On Monday, December 25, 2017 at 10:24:30 AM UTC-6, Hanno Böck wrote:
> On Mon, 25 Dec 2017 14:43:21 +0000
> Jeremy Rowley via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> > Without the private key, I'm not sure how we're supposed to confirm
> > key compromise. 
> 
> I've pinged a few people with the right skillset to try to extract the
> key. But if there are people here who feel capable feel free. (I already
> tried the "simple" means, e.g. grepping through files.)

As Mr. Bowen pointed out, there are several mechanisms which would allow for 
the key not to be on the localhost, although it almost certainly is.

Someone will have to bring out the debugger, watch for the appropriate calls, 
etc.  If they're using system libraries, it'll be really easy.  If they built 
in their own TLS stack natively and obfuscated it carefully, it'll be possible 
but harder to decipher.

Ultimately, it's eminently solvable, but will take someone time.

If this type of key compromise is actually worth getting the revocation for, 
then it's worth preventing the issue in the first place...

The only way that will ever happen is to fix the browser to kill the capability 
to hit a local IP endpoint if the main resource is non-local.  Once that change 
is made, the software developers will have far less incentive to do things like 
this.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy