Modern field guide to security and privacy

HostGator stops sending private encryption keys in plain text

The Web hosting service had been e-mailing plain text private keys used for decrypting secure data transmitted online – a practice security experts say puts sensitive information at risk.


Popular Web hosting company HostGator discontinued part of a legacy service that sent private encryption keys in a plain text e-mail, a practice that security experts say puts sensitive data at risk. 

The service assists users in generating a request for a Secure Sockets Layer certificate signature. It can still be used, but the plain text e-mail component was disabled within 24 hours after this reporter contacted HostGator about the matter July 9. 

Indicated by the little lock icon in a browser's URL bar, SSL is used to encrypt traffic between individuals and websites to create a secure connection. This prevents any sensitive information someone transmits – such as credit card data – from being intercepted in transit. Each SSL certificate has a corresponding private key that handles the encryption, and that key is meant to be known only to the person managing the website. 

Sending keys in plain text means the key could be compromised if it is intercepted in transit. It is also exposed to recipients' e-mail provider and could be compromised if e-mails are hacked, duplicated or forwarded. An attacker with the private key would be able to monitor traffic on the corresponding website. It is unknown how many people received keys this way from HostGator since the service is used primarily by noncustomers, but the service has existed in this capacity since 2010. A HostGator representative said the company does not track the page's traffic.

HostGator said that it's not aware of any attacks or security compromises that resulted from sending plain text keys, but security experts described the practice as anathema to security safeguards that SSL is meant to accomplish. Not only did HostGator send keys in plain text via e-mail, it also appears to have sent them over an unencrypted channel. 

"That is disgraceful," says Peter Eckersley, chief computer scientist for the Electronic Frontier Foundation. "That’s an indication of absolutely essential security measures that HostGator needed to take and didn’t take."

HostGator isn't alone in sending sensitive information this way. EnVers Group, which runs GoGetSSL generator, also sends SSL private keys in plain text to users over e-mail. The company did not reply to a request for an interview.

It's not just SSL keys; passwords are often sent in plain text e-mails, too. The blog Plain Text Offenders has recorded instances of 3,100 companies sending passwords this way. The practice is "very pervasive," said Omer van Kloeten, who started the blog with fellow developer Igal Tabachnik because they were upset over websites e-mailing passwords in plain text.

HostGator hasn't made their list. Patrick Pelanne, HostGator’s vice president of systems operations and engineering, says the company sent private keys in plain text due to the settings in a vendor's software. "This is sort of why we deprecated this process years ago and have gone to our internal system which locks all that down," he says.

For customers who host their site with HostGator, the company completes the entire process of acquiring SSL instead of the user having to request and install a certificate, unless the customer insists on a different certificate. This is common with many hosting services, which need access to the private key to install encryption on the hosted site.

"Getting people an SSL certificate is a good thing, and they should do that," said Johns Hopkins University security researcher Matthew Green. "So that’s a positive. But there has to be a better way than sending it plain text."

The self-service HostGator tool that sent the plain text e-mail exists because of the complex nature of obtaining SSL.

To receive SSL for a website, the owner or manager of the site needs to request a signed certificate from a certificate authority such as Symantec or Comodo, which works with HostGator. The certificate authority's signature verifies that the certificate is valid. When a request is generated, the user receives two keys: one that identifies their request and the other, the private key, that manages encryption on their website. The latter key should be kept secret so any potential attacker or eavesdropper can't easily monitor site traffic. 

Usability issues arise when generating the request. The best way to create a certificate signature request is through the command line on one's machine with a tool called OpenSSL, says Eckersley of EFF. But that can be complicated for those not familiar with programming. This method generates a private key locally, which means there isn’t a third party involved. Certificate authorities such as Symantec provide instructions for downloading and using the tool. 

Prominent certificate authority DigiCert attempts to make this process easier for anyone creating an SSL certificate request by providing a form that generates a custom command to use on OpenSSL, which the user can then use to generate a key locally.
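The local OpenSSL route described above, as an added example that is not from the article or from any of the companies it names: the private key is generated on the user's own machine with owner-only permissions, and only the certificate signing request is handed to the certificate authority. The domain name is a constructed placeholder, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: generate an SSL private key and CSR locally with OpenSSL so the
# private key never passes through a third party's web form or e-mail inbox.
# Assumptions: the openssl CLI is installed; the domain below is a placeholder.
set -eu

# Create "$2.key" and "$2.csr" inside directory "$1".
# umask 077 makes OpenSSL write the key readable by its owner only.
make_csr() {
    dir="$1"; domain="$2"
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/$domain.key" 2>/dev/null )
    # Only the .csr leaves this machine; the .key stays here.
    openssl req -new -batch -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/CN=$domain" 2>/dev/null
}

# Return 0 if the CSR ($2) carries the public half of key file ($1) and its
# self-signature verifies, i.e. the request really belongs to this key.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ] && \
        openssl req -in "$2" -noout -verify >/dev/null 2>&1
}

# Return 0 if the key file is readable by its owner alone (mode 600 or 400).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Stand-alone run: build a key pair and CSR in a scratch directory and check both.
work=$(mktemp -d)
make_csr "$work" "www.example.test"
csr_matches_key "$work/www.example.test.key" "$work/www.example.test.csr" \
    && echo "CSR matches local private key"
key_is_private "$work/www.example.test.key" \
    && echo "private key is owner-readable only"
```

The .csr file is what a certificate authority needs; the .key file should stay on the machine that generated it and later be installed on the web server directly.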

For less tech-savvy site owners, easy-to-use services such as the HostGator tool are enticing ways to get the process started. Some, such as TrustiCo’s generator, display the private key and the key associated with the request on the webpage but do not e-mail them.

These come with potential security issues, too. According to Eckersley, having a third party generate a request means they could potentially keep a copy of the private key. A HostGator representative said the company does not store a copy of keys generated through the online form.

Eckersley considers usability a priority. He's part of a team that will launch LetsEncrypt later this year. It will be the first certificate authority to offer free and completely automated SSL. LetsEncrypt will take the certificate signing request and installation process down to around 20 seconds. 

"If our security tools are unusable," Eckersley said, "then we will wind up not using them."

This story was updated to clarify how many people were possibly affected by the issue and to include the date on which this reporter contacted HostGator.

https://www.csmonitor.com/World/Passcode/2015/0715/HostGator-stops-sending-private-encryption-keys-in-plain-text