Based on the information reported in this thread, GlobalSign has started the
necessary activities to investigate this potential misuse.

Arvid

On Tuesday, December 11, 2018 at 8:24:43 AM UTC+1, Mark Steward wrote:
> This time it's just hanging around in memory, no need to do anything
> about the anti-debug.
> 
> $ openssl x509 -noout -modulus -in 300288180.crt|md5sum
> f423a009387fb7a306673b517ed4f163  -
> $ openssl rsa -noout -modulus -in alibaba-localhost.key.pem|md5sum
> f423a009387fb7a306673b517ed4f163  -
> 
> You can verify that I've signed lorem ipsum with the following:
> 
> $ wget https://crt.sh/?d=300288180 -O 300288180.crt
> $ wget https://rack.ms/b/UsNQv74sfH40/msg.txt{,.sig-sha256.b64}
> $ openssl dgst -sha256 -verify <(openssl x509 -in 300288180.crt
> -pubkey -noout) -signature <(base64 -d msg.txt.sig-sha256.b64) msg.txt
> 
> As the domain name suggests, this is part of the
> AlibabaProtect/"Alibaba PC Safe Service" that comes bundled with the
> Youku client.
> 
> 
> Mark
> On Tue, Dec 11, 2018 at 5:37 AM Xiaoyin Liu via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> >
> > Hello,
> >
> > I think I found an SSL certificate misuse issue, but I am not sure if this
> > is indeed a misuse, so I want to ask about it on this list.
> >
> > Here is the issue: After I installed the Youku Windows client
> > (https://pd.youku.com/pc, installer:
> > https://pcclient.download.youku.com/youkuclient/youkuclient_setup_7.6.7.11220.exe),
> > it starts a local HTTPS server, listening on localhost:6691. Output of
> > "openssl s_client -connect 127.0.0.1:6691" indicates that this local server
> > uses a valid SSL certificate, issued to "Alibaba (China) Technology Co.,
> > Ltd." CN=*.alipcsec.com, and issued by GlobalSign. It's a publicly trusted
> > OV cert, and is valid until Jan 13, 2019. Later, I found that
> > local.alipcsec.com resolves to 127.0.0.1, and
> > https://local.alipcsec.com:6691/ is used for inter-process communication.
> >
> > It’s clear that the private key for *.alipcsec.com is embedded in the 
> > executable, but all the executables that may embed the private key are 
> > packed by VMProtect, and the process has anti-debugging protection. I tried 
> > plenty of methods to extract the private key, but didn’t succeed. I 
> > reported this to Alibaba SRC anyway. They replied that they ignore this 
> > issue unless I can successfully extract the key.
> >
> > So is this a certificate misuse issue, even if the private key is 
> > obfuscated? If so, do I have to extract the private key first before the CA 
> > can revoke the cert?
> >
> > Thank you!
> >
> > Best,
> > Xiaoyin Liu
> >
> > Here is the certificate:
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
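The key-to-certificate check and the detached-signature verification that Mark describes, as an added example that is not part of the thread: it assumes the openssl CLI is installed and generates its own constructed certificate, keys and message instead of the real crt.sh certificate. It compares the full SubjectPublicKeyInfo rather than the RSA modulus, so it goes slightly beyond the RSA-only commands above and also covers non-RSA keys.

```shell
#!/bin/sh
# Added example, not code from the thread. Given a certificate (e.g. one fetched
# from crt.sh) and a private key recovered from a binary, decide whether the key
# really belongs to that certificate, then confirm a detached signature made
# with it. Assumes the openssl CLI is on PATH; all keys, certs and messages below
# are constructed test material generated on the fly.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hash the SubjectPublicKeyInfo from the cert and the public half derived from
# the private key. Unlike the RSA-only "-modulus" comparison used in the thread,
# this works for any key type. Exit status 0 means the key matches the cert.
key_matches_cert() {
    cert_spki=$(openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_spki=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_spki" = "$key_spki" ]
}

# Verify a detached SHA-256 signature ($3) over message ($2) with the public key
# taken from certificate ($1). Exit status 0 means the signature is valid.
verify_signature() {
    openssl x509 -in "$1" -pubkey -noout > "$WORK/pub.pem"
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$3" "$2" >/dev/null 2>&1
}

# --- constructed material: a cert with its genuine key, plus an unrelated key ---
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=local.example.test" \
    -keyout "$WORK/recovered.key" -out "$WORK/cert.pem" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/unrelated.key" >/dev/null 2>&1
printf 'lorem ipsum\n' > "$WORK/msg.txt"
printf 'lorem ipsum tampered\n' > "$WORK/tampered.txt"
openssl dgst -sha256 -sign "$WORK/recovered.key" -out "$WORK/msg.sig" "$WORK/msg.txt"

# Report the result the way a CA or incident responder would read it.
if key_matches_cert "$WORK/cert.pem" "$WORK/recovered.key"; then
    echo "recovered.key matches cert.pem: key compromise confirmed"
fi
if ! key_matches_cert "$WORK/cert.pem" "$WORK/unrelated.key"; then
    echo "unrelated.key does not match cert.pem: not evidence of compromise"
fi
if verify_signature "$WORK/cert.pem" "$WORK/msg.txt" "$WORK/msg.sig"; then
    echo "detached signature over msg.txt verifies against cert.pem"
fi
```

A match from key_matches_cert is the evidence a CA needs to treat the certificate as key-compromised and revoke it; the signature check is how a third party can confirm the claim without ever seeing the private key.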
