the keys have been released, the whole system is rendered pointless as messages sent to be seen only by Adobe can be decrypted by anyone.
"Someone who has Adobe's private key can not only post messages that apparently have Adobe's imprimatur but also decrypt messages that people sent to Adobe under the assumption that only the PSIRT would ever get to read them," said Sophos security researcher Paul Ducklin, commenting on the tremendously embarrassing error.
"Fortunately, as far as we can see, Adobe's (now-revoked) private key was itself encrypted with a passphrase, meaning that it can't be used without a secret unlock code of its own, but private keys aren't supposed to be revealed even if they are stored in encrypted form."
"If you let your PGP/GPG private key slip, your leak cuts both ways, potentially affecting both you and the other person in the communication, for messages in either direction."
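The two details above, that a private key block was published at all and that it happened to be passphrase-protected, are both things a publishing pipeline can check for before a post goes live. The following added example (not code from the article, Adobe or Sophos) is a pure standard-library Python scanner: it finds OpenPGP private key blocks in a draft, verifies the armor CRC24, walks the packet stream and reads the S2K usage octet of each secret key and subkey packet to report whether the secret material is passphrase-protected. The packet layout follows RFC 4880; the key blocks it scans are constructed dummies with non-functional key material, and the `sample_private_block` helper exists only to produce them.

```python
"""Pre-publish check: find OpenPGP private key blocks in text and report whether
each secret key packet is passphrase-protected (RFC 4880 packet layout)."""
import base64
import re

PRIV_BLOCK = re.compile(
    r"-----BEGIN PGP PRIVATE KEY BLOCK-----\r?\n(.*?)-----END PGP PRIVATE KEY BLOCK-----", re.S)
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}
PUB_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA variants, ElGamal, DSA: count of public MPIs


def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(inner: str) -> bytes:
    """Drop armor header lines, decode the base64 body, verify the '=CRC' trailer if present."""
    body, crc_line, in_body = [], None, False
    for line in inner.strip().splitlines():
        line = line.strip()
        if not in_body and ":" in line:      # "Version:" / "Comment:" armor headers
            continue
        in_body = True
        if line.startswith("="):
            crc_line = line[1:]
        elif line:
            body.append(line)
    data = base64.b64decode("".join(body))
    if crc_line and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC mismatch: block is corrupted or truncated")
    return data


def packets(data: bytes):
    """Yield (tag, body) per packet; handles old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                        # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                                                 # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            n = (1, 2, 4, 0)[ltype]                           # ltype 3 = indeterminate length
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        yield tag, data[i:i + length]
        i += length


def skip_mpi(body: bytes, i: int) -> int:
    """Advance past one MPI: 2-octet bit length followed by the big-endian value."""
    return i + 2 + (int.from_bytes(body[i:i + 2], "big") + 7) // 8


def inspect_secret_key(body: bytes) -> dict:
    """Locate the S2K usage octet of a v4 secret (sub)key packet (RFC 4880 5.5.3)."""
    if body[0] != 4:
        return {"version": body[0], "protection": "unsupported key version"}
    algo, i = body[5], 6                                      # skip version + creation time
    if algo in PUB_MPIS:
        for _ in range(PUB_MPIS[algo]):
            i = skip_mpi(body, i)
    elif algo in (18, 19, 22):                                # ECDH, ECDSA, EdDSA
        i = skip_mpi(body, i + 1 + body[i])                   # curve OID, then the public point
        if algo == 18:
            i += 1 + body[i]                                  # ECDH KDF parameters
    else:
        return {"version": 4, "algo": algo, "protection": "unknown algorithm"}
    usage = body[i]
    if usage == 0:
        protection = "NOT protected: secret material is in the clear"
    elif usage in (254, 255):
        protection = "passphrase-protected (S2K)"
    else:
        protection = "passphrase-protected (legacy, cipher id %d)" % usage
    return {"version": 4, "algo": algo, "s2k_usage": usage, "protection": protection}


def scan_text(text: str) -> list:
    """Report every secret key/subkey packet found inside private key blocks in text."""
    findings = []
    for m in PRIV_BLOCK.finditer(text):
        for tag, body in packets(dearmor(m.group(1))):
            if tag in SECRET_TAGS:
                findings.append(dict(inspect_secret_key(body), packet=SECRET_TAGS[tag]))
    return findings


def _mpi(value: int) -> bytes:
    n = value.bit_length()
    return n.to_bytes(2, "big") + value.to_bytes((n + 7) // 8, "big")


def sample_private_block(protected: bool) -> str:
    """Constructed v4 RSA secret-key packet with dummy, non-functional key material."""
    body = b"\x04" + bytes(4) + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537)   # v4, time, RSA, n, e
    if protected:  # usage 254, AES-128, iterated+salted S2K/SHA-1, salt, count, IV, ciphertext
        body += b"\xfe\x07\x03\x02" + bytes(8) + b"\x60" + bytes(16) + bytes(32)
    else:          # usage 0: secret MPIs in the clear, followed by a 2-octet checksum
        body += b"\x00" + _mpi(0xBADF00D) + bytes(2)
    raw = bytes([0xC0 | 5, len(body)]) + body                # new-format header, 1-octet length
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PRIVATE KEY BLOCK-----\nComment: constructed sample, not a real key\n\n"
            + base64.b64encode(raw).decode() + "\n=" + crc + "\n-----END PGP PRIVATE KEY BLOCK-----\n")


if __name__ == "__main__":
    for finding in scan_text(sample_private_block(True) + sample_private_block(False)):
        print(finding)
```

Run it over a draft before publication and treat any finding as a blocker; the protection status only says how much time a passphrase buys before rotation, since a revealed private key has to be revoked either way. Partial-length packets and v5/v6 keys are reported rather than parsed, which is the safe failure mode for a gate like this.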