The Security Risk of Vendor-Supplied Default SSL Certificates

Fri 30 October 2009 Category: Security

Often, software comes supplied with some default SSL certificate, for testing purposes, such as those 'snake oil' certificates (they are called snake oil certificates for a reason). In practice, I often encounter usage of such certificates. People may seem to think that as long SSL is used, authentication and thus credentials are safe, but nothing could be further from the truth.

If you encounter a service that uses a default vendor-supplied SSL certificate, decryption of communication is trivial. Just obtain a copy of this vendor software and grab the private key. This private key can be loaded into Wireshark to decrypt any captured SSL traffic that has been encrypted with this certificate. Please read this link about decrypting SSL with Wireshark.

So it is important to always replace default SSL certificates with a freshly generated, no matter if it is self-signed or not.