HostGator stops sending private encryption keys in plain text
The Web hosting service had been e-mailing plain text private keys used for decrypting secure data transmitted online – a practice security experts say puts sensitive information at risk.
Popular Web hosting company HostGator discontinued part of a legacy service that sent private encryption keys in a plain text e-mail, a practice that security experts say puts sensitive data at risk.
The service assists users in generating a request for a Secure Socket Layer certificate signature. It can still be used but the plain text e-mail component was disabled within 24 hours after this reporter contacted HostGator about the matter July 9.
Indicated by the little lock icon in a browser's URL bar, SSL is used to encrypt traffic between individuals and websites to create a secure connection. This prevents any sensitive information someone transmits – such as credit card data – from being intercepted in transit. Each SSL certificate has a corresponding key that handles the encryption, and is known only to the person managing the website.
Sending keys in plain text means the key could be compromised if it is intercepted in transit. It is also exposed to recipients' e-mail provider and could be compromised if e-mails are hacked, duplicated or forwarded. An attacker with the private key would be able to monitor traffic on the corresponding website. It is unknown how many people received keys this way from HostGator since the service is used primarily by noncustomers, but the service has existed in this capacity since 2010. A HostGator representative said the company does not track the page's traffic.
HostGator said that it's not aware of any attacks or security compromises that resulted from sending plain text keys, but security experts described the practice as anathema to security safeguards that SSL is meant to accomplish. Not only did HostGator send keys in plain text via e-mail, it also appears to have sent them over an unencrypted channel.
"That is disgraceful," says Peter Eckersley, chief computer scientist for the Electronic Frontier Foundation. "That’s an indication of absolutely essential security measures that HostGator needed to take and didn’t take."
HostGator isn't alone in sending sensitive information this way. EnVers Group, which runs GoGetSSL generator, also sends SSL private keys in plain text to users over e-mail. The company did not reply to a request for an interview.
It's not just SSL keys, passwords are often sent in plain text e-mails. The blog Plain Text Offenders has recorded instances of 3,100 companies sending passwords this way. The practice is "very pervasive," said Omer van Kloeten, who started the blog with fellow developer Igal Tabachnik because they were upset over websites e-mailing passwords in plain text.
HostGator hasn't made their list. Patrick Pelanne, HostGator’s vice president of systems operations and engineering, says the company sent private keys in plain text due to the settings in a vendor's software. "This is sort of why we deprecated this process years ago and have gone to our internal system which locks all that down," he says.
For customers who host their site with HostGator, the company completes the entire process of acquiring SSL instead of the user having to request and install a certificate, unless the customer insists on a different certificate. This is common with many hosting services, which need access to the private key to install encryption on the hosted site.
"Getting people an SSL certificate is a good thing, and they should do that," said Johns Hopkins University security researcher Matthew Green. "So that’s a positive. But there has to be a better way than sending it plain text."
The self-service HostGator tool that sent the plain text e-mail exists because of the complex nature of obtaining SSL.
To receive SSL for a website, the owner or manager of the site needs to request a signed certificate from a certificate authority such as Symantec or Comodo, which works with HostGator. The certificate authority's signature verifies that the certificate is valid. When a request is generated, the user receives two keys: one to help identify their request and the other to manage encryption on their website. The latter key should be kept secret so any potential attacker or eavesdropper can't easily monitor site traffic.
Usability issues arise when generating the request. The best way to create a certificate signature request is through the command line on one's machine with a tool called OpenSSL, says Eckersley of EFF. But that can be complicated for those not familiar with programming. This method generates a private key locally, which means there isn’t a third party involved. Certificate authorities such as Symantec provide instructions for downloading and using the tool.
Prominent certificate authority DigiCert attempts to make this process easier for anyone creating an SSL certificate request by providing a form that generates a custom command to use on OpenSSL, which the user can then use to generate a key locally.
For less tech-savvy site owners, easy-to-use services such as the HostGator tool are enticing ways to get the process started. Some, such as TrustiCo’s generator, display the private key and the key associated with the request on the webpage, but does not e-mail it.
These come with potential security issues, too. According to Eckersley, having a third party generate a request means they could potentially keep a copy of the private key. A HostGator representative said the company does not store a copy of keys generated through the online form.
Eckersley considers usability a priority. He's part of a team that will launch LetsEncrypt later this year. It will be the first certificate authority to offer free and completely automated SSL. LetsEncrypt will take the certificate signing request and installation process down to around 20 seconds.
"If our security tools are unusable," Eckersley said, "then we will wind up not using them."
This story was updated to clarify how many people were possibly affected by the issue and to include the date on which this reporter contacted HostGator.