NBD: Adobe just dumped its private PGP key on the internet

An absent-minded security staffer just accidentally leaked Adobe's private PGP key onto the internet. The disclosure was spotted by security researcher Juho Nurminen – who found the key on the Photoshop giant's Product Security Incident Response Team blog, ironically. That contact page should have only included the public PGP …

  1. Alistair Dabbs

    Not in the least surprised

    Adobe has er "form" when it comes to appalling lapses in security. At one time, it was able to boast responsibility for the world's biggest customer data bend-over-and-cheek-spread.

  2. Lysenko

    Plus ça change, plus c'est la même chose

    Adobe caught in imbecilic security blunder.

    In other news, Pope suspected of Catholicism...

    1. Version 1.0 Silver badge
      Joke

      Re: Plus ça change, plus c'est la même chose

      To rephrase this Adobe style, "Is the Bear a Catholic? Does the Pope ..."

  3. Dwarf

    Adobe and Security seem to be two words that never go well together.

    1. phuzz Silver badge

      They go pretty well together as long as the word 'lapse' is in there as well.

  4. PNGuinn
    FAIL

    Oh well ....

    Adobe caught with its trousers down ....

    Flashing its private key around ....

    Young man, if that's all you've got to boast about ....

  5. Gary Bickford

    Also all, previous data

    This key would also allow decryption of all emails, archived data, etc. that was sent out any time in the past.

    1. tom dial Silver badge

      Re: Also all, previous data

      Maybe I am mistaken; I thought the related public key would do the decryption.

      Possession of the private key certainly might allow forgery of messages dated before its revocation.

      1. Mike Cardwell

        Re: Also all, previous data

        Typically you encrypt with a public key so that only the holders of the private key are able to decrypt it.

        You *can* encrypt with a private key, but the only real use case of that is for signing. Signing is basically generating a hash of some content, and then encrypting that hash with the private key so that anyone with your public key can verify that it was you that generated the hash.

      2. rh587

        Re: Also all, previous data

        Maybe I am mistaken; I thought the related public key would do the decryption.

        No, public keys encrypt, private keys decrypt (and sign - for verification of sender id).

        Although Adobe will have issued a new key pair, anyone with an archive of mass-trawled email traffic (cough NSA cough) could now decrypt any archive messages, or spoof messages from Adobe to anyone who has not spotted the change in key pair.

        1. tom dial Silver badge

          Re: Also all, previous data

          I believe I am substantially correct. According to RFC 4880, each recipient's public key is used to encrypt the (symmetric) message encryption key, and each encrypted symmetric key is attached to the encrypted message. A recipient uses her private key to decrypt the message encryption key, and the latter to decrypt the message body. The sender's private key is used with the hash that represents the message to provide a digital signature, if desired.

          So compromise of a private key would allow signing and message spoofing (until the owner - Adobe, here - revokes it and the revocation is noted by recipients) (Reminder to self: refresh keyring periodically). It also, as another poster noted below, would allow decryption of messages directed to the owner of the (formerly) private key, to Adobe in this case.

          Although I am inclined to think NSA, some 23 miles away by road, may have copies of messages I have sent, as far as their decrypting them I am more concerned about the recipients' private keys than mine.

          1. Anonymous Coward
            Anonymous Coward

            Re: Also all, previous data

            It is very likely that any PGP-encrypted message which Adobe sent was also encrypted with their public key, in order that they can later read the message themselves. So possession of their private key will in most cases allow you also to decrypt messages they sent.

            There's an interesting tangential point here: if you encrypt a message with PGP or GPG and you are worried that bad people (bad people with legislation) might force you to decrypt it, then encrypt it *only* with the recipient's public key. Then you *can't* decrypt it, even if you wanted to, because it's not encrypted with your public key.

        2. h4rm0ny

          Key is five days old @rh587

          So whilst you are right that it would allow retroactive decryption of any emails that are signed with it, that's only for the past week assuming it was even deployed the same day it was created. It could well be that posting the public key is part of their deployment protocol meaning it was only actually in use for a few hours. Maybe.

          Don't get me wrong, it's a howler. But the practical effect is less than you suggest.

        3. Aodhhan

          Re: Also all, previous data

          So, you send out your email encrypting it with the public key? If so... then nobody can read it; unless of course you do what Adobe did, and release the private key.

          BOTH keys can encrypt/decrypt. Which does which when... depends on its use.

          Hey... you don't happen to work at Adobe do you?

      3. phord

        Re: Also all, previous data

        A private key allows decryption of any emails or files being encrypted for Adobe to decode. That means any emails being sent to or from Adobe, typically. Other people use the PUBLIC key to secure the message for the recipient; only the recipient can read it because only the recipient has the PRIVATE key.

      4. tom dial Silver badge

        Re: Also all, previous data

        Mea culpa. Clearly I got things reversed. Mike Cardwell states it most succinctly and correctly.

      5. John Smith 19 Gold badge
        FAIL

        "Maybe I am mistaken; I thought the related public key would do the decryption."

        I see.

        So you're not just the regular apologist for bulk governmental surveillance.

        You're actually quite ignorant of how this technology works as well.

        A useful thing to know.

    2. Anonymous Coward
      Anonymous Coward

      Re: Also all, previous data

      I think what probably happened is that they received some sort of NSL and gag order forcing them to disclose the private key for [old] emails sent to/from PSIRT.

      Posting the key there works as a warrant canary signalling that the canary is now dead.

      https://en.wikipedia.org/wiki/National_security_letter

      1. tom dial Silver badge

        Re: Also all, previous data

        From the wikipedia reference: "By law, NSLs can request only non-content information, for example, transactional records and phone numbers dialed, but never the content of telephone calls or e-mails."

        While there is no guarantee that the issuer of an NSL or requester of a warrant follows the law, it is likely that most do. In the case of a warrant, a judge with some degree of independence reviews and approves it before it is executed.

    3. This post has been deleted by its author

  6. Anonymous Coward
    Anonymous Coward

    Pretty funny ...

    ...that you have to warn about the NSA and miscreants in the same breath.

    Or maybe not so funny.

    1. Jonathan Schwatrz
      Happy

      Re: Andy Prough Re: Pretty funny ...

      "....NSA...." Does even the NSA have the staff and/or facilities to intercept and decode all the vuln emails going to Adobe? Given their "security" track record it's probably a sh*tload of emails daily!

  7. Anonymous Coward
    Anonymous Coward

    Irony is thy name

    The fact that this little mischief was perpetrated on the Adobe Product Security Incident Response Team's own blog is simply delicious.

    I mean, who better, right?

  8. Mike Cardwell

    Wrong

    The private key is encrypted. Unless you know the password for it, you can't do any of the things that you're claiming with it.
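Added example, written for this page and not taken from the article or from any commenter: a toy implementation of the RFC 4880 flow tom dial describes earlier in the thread (a per-recipient public-key-encrypted session key, the private key decrypts it, a signature over the message hash) together with Mike Cardwell's point above that the secret key file is itself passphrase-protected. Textbook RSA over freshly generated primes, a SHA-256 counter keystream and PBKDF2 are stand-ins for OpenPGP's real algorithms, and the names "psirt" and "reporter", the sample report text and the passphrase are all constructed. The returned checks show what a leaked, passphrase-protected key file does and does not give up: nothing without the passphrase; with it, every archived message addressed to the key opens and signatures in the owner's name verify until the revocation reaches recipients' keyrings, which is what the "refresh keyring periodically" aside in the thread is about.

```python
# Toy model of the OpenPGP hybrid scheme (RFC 4880). Constructed example:
# textbook RSA, a SHA-256 counter keystream and PBKDF2 stand in for the real
# algorithms; names, report text and passphrase are made up. Not production crypto.
import hashlib
import secrets


def _is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if _is_probable_prime(c):
            return c


def generate_keypair(bits=320):
    """Return (public (n, e), private (n, d)); a 320-bit n holds a 256-bit hash."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _stream_xor(key, data):
    """SHA-256 counter-mode keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_message(plaintext, recipients, signer_priv):
    """One random session key, one RSA-wrapped copy per recipient, signature over the hash."""
    sk = secrets.token_bytes(16)
    pkesk = {who: pow(int.from_bytes(sk, "big"), e, n) for who, (n, e) in recipients.items()}
    h = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    n, d = signer_priv
    return {"pkesk": pkesk, "body": _stream_xor(sk, plaintext), "sig": pow(h, d, n)}


def decrypt_message(msg, me, priv):
    """Only the matching private exponent yields a 128-bit session key."""
    n, d = priv
    sk = pow(msg["pkesk"][me], d, n)          # KeyError if not addressed to me
    if sk.bit_length() > 128:
        raise ValueError("not the matching private key")
    return _stream_xor(sk.to_bytes(16, "big"), msg["body"])


def verify_signature(msg, plaintext, signer_pub):
    n, e = signer_pub
    return pow(msg["sig"], e, n) == int.from_bytes(hashlib.sha256(plaintext).digest(), "big")


def protect_private_key(priv, passphrase):
    """Wrap d under a passphrase-derived key, as an OpenPGP S2K-protected secret key is."""
    n, d = priv
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)
    raw = d.to_bytes((n.bit_length() + 7) // 8, "big")
    return {"n": n, "salt": salt, "enc_d": _stream_xor(kek, raw),
            "check": hashlib.sha256(raw).digest()[:4]}


def unlock_private_key(blob, passphrase):
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, blob["salt"], 100_000)
    raw = _stream_xor(kek, blob["enc_d"])
    if hashlib.sha256(raw).digest()[:4] != blob["check"]:
        raise ValueError("wrong passphrase")
    return blob["n"], int.from_bytes(raw, "big")


def leaked_key_scenario():
    """Check the thread's claims in this model; returns {claim: holds}."""
    adobe_pub, adobe_priv = generate_keypair()
    rep_pub, rep_priv = generate_keypair()
    report = b"constructed sample: crash in example.dll, PoC attached"
    # reporter encrypts to PSIRT and to itself (to reread its own mail) and signs as itself
    msg = encrypt_message(report, {"psirt": adobe_pub, "reporter": rep_pub}, rep_priv)
    r = {"adobe_reads_report": decrypt_message(msg, "psirt", adobe_priv) == report,
         "reporter_reads_own_copy": decrypt_message(msg, "reporter", rep_priv) == report,
         "signature_from_reporter": verify_signature(msg, report, rep_pub)}
    try:                                      # the public half cannot decrypt
        decrypt_message(msg, "psirt", adobe_pub)
        r["public_key_decrypts"] = True
    except ValueError:
        r["public_key_decrypts"] = False
    blob = protect_private_key(adobe_priv, b"constructed-passphrase")
    try:                                      # leaked key file alone is inert
        unlock_private_key(blob, b"wrong-guess")
        r["unlocks_with_wrong_passphrase"] = True
    except ValueError:
        r["unlocks_with_wrong_passphrase"] = False
    leaked = unlock_private_key(blob, b"constructed-passphrase")
    # with the passphrase: archived mail to PSIRT opens, and a signature made in
    # Adobe's name verifies until recipients see the revocation
    forged = b"constructed sample: bogus advisory"
    r["archive_readable_with_leaked_key"] = decrypt_message(msg, "psirt", leaked) == report
    r["forgery_verifies_as_adobe"] = verify_signature(
        encrypt_message(forged, {"reporter": rep_pub}, leaked), forged, adobe_pub)
    return r
```

Running `leaked_key_scenario()` returns every claim as True except `public_key_decrypts` and `unlocks_with_wrong_passphrase`; the first of those is the point tom dial later conceded, the second is Mike Cardwell's. The "PoC attached" text is just a constructed placeholder for the kind of mail a PSIRT key protects.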

    1. John Crisp

      Re: Wrong

      Password ?

      :-)

      1. Anonymous Coward
        Anonymous Coward

        Re: Wrong

        "Password ?"

        Do remember this was on Adobe's Security Response Team site. So they used the much more secure "Password1"

        1. Tomato Krill

          Re: Wrong

          No special characters in that, you must mean Password1?

  9. Anonymous Coward
    Anonymous Coward

    Dimwits....

    Not even arranged for cached versions of the page to be removed yet either....

  10. inmypjs Silver badge

    perpetrated...

    by a redeployed Flash developer I presume.

  11. ma1010
    FAIL

    Really nothing new

    Change the name to A-d'oh!-be

    They wrote Flash years ago, didn't they? I rest my case...

    1. Barry Rueger

      Re: Really nothing new

      Nope, Macromedia wrote Flash. Adobe got it when they bought Macromedia.

      Adobe's only real creations are what? Photoshop and Illustrator? PDF?

      1. luminous

        Re: Really nothing new

        Premiere is probably not that widely used but I would say Lightroom is very popular with Photographers. You may find that InDesign is used by many graphic houses for layouts but I wouldn't know about that.

        And even then... if they had only created Photoshop... what a creation. Think how many people in the world have a job because of that program.

        1. TRT Silver badge

          Re: Really nothing new

          They are also key players in PostScript, typefaces and Illustrator predates Photoshop. There are large chunks of its catalogue, though, that were obtained by acquisition. In fact PostScript is where they began, really. Ha! Remember that code 0 feature that let you permanently disable a printer with a well crafted PostScript file? Ah, Adobe. You spoil us with your security related humour.

        2. Pompous Git Silver badge

          Re: Really nothing new

          "You may find that InDesign is used by many graphic houses for layouts but I wouldn't know about that."
          Development of InDesign began at Aldus and was acquired by Adobe when they purchased Pagemaker from them. To say the least InDesign is InDispensible as is Postscript. So it goes...

      2. Alistair Dabbs

        Re: Really nothing new

        >> Macromedia wrote Flash

        Futuresplash, I think you'll find.

  12. Mystic Megabyte
    FAIL

    Fail

    No Adobe crap in this establishment so smug icon please.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fail

      No Adobe crap in this establishment so smug icon please.

      You either have never heard of Omniture, or you never go online.

  13. Bronek Kozicki
    Joke

    Perhaps they did it on purpose?

    Obligatory xkcd reference.

    1. Anonymous Coward
      Anonymous Coward

      Re: Perhaps they did it on purpose?

      I'm more of a https://xkcd.com/1181/ kind of guy!

  14. arctic_haze
    Joke

    On purpose?

    Maybe they believed the world will end today so why bother?

    By the way, the Reg had coverage of the previous end of the worlds like the one in 2012 while this year it absolutely missed the topic. The standards of journalism are slipping all the time.

    1. Anonymous Coward
      Anonymous Coward

      Re: On purpose?

      Better to wait until the excuses are posted as to why it didn't happen this time. A disjunct with reality never seems to even dent these beliefs. The more strongly your identity is vested in a particular belief - the more dangerous to your being to have to accept it is wrong.

      1. Jason Bloomberg Silver badge
        Alien

        Re: On purpose?

        Better to wait until the excuses are posted as to why it didn't happen this time.

        From what I've read, when they said the world would end, they now claim they meant the world as we knew it would end, and the world from now on will be very different.

        Not sure how that fits with claiming a fucking huge (*) previously invisible planet was going to come crashing into us. Badly I would suggest.

        (*) Apologies for not remembering what the Official El Reg Unit is. I keep thinking Mega-Jubs. But then I often do :)

  15. Christoph

    Wasn't it Adobe who had someone arrested for telling them about a vulnerability?

  16. phord

    The key claims to have been created on 2017-09-18. So probably not much was ever done with it.

  17. Anonymous Coward
    Anonymous Coward

    Time for a change.

    It is high time the "Fail" emoticon was replaced by Nelson Muntz pointing his finger.

    Ha HA !!!

  18. PyLETS

    User friendly encryption ?

    If the user of a product is aware that they have to do something in order to encrypt or decrypt then their security process isn't user friendly, because a secure process is secure by default. Crypto keys for typical users should be created and stored automatically, e.g. when they register a domain or account, and ideally stored where they're very unlikely to be meddled with by their user, and can't be meddled with by anyone else. Those able to access private keys in the first place need to know what they're doing with them, or these aren't secure.

    1. Charles 9

      Re: User friendly encryption ?

      Do it that way and (1) identities get screwed up when users (a) change providers, (b) move, or (c) switch computers; and (2) do you really want to trust the provider?

      1. Doctor Syntax Silver badge

        Re: User friendly encryption ?

        (3) and if the key leaks you're dependent on the provider for a new one.

  19. Stevie

    Bah!

    Internal memos about zero day exploits?

    Good one! Everyone knows that Adobe is the last to find out about 0DEs, and that by the time they do proof of concept code is already being printed on milk cartons.

  20. Packet

    El Reg needs to add a rooster icon.

    Biggest cock up, ever - courtesy those cretins at Adobe

  21. DerekCurrie
    Facepalm

    There's Hacking. Then there's stupid.

    Who needs hackers when there are people with the keys to the kingdom that simply hand them over.

    Should we give up on computer security? Is this too beyond the ability of average human beings to comprehend? Should we call ourselves apes and go back to the jungle?

    No. I believe this is all about our continuing to live in The Dark Age of Computing. Let's hurry up the computer renaissance already! It's nowhere in sight.

  22. Doctor Syntax Silver badge

    "Adobe has not returned a request for comment on the matter"

    Possible reason.

    Call from Adobe PR to tech support: "We've all been viewing this cat video someone emailed us and now our computers aren't working."

  23. Mike Shepherd
    Meh

    Who copied whom?

    The article is very similar to this one. Neither acknowledges the other (or any common source). I thought the whole point of a link was that you didn't need to duplicate.

  24. #define INFINITY -1

    I'm tempted to hit that down-arrow... but:

    diff -u el-reg-articles white-hat-crap

    - has not returned a request for comment on the matter,

    + has not answered a request for commentary on the matter,

    ...

    - moment. Namely, key rotation and internal public-private

    + moment. Namely, key turn and internal public-private

    \

    Make sense?

  25. Velv
    Devil

    "Adobe has not returned a request for comment on the matter"

    Couldn't you just use the leaked private key to make up your own signed response???

  26. EnviableOne
    FAIL

    And they continue ....

    Adobe is aware of the issue and has revoked the PGP key in question and published a new public and private key

    Someone should talk to their PR department about the difference between generating and publishing
