HostGator stops sending private encryption keys in plain text
Popular Web hosting company HostGator discontinued part of a legacy service that sent private encryption keys in a plain text e-mail, a practice that security experts say puts sensitive data at risk.
The service assists users in generating a certificate signing request for a Secure Sockets Layer (SSL) certificate. It can still be used, but the plain text e-mail component was disabled within 24 hours after this reporter contacted HostGator about the matter July 9.
Indicated by the little lock icon in a browser's URL bar, SSL is used to encrypt traffic between individuals and websites to create a secure connection. This prevents any sensitive information someone transmits, such as credit card data, from being intercepted in transit. Each SSL certificate has a corresponding private key that handles the encryption, and that key is known only to the person managing the website.
Sending keys in plain text means the key could be compromised if it is intercepted in transit. It is also exposed to the recipient's e-mail provider and could be compromised if e-mails are hacked, duplicated or forwarded. An attacker with the private key would be able to monitor traffic on the corresponding website. It is unknown how many people received keys this way from HostGator, since the service is used primarily by noncustomers, but the service has existed in this capacity since 2010. A HostGator representative said the company does not track the page's traffic.
HostGator said that it's not aware of any attacks or security compromises that resulted from sending plain text keys, but security experts described the practice as anathema to the security safeguards that SSL is meant to provide. Not only did HostGator send keys in plain text via e-mail, it also appears to have sent them over an unencrypted channel.
"That is disgraceful," says Peter Eckersley, chief computer scientist for the Electronic Frontier Foundation. "That's an indication of absolutely essential security measures that HostGator needed to take and didn't take."
HostGator isn't alone in sending sensitive information this way. EnVers Group, which runs , also sends SSL private keys in plain text to users over e-mail. The company did not reply to a request for an interview.
It's not just SSL keys: passwords are often sent in plain text e-mails. The blog has recorded instances of 3,100 companies sending passwords this way. The practice is "very pervasive," said Omer van Kloeten, who started the blog with fellow developer Igal Tabachnik because they were upset over websites e-mailing passwords in plain text.
HostGator hasn't made their list. Patrick Pelanne, HostGator's vice president of systems operations and engineering, says the company sent private keys in plain text due to the settings in a vendor's software. "This is sort of why we deprecated this process years ago and have gone to our internal system which locks all that down," he says.
For customers who host their site with HostGator, the company completes the entire process of acquiring SSL instead of the user having to request and install a certificate, unless the customer insists on a different certificate. This is common with many hosting services, which need access to the private key to install encryption on the hosted site.
"Getting people an SSL certificate is a good thing, and they should do that," said Johns Hopkins University security researcher Matthew Green. "So that's a positive. But there has to be a better way than sending it plain text."
The self-service HostGator tool that sent the plain text e-mail exists because of the complex nature of obtaining SSL.
To receive SSL for a website, the owner or manager of the site needs to request a signed certificate from a certificate authority such as Symantec or Comodo, which works with HostGator. The certificate authority's signature verifies that the certificate is valid. When a request is generated, the user receives two keys: one to help identify their request and the other to manage encryption on their website. The latter key should be kept secret so any potential attacker or eavesdropper can't easily monitor site traffic.
Usability issues arise when generating the request. The best way to create a certificate signing request is through the command line on one's own machine with a tool called OpenSSL, says Eckersley of EFF. But that can be complicated for those not familiar with programming. This method generates the private key locally, which means there isn't a third party involved. Certificate authorities such as Symantec for downloading and using the tool.
Prominent certificate authority DigiCert attempts to make this process easier for anyone creating an SSL certificate request by providing a form that to use on OpenSSL, which the user can then use to generate a key locally.
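An added example, not part of the article, of the local approach Eckersley describes: the private key and the certificate signing request (CSR) are generated on the site owner's own machine with OpenSSL, the key file is created readable only by its owner, and the CSR is checked against the key before anything is sent to the certificate authority. The hostname and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the article or from HostGator): generate the
# private key and the CSR locally, so the key never passes through a
# third-party web form or an e-mail.
set -eu

# gen_csr DIR CN
#   Writes DIR/site.key (private key) and DIR/site.csr, then prints "match"
#   if the public key embedded in the CSR belongs to that private key.
gen_csr() {
    dir=$1
    cn=$2
    umask 077   # files created from here on are readable by the owner only
    # 2048-bit RSA private key written straight to disk; it is never transmitted.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/site.key" 2>/dev/null
    # The CSR is derived from the key; only the CSR (no private material)
    # is what gets sent to the certificate authority.
    openssl req -new -key "$dir/site.key" -out "$dir/site.csr" \
        -subj "/CN=$cn" 2>/dev/null
    # Sanity check before sending: CSR public key must match the private key.
    key_pub=$(openssl pkey -in "$dir/site.key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$dir/site.csr" -pubkey -noout 2>/dev/null)
    if [ "$key_pub" = "$csr_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# key_mode FILE: prints the octal permission bits (expected "600" for the key).
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

workdir=$(mktemp -d)
gen_csr "$workdir" "example.com"    # constructed placeholder hostname
echo "private key mode: $(key_mode "$workdir/site.key")"
```

The CSR written to `site.csr` is the only artifact that needs to leave the machine; `site.key` stays where it was generated.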
For less tech-savvy site owners, easy-to-use services such as the HostGator tool are enticing ways to get the process started. Some, such as , display the private key and the key associated with the request on the webpage, but do not e-mail them.
These come with potential security issues, too. According to Eckersley, having a third party generate a request means they could potentially keep a copy of the private key. A HostGator representative said the company does not store a copy of keys generated through the online form.
Eckersley considers usability a priority. He's part of a team that will launch LetsEncrypt later this year. It will be the first certificate authority to offer free and completely automated SSL. LetsEncrypt will take the certificate signing request and installation process down to around 20 seconds.
"If our security tools are unusable," Eckersley said, "then we will wind up not using them."
This story was updated to clarify how many people were possibly affected by the issue and to include the date on which this reporter contacted HostGator.