Ten ways to fail at public key cryptography, Today:

When encrypting a file for your coworker, encrypt for your own key instead of his/hers

  • 2
    #2: Sign with public key and distribute private key (without any certificate, of course) to all recipients.

    Yes, I've seen that one in production.

    Security often works just accidentally.
  • 0
    Wasn't Adobe the guilty one? Or at least a prominent example
  • 0
    @knicklux I don't know about Adobe on that point. My example was a small german company, but with a product that is known and used nationwide.

    But I got another example just today where companies are juggling with expired certificates and when you tell them, you only get the answer that those certificates are not really needed, just use the keys without certifcate or ignore the validity and continue to use the expired certificate.
    I should reply "Oh come on, you brainless dipshit, if I cannot validate the certificate chain when one certificate is expired, the end user certificate is not valid. And I will not weaken the security because you are to stupid to keep your PKI up to date". But I'm too kind for such an answer.
Add Comment