There are at least two valid, signed TLS certificates that are bundled with publicly available Netgear device firmware.
These certificates are trusted by browsers on all platforms, but will surely be added to revocation lists shortly.
The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear's support website, without authentication; thus anyone in the world could have retrieved these keys.
| # based on http://uberblo.gs/2011/06/high-performance-url-shortening-with-redis-backed-nginx | |
| # using code from http://stackoverflow.com/questions/3554315/lua-base-converter | |
| # "database scheme" | |
| # database 0: id ~> url | |
| # database 1: id ~> hits | |
| # database 2: id ~> [{referer|user_agent}] | |
| # database 3: id ~> hits (when id is not found) | |
| # database 4: id ~> [{referer|user_agent}] (when id is not found) | |
| # database 5: key "count" storing the number of shortened urls; the id is generated by (this number + 1) converted to base 62 |