has a TLS server (or client, for that matter) key ever actually been
compromised?
Hi, Marc!
I don't know about in-the-wild attacks.
However, proof-of-concept attacks:
Server-side: Brumley and Boneh did timing attacks on Apache SSL
servers---see their Usenix Security paper from 2003.
I've been wondering, has a TLS server (or client, for that matter) key
ever actually been compromised? I don't think I've ever heard of one.
I'm thinking of two possible avenues for compromise, and ignoring
insider attacks. One is through defects in the protocol itself or its
implementation.