I'm thinking of two possible avenues for compromise, and ignoring insider attacks. One is through defects in the protocol itself or its implementation. The other would be through a compromise of the server host (e.g. a buffer overflow in Apache) that allows the attacker to copy the TLS server's private key from the file system.
It seems to me that in-the-wild attacks on the protocol or its implementation are unheard of.
OTOH, we hear about server break-ins all the time. However, one never hears about these break-ins leading to a compromise of the server's key.
Perhaps the server's private key isn't a really useful target? Although posession of the key makes it easy to spoof a secure server, actually doing that spoofing requires a secondary attack, like phishing or an active attack on the Internet, to redirect a user to the false server.
So have there ever been any actual TLS private key compromises (through any non-insider attack)?
If TLS private keys aren't attractive enough a target for them to be compromised even when the opportunity presents itself (as I'm assuming it has), then to what extent do these keys really need to be protected?
M.
smime.p7s
Description: S/MIME Cryptographic Signature
