
HostGator stops sending private encryption keys in plain text

The Web hosting service had been e-mailing plain text private keys used for decrypting secure data transmitted online – a practice security experts say puts sensitive information at risk.

Reuters

July 15, 2015

Popular Web hosting company HostGator discontinued part of a legacy service that sent private encryption keys in a plain text e-mail, a practice that security experts say puts sensitive data at risk.

The service assists users in generating a request for a Secure Sockets Layer certificate signature. It can still be used, but the plain text e-mail component was disabled within 24 hours after this reporter contacted HostGator about the matter July 9.

Indicated by the little lock icon in a browser's URL bar, SSL is used to encrypt traffic between individuals and websites to create a secure connection. This prevents any sensitive information someone transmits – such as credit card data – from being intercepted in transit. Each SSL certificate has a corresponding key that handles the encryption, and is known only to the person managing the website.


Sending keys in plain text means the key could be compromised if it is intercepted in transit. It is also exposed to recipients' e-mail provider and could be compromised if e-mails are hacked, duplicated or forwarded. An attacker with the private key would be able to monitor traffic on the corresponding website. It is unknown how many people received keys this way from HostGator since the service is used primarily by noncustomers, but the service has existed in this capacity since 2010. A HostGator representative said the company does not track the page's traffic.

HostGator said that it's not aware of any attacks or security compromises that resulted from sending plain text keys, but security experts described the practice as anathema to the security safeguards that SSL is meant to accomplish. Not only did HostGator send keys in plain text via e-mail, it also appears to have sent them over an unencrypted channel.

"That is disgraceful," says Peter Eckersley, chief computer scientist for the Electronic Frontier Foundation. "That’s an indication of absolutely essential security measures that HostGator needed to take and didn’t take."

HostGator isn't alone in sending sensitive information this way. EnVers Group, which runs , also sends SSL private keys in plain text to users over e-mail. The company did not reply to a request for an interview.

It's not just SSL keys: passwords are often sent in plain text e-mails. The blog  has recorded instances of 3,100 companies sending passwords this way. The practice is "very pervasive," said Omer van Kloeten, who started the blog with fellow developer Igal Tabachnik because they were upset over websites e-mailing passwords in plain text.


HostGator hasn't made their list. Patrick Pelanne, HostGator's vice president of systems operations and engineering, says the company sent private keys in plain text due to the settings in a vendor's software. "This is sort of why we deprecated this process years ago and have gone to our internal system which locks all that down," he says.

For customers who host their site with HostGator, the company completes the entire process of acquiring SSL instead of the user having to request and install a certificate, unless the customer insists on a different certificate. This is common with many hosting services, which need access to the private key to install encryption on the hosted site.

"Getting people an SSL certificate is a good thing, and they should do that," said Johns Hopkins University security researcher Matthew Green. "So that's a positive. But there has to be a better way than sending it plain text."

The self-service HostGator tool that sent the plain text e-mail exists because of the complex nature of obtaining SSL.

To receive SSL for a website, the owner or manager of the site needs to request a signed certificate from a certificate authority such as Symantec or Comodo, which works with HostGator. The certificate authority's signature verifies that the certificate is valid. When a request is generated, the user receives two keys: one to help identify their request and the other to manage encryption on their website. The latter key should be kept secret so any potential attacker or eavesdropper can't easily monitor site traffic.

Usability issues arise when generating the request. The best way to create a certificate signing request is through the command line on one's own machine with a tool called OpenSSL, says Eckersley of EFF. But that can be complicated for those not familiar with programming. This method generates the private key locally, which means there isn't a third party involved. Certificate authorities such as Symantec  for downloading and using the tool.

Prominent certificate authority DigiCert attempts to make this process easier for anyone creating an SSL certificate request by providing a form that  to use on OpenSSL, which the user can then use to generate a key locally.
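The local OpenSSL workflow the preceding paragraphs describe, and the point of the article about never sending the private key anywhere, can be shown concretely. The script below is an added example, not code from HostGator, DigiCert or any other party named here. It generates the private key on the local machine with restrictive permissions, builds the certificate signing request (CSR) from that key, confirms the CSR really belongs to the key by comparing public keys, and checks that the one file that leaves the machine (the CSR) contains no private-key material. The subject fields and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not HostGator's or any CA's code): generate a private key and a
# CSR locally with OpenSSL, so no third party ever sees the private key.
# Subject fields and file names below are constructed for illustration.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJECT="/C=US/ST=Example/L=Example/O=Example Org/CN=www.example.com"  # constructed

# 1. Private key generated locally, created with umask 077 and left at mode 600
#    so only the owner can read it. This file never leaves the machine.
gen_private_key() {
  key="$1"
  (umask 077; openssl genrsa -out "$key" 2048 2>/dev/null)
  chmod 600 "$key"
}

# 2. CSR derived from that key: it embeds only the subject and the public key,
#    plus a signature proving possession of the private key.
gen_csr() {
  key="$1"; csr="$2"
  openssl req -new -key "$key" -out "$csr" -subj "$SUBJECT" 2>/dev/null
}

# 3. Confirm the CSR and the key belong together by hashing both public keys.
csr_matches_key() {
  key="$1"; csr="$2"
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 4. Guard for anything about to be e-mailed or pasted into a web form:
#    succeeds (exit 0) if the file carries a PEM private-key block.
contains_private_key() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# 5. A key readable by group or others is a finding; expect mode 600.
key_perms_ok() {
  perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$perms" = "600" ]
}

# Stand-alone usage: build the pair, then apply the checks before sending the CSR.
KEY="$WORKDIR/www.example.com.key"
CSR="$WORKDIR/www.example.com.csr"
gen_private_key "$KEY"
gen_csr "$KEY" "$CSR"
csr_matches_key "$KEY" "$CSR" && echo "CSR public key matches the local private key"
key_perms_ok "$KEY" && echo "private key is mode 600 (owner-only)"
if contains_private_key "$CSR"; then
  echo "STOP: $CSR contains private-key material; do not send it"
else
  echo "$CSR holds only the request; this is the file to submit to the CA"
fi
contains_private_key "$KEY" && echo "$KEY stays here; it is never e-mailed or uploaded"
```

Only the `.csr` file is submitted to the certificate authority; the `.key` file is what the hosting provider would need to install the certificate, and the article's complaint is precisely that it was travelling by plain text e-mail. The `contains_private_key` check is the kind of outbound gate a provider could apply to its own mail templates.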

For less tech-savvy site owners, easy-to-use services such as the HostGator tool are enticing ways to get the process started. Some, such as , display the private key and the key associated with the request on the webpage, but do not e-mail it.

These come with potential security issues, too. According to Eckersley, having a third party generate a request means they could potentially keep a copy of the private key. A HostGator representative said the company does not store a copy of keys generated through the online form.

Eckersley considers usability a priority. He's part of a team that will launch Let's Encrypt later this year. It will be the first certificate authority to offer free and completely automated SSL. Let's Encrypt will take the certificate signing request and installation process down to around 20 seconds.

"If our security tools are unusable," Eckersley said, "then we will wind up not using them."

This story was updated to clarify how many people were possibly affected by the issue and to include the date on which this reporter contacted HostGator.