Having some transparency about security problems with software is great, but Adobe’s Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT’s e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.
The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen:
Oh shit Adobe pic.twitter.com/7rDL3LWVVz
— Juho Nurminen (@jupenur) September 22, 2017
Nurminen was able to confirm that the key was associated with the firstname.lastname@example.org e-mail account.
To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT’s shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team’s blog. Here’s what that extension looks like:
A screenshot of Mailvelope’s settings panel in Chrome with part of my PGP public key visible. I will not be showing you my private key.
But instead of clicking on the “public” button, the person responsible clicked on “all” and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe’s PSIRT blog.
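The failure mode described above (an "all" export that bundles the private key next to the public one, then pasted somewhere public unread) is easy to catch mechanically before anything is published. The following is an added example, not code from the article, Adobe, or Mailvelope: a small pre-publication check that lists every ASCII-armor block in a blob of text and refuses it if any block is a private/secret key or if a block is truncated. The armor bodies in the sample input are constructed placeholders, not real key material, and the `check_export` and `list_armor_blocks` names are this example's own.

```python
"""Pre-publication lint for ASCII-armored PGP material.

Added example (not from the article or any vendor): before a key export is
pasted into a blog post or advisory, scan it for armor blocks and refuse it
if a private key block is present or a block is incomplete.
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches one armor delimiter line, e.g. "-----BEGIN PGP PUBLIC KEY BLOCK-----".
ARMOR_LINE = re.compile(r"-----(BEGIN|END) PGP ([A-Z ]+)-----$")

# Armor types that must never leave the machine that generated them.
PRIVATE_TYPES = {"PRIVATE KEY BLOCK", "SECRET KEY BLOCK"}

Block = Tuple[str, Optional[int], Optional[int]]  # (type, begin_line, end_line)


def list_armor_blocks(text: str) -> List[Block]:
    """Return (type, begin_line, end_line) for every armor block in `text`.

    A missing BEGIN or END line is reported as None so that a truncated
    block (for example a private key pasted without its footer) is still
    flagged rather than silently ignored.
    """
    blocks: List[Block] = []
    current: Optional[Tuple[str, int]] = None
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ARMOR_LINE.match(line.strip())
        if not m:
            continue
        kind, block_type = m.groups()
        if kind == "BEGIN":
            if current is not None:              # previous block never closed
                blocks.append((current[0], current[1], None))
            current = (block_type, line_no)
        elif current is not None and current[0] == block_type:
            blocks.append((current[0], current[1], line_no))
            current = None
        else:                                    # END with no matching BEGIN
            blocks.append((block_type, None, line_no))
    if current is not None:
        blocks.append((current[0], current[1], None))
    return blocks


def check_export(text: str) -> Dict[str, object]:
    """Decide whether `text` is safe to publish as a public-key export."""
    blocks = list_armor_blocks(text)
    private = [b for b in blocks if b[0] in PRIVATE_TYPES]
    truncated = [b for b in blocks if b[1] is None or b[2] is None]
    has_public = any(b[0] == "PUBLIC KEY BLOCK" for b in blocks)
    return {
        "blocks": blocks,
        "private_key_found": bool(private),
        "truncated": bool(truncated),
        # Publish only a complete export that contains a public key and
        # nothing secret.
        "safe_to_publish": has_public and not private and not truncated,
    }


# Constructed stand-in for an "export all" file: a public block followed by a
# private block. The base64 bodies are placeholders, not real key material.
SAMPLE_EXPORT_ALL = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBExampleExampleExampleExample==
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

lQOYBExampleExampleExampleExample==
=EfGh
-----END PGP PRIVATE KEY BLOCK-----
"""

# The same export with only the public block, i.e. what the "public" button
# would have produced.
SAMPLE_PUBLIC_ONLY = SAMPLE_EXPORT_ALL.split("-----BEGIN PGP PRIVATE")[0]


if __name__ == "__main__":
    for name, blob in (("export all", SAMPLE_EXPORT_ALL),
                       ("public only", SAMPLE_PUBLIC_ONLY)):
        report = check_export(blob)
        verdict = "OK to publish" if report["safe_to_publish"] else "REFUSED"
        print(f"{name}: {verdict}; blocks={report['blocks']}")
```

Run as a script, the "export all" sample is refused because a `PRIVATE KEY BLOCK` is present, while the public-only sample passes. Wiring `check_export` into whatever posts to the blog (or simply running it on the clipboard contents before pasting) turns a one-click mistake into a hard stop; the line numbers in the report point straight at the offending block.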
There are many people trying to make PGP communications better, but the fundamental architecture of PGP is such a pain to use that when Ars’ Lee Hutchinson e-mailed PGP creator Phillip Zimmermann in PGP format, Zimmermann refused to read the message that way—because his PGP key was not on his phone:
The newly generated Adobe PSIRT key, by the way, came straight out of GPGtools.