Enlarge / Um, yes, that was Adobe PSIRT’s private PGP key on their website. Best get their new public key.

Having some transparency about security problems with software is great, but Adobe’s Product Security Incident Response Team (PSIRT) took that transparency a little too far today when a member of the team posted the PGP keys for PSIRT’s e-mail account—both the public and the private keys. The keys have since been taken down, and a new public key has been posted in its stead.

The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen:

Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account.

To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT’s shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team’s blog. Here’s what that extension looks like:

A screenshot of Mailvelope’s settings panel in Chrome with part of my PGP public key visible. I will not be showing you my private key.

But instead of clicking on the “public” button, the person responsible clicked on “all” and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe’s PSIRT blog.

There are many people trying to make PGP communications better, but the fundamental architecture of PGP is such a pain to use that when Ars’ Lee Hutchinson e-mailed PGP creator Phillip Zimmermann in PGP format, Zimmermann refused to read the message that way—because his PGP key was not on his phone:

The newly generated Adobe PSIRT key, by the way, came straight out of GPGtools.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.