{"id":5402,"date":"2017-11-21T13:59:24","date_gmt":"2017-11-21T18:59:24","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=5402"},"modified":"2023-04-07T14:27:35","modified_gmt":"2023-04-07T18:27:35","slug":"dont-publish-private-key-github","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/dont-publish-private-key-github\/","title":{"rendered":"Helpful Tip: Don\u2019t Publish Your Private Key on GitHub"},"content":{"rendered":"<h2>DJI\u2019s bug bounty program stumbles after researcher finds its SSL private key on GitHub<\/h2>\n<p>Security Researcher Fevin Finisterre stumbled across a serious flaw in DJI\u2019s web security: the company had accidentally published its private key on GitHub. And while the rest of the story about Finisterre and DJI is interesting, and we will get to it in a moment, this is the point in time where, as an SSL blog, we need to state the obvious:<\/p>\n<p><strong>Don\u2019t publish your SSL certificate\u2019s private key on GitHub.<\/strong><\/p>\n<p>In fact, this is a good opportunity to talk about good security hygiene when it comes to key storage. It\u2019s called a Private Key for a reason, it needs to be guarded and kept private. We say it all the time, but if your private key is compromised your entire SSL certificate is compromised. Hackers and Cybercriminals can literally wreak havoc with your private key.<\/p>\n<p>So be careful where you store it.<\/p>\n<span style=\"--tl-form-height-m:150.25px;--tl-form-height-t:121.4583px;--tl-form-height-d:121.4583px;\" class=\"tl-placeholder-f-type-shortcode_12753 tl-preload-form\"><span><\/span><\/span>\n<p><a href=\"https:\/\/www.thesslstore.com\/comodo\/ev-code-signing.aspx\" target=\"_blank\" rel=\"noopener\">Extended Validation Code Signing certificates<\/a> actually come with their private keys stored on a physical hardware token. But you can store any private key on a physical hardware token\u2014it doesn\u2019t have to just be EV keys.<\/p>\n<p>And frankly, we recommend doing that. Don\u2019t store your private key on your network where someone unauthorized can access it. <strong>Store your private key in a physical hardware token<\/strong> that can be physically accounted for at all times. This adds a beneficial additional layer of security. Now someone actually has to physically obtain the key before they can use it.<\/p>\n<p>We recommend storing your private keys on physical hardware tokens.<\/p>\n<p>Now, let\u2019s move on to DJI and Kevin Finisterre<\/p>\n<h2>Here\u2019s how not to run a bounty program<\/h2>\n<p>Bounty programs are becoming more and more common. If you don\u2019t already know, basically a company partners with white hat hackers (good hackers) to try to find vulnerabilities in their networks and systems before a malicious actor can find them.<\/p>\n<p>DJI, a Chinese technology company, recently kicked off its own bounty program. Finisterre and his team contacted DJI shortly after to inquire about whether the private key they found was within the scope of its bounty program. DJI responded that it was and the two sides began negotiating around the $30,000 bounty.<\/p>\n<p>Where things fell apart is that DJI didn\u2019t want the bounty publicly disclosed. That\u2019s a problem for most white hat hackers because the notoriety that comes with finding these bugs is worth as much, if not more than the cash prize. It\u2019d be like getting to meet your favorite celebrity but being forced to sign a non-disclosure agreement that prevented you from telling anyone.<\/p>\n<p>That\u2019s a non-starter.<\/p>\n<p>After negotiations broke down, <a href=\"https:\/\/regmedia.co.uk\/2017\/11\/16\/whyiwalkedfrom3k.pdf\" rel=\"nofollow\">Finisterre went public anyway<\/a>. His account has been circulating the web ever since.<\/p>\n<p>DJI, for its part, has now launched a website for its bounty program where it clearly lists its terms and conditions. This is a step in the right direction, but it\u2019s also something that probably should have been done before any of this ever happened.<\/p>\n<p>Regardless, just remember: be careful where you store your private<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DJI\u2019s bug bounty program stumbles after researcher finds its SSL private key on GitHub Security Researcher Fevin Finisterre stumbled across a serious flaw in DJI\u2019s web security: the company had&#8230;<\/p>\n","protected":false},"author":6,"featured_media":5403,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[5255],"class_list":["post-5402","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-private-keys","post-with-tags"],"views":11993,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/11\/iStock-532351758.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/5402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=5402"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/5402\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/5403"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=5402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=5402"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=5402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}