Apparently, in at least one case, the certificate was issued directly(!) to localhost by Symantec.
https://news.ycombinator.com/item?id=14598262

subject=/C=US/ST=Florida/L=Melbourne/O=AuthenTec/OU=Terms of use at www.verisign.com/rpa (c)05/CN=localhost
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

Is this a known incident?

On Tuesday, June 20, 2017 at 4:14:34 PM UTC-4, Ryan Sleevi wrote:
> Previous certificates for GitHub and Dropbox have been revoked for this
> reason.
>
> If this problem has been reintroduced, they similarly need to be revoked.
>
> On Tue, Jun 20, 2017 at 4:57 PM annie nguyen via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Hi!
> >
> > I'm not sure if this is the correct place to ask (I'm not sure where
> > else I would ask). I'm so sorry if this message is unwanted.
> >
> > Earlier this week, a certificate for a domain resolving to 127.0.0.1 in
> > a Cisco application was revoked, because it was deemed to have been
> > compromised.
> >
> > Dropbox, GitHub, Spotify and Discord (among others) have done the same
> > thing for years: they embed SSL certificates and private keys into their
> > applications so that, for example, open.spotify.com can talk to a local
> > instance of Spotify (which must be served over https because
> > open.spotify.com is also delivered over https).
> >
> > This has happened for years, and these applications have certificates
> > issued by DigiCert and Comodo all pointing to 127.0.0.1 whose private
> > keys are trivially retrievable, since they're embedded in publicly
> > distributed binaries.
> >
> > - GitHub: ghconduit.com
> > - Discord: discordapp.io
> > - Dropbox: www.dropboxlocalhost.com
> > - Spotify: *.spotilocal.com
> >
> > Here is Spotify's, for example:
> > https://gist.github.com/venoms/d2d558b1da2794b9be6f57c5e81334f0
> >
> > ----
> >
> > What I want to know is: how does this differ to Cisco's situation? Why
> > was Cisco's key revoked and considered compromised, but these have been
> > known about and deemed acceptable for years - what makes the situation
> > different?
> >
> > It's been an on-going question for me, since the use case (as a software
> > developer) is quite real: if you serve a site over HTTPS and it needs to
> > communicate with a local client application then you need this (or, you
> > need to manage your own CA, and ask every person to install a
> > certificate on all their devices)
> >
> > Thank you so much,
> > Annie
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
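The thread's core point is that a key shipped inside a publicly distributed binary is a compromised key, whatever name the certificate carries. The check a defender wants is therefore "does this build contain a PEM private key at all?". The scanner below is an added example, not code from the thread or from any of the vendors named; it walks an application bundle, locates PEM blocks, and fingerprints their DER bodies so the same key can be correlated across releases. The sample "binary" is constructed inline and contains a placeholder, not a real key.

```python
"""Find PEM private keys and certificates embedded in a distributed application bundle."""
import base64
import binascii
import hashlib
import os
import re
from typing import NamedTuple

# Any PEM block; the label distinguishes keys ("... PRIVATE KEY") from certificates.
# Limitation (assumption of this example): DER-only or obfuscated keys are not detected.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


class Finding(NamedTuple):
    path: str      # file the block was found in
    offset: int    # byte offset of the "-----BEGIN" marker
    label: str     # e.g. "RSA PRIVATE KEY", "EC PRIVATE KEY", "CERTIFICATE"
    sha256: str    # SHA-256 of the decoded DER body, for cross-build correlation


def scan_bytes(data: bytes, path: str = "<memory>") -> list:
    """Return every decodable PEM block in `data` as a Finding."""
    findings = []
    for m in PEM_RE.finditer(data):
        try:
            der = base64.b64decode(m.group(2))  # newlines inside the body are discarded
        except (ValueError, binascii.Error):
            continue  # not a real PEM body (e.g. a string literal that only looks like one)
        findings.append(Finding(path, m.start(), m.group(1).decode("ascii"),
                                hashlib.sha256(der).hexdigest()))
    return findings


def scan_tree(root: str) -> list:
    """Scan every regular file under `root` (an unpacked app bundle or installer)."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out.extend(scan_bytes(fh.read(), path))
    return out


def private_keys(findings: list) -> list:
    """Only the findings that mean the certificate's key is now public."""
    return [f for f in findings if "PRIVATE KEY" in f.label]


# Constructed sample: ELF-like header, a placeholder key block and a placeholder cert block.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                 + b"-----BEGIN RSA PRIVATE KEY-----\n"
                 + base64.b64encode(b"constructed placeholder, not a real key") + b"\n"
                 + b"-----END RSA PRIVATE KEY-----\n\x00\x00"
                 + b"-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"constructed placeholder, not a real cert") + b"\n"
                 + b"-----END CERTIFICATE-----\n")
```

Running `scan_tree` over an unpacked release and piping `private_keys` into your CI gate turns the thread's "trivially retrievable" observation into a build-time failure rather than a post-hoc revocation.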