Recently a bank in Brazil had the private key for its main domain (and internet banking frontend) leaked. The leaker tried to ransom the bank but wasn’t happy, so he went to the press with a detailed report of what he had, and included a message signed with the bank’s key as proof. The bank denied everything.
But the more interesting thing was that, when confronted about the key, they said it was indeed legit, but their site had already been using a new certificate for a while, so everything was OK. And part of the press bought it, including sites aimed at technical audiences. That’s how much a lot of people in the real world don’t know exactly how PKI works.
It took a few weeks until the leaked cert was finally revoked. And now I wonder if it was really the bank that did it.
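The PKI point the comment makes is worth seeing in code: deploying a replacement certificate on the server does nothing to the old one, which remains a valid, CA-signed certificate for the same name until the issuing CA revokes it and the relying party actually consults the revocation data. The following is an added example, not part of the original comment or of any bank's systems. It builds a throwaway CA with the `cryptography` library, issues a "leaked" certificate and a replacement for a placeholder domain (`bank.example`, an assumption), and runs a minimal relying-party check with and without a CRL. The clock is pinned to a fixed date so the run is reproducible.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

DOMAIN = "bank.example"                 # placeholder, not a real bank's domain
NOW = datetime.datetime(2024, 1, 1)     # fixed clock (naive UTC) for a reproducible run
ONE_YEAR = datetime.timedelta(days=365)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_ca():
    """Throwaway self-signed CA, constructed for this example only."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Example CA")).issuer_name(_name("Example CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - ONE_YEAR).not_valid_after(NOW + 10 * ONE_YEAR)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_cert(ca_key, ca_cert, domain):
    """Issue an end-entity cert for `domain`; every call gets a fresh key and serial."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name(domain)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=30)).not_valid_after(NOW + ONE_YEAR)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(domain)]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def make_crl(ca_key, ca_cert, revoked_serials):
    """CA-signed CRL listing the given serial numbers as revoked."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())


def is_trusted(cert, ca_cert, crl, domain, now=NOW):
    """Minimal relying-party check: issuer signature, validity window, name, revocation.

    Note what is NOT here: nothing about which certificate the server currently
    serves. A client that never sees a CRL/OCSP answer cannot tell a leaked
    certificate from a live one.
    """
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False
    sans = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if domain not in sans.get_values_for_type(x509.DNSName):
        return False
    if crl is not None:
        if not crl.is_signature_valid(ca_cert.public_key()):
            return False                      # forged or tampered CRL: fail closed
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False
    return True


def demo():
    """Returns (leaked cert trusted before revocation, after revocation, replacement trusted)."""
    ca_key, ca_cert = make_ca()
    _leaked_key, leaked_cert = issue_cert(ca_key, ca_cert, DOMAIN)   # the compromised one
    _new_key, new_cert = issue_cert(ca_key, ca_cert, DOMAIN)         # the server's replacement
    # Putting new_cert on the server changes nothing about leaked_cert's standing.
    before_revocation = is_trusted(leaked_cert, ca_cert, None, DOMAIN)
    # Only revocation data from the issuing CA removes trust in the leaked cert.
    crl = make_crl(ca_key, ca_cert, [leaked_cert.serial_number])
    after_revocation = is_trusted(leaked_cert, ca_cert, crl, DOMAIN)
    replacement_ok = is_trusted(new_cert, ca_cert, crl, DOMAIN)
    return before_revocation, after_revocation, replacement_ok


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Two practical takeaways follow from the run: rotating the key on the server is necessary but not sufficient after a leak, and the revocation only helps clients that fetch and enforce CRL or OCSP data, which many TLS stacks soft-fail on by default.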