43 lines
1.5 KiB
Plaintext
43 lines
1.5 KiB
Plaintext
|
|
||
|
|
include::../../../shared_content/secrets/description.adoc[]
|
||
|
|
|
||
|
|
== Why is this an issue?
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/rationale.adoc[]
|
||
|
|
|
||
|
|
If an attacker gains access to an SSLMate secret, they might be able to gain access to the SSL/TLS certificate of organisations.
|
||
|
|
|
||
|
|
=== What is the potential impact?
|
||
|
|
|
||
|
|
SSLMate provides APIs used by organizations to issue and monitor SSL/TLS certificates.
|
||
|
|
These certificates guaranty the authenticity of the organization's servers, and the confidentiality of the data exchanged with them.
|
||
|
|
Depending on the permission granted to the API key, an attacker could potentially create, revoke, or modify SSL/TLS certificates of the organization.
|
||
|
|
|
||
|
|
Creating certificates would allow attackers to impersonate the organization's servers. This leads to Man-In-The-Middle attacks that would
|
||
|
|
affect both the confidentiality and integrity of the communications from clients
|
||
|
|
to that server.
|
||
|
|
|
||
|
|
== How to fix it
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/fix/revoke.adoc[]
|
||
|
|
|
||
|
|
Also, revoke certificates that were issued since the leak. Doing so
|
||
|
|
will ensure that all people and assets that rely on these certificates are aware of its compromise and stop trusting it.
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/fix/recent_use.adoc[]
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/fix/vault.adoc[]
|
||
|
|
|
||
|
|
|
||
|
|
=== Code examples
|
||
|
|
|
||
|
|
:example_secret: k15341_bc5T6Zbfv5ozwrwb3qyn
|
||
|
|
:example_name: sslmate.api_key
|
||
|
|
:example_env: SSLMATE_API_KEY
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/examples.adoc[]
|
||
|
|
|
||
|
|
== Resources
|
||
|
|
|
||
|
|
include::../../../shared_content/secrets/resources/standards.adoc[]
|