Previous certificates for GitHub and Dropbox have been revoked for this
reason.

If this problem has been reintroduced, they similarly need to be revoked.

On Tue, Jun 20, 2017 at 4:57 PM annie nguyen via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Hi!
>
> I'm not sure if this is the correct place to ask (I'm not sure where
> else I would ask). I'm so sorry if this message is unwanted.
>
> Earlier this week, a certificate for a domain resolving to 127.0.0.1 in
> a Cisco application was revoked, because it was deemed to have been
> compromised.
>
> Dropbox, GitHub, Spotify and Discord (among others) have done the same
> thing for years: they embed SSL certificates and private keys into their
> applications so that, for example, open.spotify.com can talk to a local
> instance of Spotify (which must be served over https because
> open.spotify.com is also delivered over https).
>
> This has happened for years, and these applications have certificates
> issued by DigiCert and Comodo all pointing to 127.0.0.1 whose private
> keys are trivially retrievable, since they're embedded in publicly
> distributed binaries.
>
> - GitHub: ghconduit.com
> - Discord: discordapp.io
> - Dropbox: www.dropboxlocalhost.com
> - Spotify: *.spotilocal.com
>
> Here is Spotify's, for example:
> https://gist.github.com/venoms/d2d558b1da2794b9be6f57c5e81334f0
>
> ----
>
> What I want to know is: how does this differ from Cisco's situation? Why
> was Cisco's key revoked and considered compromised, but these have been
> known about and deemed acceptable for years - what makes the situation
> different?
>
> It's been an ongoing question for me, since the use case (as a software
> developer) is quite real: if you serve a site over HTTPS and it needs to
> communicate with a local client application then you need this (or, you
> need to manage your own CA, and ask every person to install a
> certificate on all their devices).
>
> Thank you so much,
> Annie
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
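The risk Annie describes (a private key shipped inside a publicly distributed binary) is something a release pipeline can catch before the artifact leaves the build. The following is an added example, not code from this thread or from any of the projects named in it; it uses only the Python standard library, scans a constructed stand-in blob for PEM private key blocks, and fingerprints each one so it can be tracked across builds or reported to the issuing CA for revocation.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Matches any PEM-armoured private key: PKCS#1 RSA, SEC1 EC, PKCS#8, encrypted PKCS#8.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)


def find_embedded_private_keys(blob: bytes) -> List[Dict[str, object]]:
    """Return one finding per syntactically valid PEM private key inside a binary.

    Each finding records the byte offset, the PEM label, whether the key is
    password protected, and the SHA-256 of the decoded DER, which identifies the
    key without re-shipping it in a report. Blocks whose body is not valid base64
    (false positives from string tables, test fixtures, etc.) are skipped.
    """
    findings: List[Dict[str, object]] = []
    for m in PEM_KEY_RE.finditer(blob):
        label = m.group(1).decode("ascii")
        body = re.sub(rb"\s+", b"", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        findings.append({
            "offset": m.start(),
            "label": label,
            "encrypted": label.startswith("ENCRYPTED"),
            "der_len": len(der),
            "der_sha256": hashlib.sha256(der).hexdigest(),
        })
    return findings


def _pem(label: str, der: bytes) -> bytes:
    """Wrap bytes in PEM armour (used only to build the constructed sample below)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n".encode() + b"\n".join(lines) + f"\n-----END {label}-----\n".encode()


# Constructed stand-in for a shipped binary: two fake keys (NOT real key material) among
# unrelated bytes, plus a certificate block and a corrupt key block that must not be reported.
FAKE_RSA_DER = b"constructed-stand-in-for-rsa-key-bytes" * 3
FAKE_PKCS8_DER = b"constructed-stand-in-for-pkcs8-bytes" * 2
SAMPLE_BINARY = (
    b"\x7fELF\x00\x01\x02 unrelated code bytes "
    + _pem("RSA PRIVATE KEY", FAKE_RSA_DER)
    + _pem("CERTIFICATE", b"cert-bytes-not-a-key")
    + b"-----BEGIN PRIVATE KEY-----\nnot!valid@base64\n-----END PRIVATE KEY-----\n"
    + _pem("ENCRYPTED PRIVATE KEY", FAKE_PKCS8_DER)
    + b" trailing data"
)

if __name__ == "__main__":
    for f in find_embedded_private_keys(SAMPLE_BINARY):
        print(f"offset={f['offset']} {f['label']} encrypted={f['encrypted']} sha256={f['der_sha256']}")
```

Run against a real build artifact, any unencrypted finding should fail the pipeline; an encrypted block still deserves review, since the passphrase usually ships in the same binary.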