I've been wondering, has a TLS server (or client, for that matter) key
ever actually been compromised? I don't think I've ever heard of one.

I'm thinking of two possible avenues for compromise, and ignoring
insider attacks. One is through defects in the protocol itself or its
implementation. The other would be through a compromise of the server
host (e.g. a buffer overflow in Apache) that allows the attacker to copy
the TLS server's private key from the file system.

It seems to me that in-the-wild attacks on the protocol or its
implementation are unheard of.

OTOH, we hear about server break-ins all the time. However, one never
hears about these break-ins leading to a compromise of the server's key.

Perhaps the server's private key isn't a really useful target? Although
possession of the key makes it easy to spoof a secure server, actually
doing that spoofing requires a secondary attack, like phishing or an
active attack on the Internet, to redirect a user to the false server.

So have there ever been any actual TLS private key compromises (through
any non-insider attack)?

If TLS private keys aren't attractive enough a target for them to be
compromised even when the opportunity presents itself (as I'm assuming
it has), then to what extent do these keys really need to be protected?

M.