RE: SSL private key for *.alipcsec.com embedded in PC client executables

2018-12-12 Thread Doug Beattie via dev-security-policy
, 2018 6:52 AM To: Mark Steward Cc: dev-security-policy@lists.mozilla.org Subject: Re: SSL private key for *.alipcsec.com embedded in PC client executables Thank you for your helpful reply, Mark! Finally I found the key in memory too. I sent another report with the private key to Alibaba. Hopefully

Re: SSL private key for *.alipcsec.com embedded in PC client executables

2018-12-11 Thread Matt Palmer via dev-security-policy
On Tue, Dec 11, 2018 at 08:00:59AM +, Jeremy Rowley via dev-security-policy wrote: > I think pretty much every ca will accept a signed file in lieu of an > actual key. You'd rather hope so. If there are any CAs out there who *wouldn't* accept a signature from the private key as proof of

Re: SSL private key for *.alipcsec.com embedded in PC client executables

2018-12-11 Thread Arvid Vermote via dev-security-policy
Based on the information reported in this thread GlobalSign has started the necessary activities to investigate this potential misuse. Arvid On Tuesday, December 11, 2018 at 8:24:43 AM UTC+1, Mark Steward wrote: > This time it's just hanging around in memory, no need to do anything > about the

RE: SSL private key for *.alipcsec.com embedded in PC client executables

2018-12-11 Thread Doug Beattie via dev-security-policy
@lists.mozilla.org Subject: Re: SSL private key for *.alipcsec.com embedded in PC client executables Thank you for your helpful reply, Mark! Finally I found the key in memory too. I sent another report with the private key to Alibaba. Hopefully they will take action. If Alibaba doesn't reply to me

Re: SSL private key for *.alipcsec.com embedded in PC client executables

2018-12-11 Thread Xiaoyin Liu via dev-security-policy
On 2018/12/11 14:39, Matt Palmer via dev-security-policy wrote: > On Tue, Dec 11, 2018 at 05:37:41AM +, Xiaoyin Liu via dev-security-policy > wrote: >> It’s clear that the private key for *.alipcsec.com is embedded in the >> executable, > There are ways of implementing SSL such that the

Re: SSL private key for *.alipcsec.com embedded in PC client executables

2018-12-11 Thread Jeremy Rowley via dev-security-policy
, December 10, 2018 11:39:31 PM To: dev-security-policy@lists.mozilla.org Subject: Re: SSL private key for *.alipcsec.com embedded in PC client executables On Tue, Dec 11, 2018 at 05:37:41AM +, Xiaoyin Liu via dev-security-policy wrote: > It’s clear that the private key for *.alipcsec.

Re: SSL private key for *.alipcsec.com embedded in PC client executables

2018-12-10 Thread Mark Steward via dev-security-policy
This time it's just hanging around in memory, no need to do anything about the anti-debug.
$ openssl x509 -noout -modulus -in 300288180.crt|md5sum
f423a009387fb7a306673b517ed4f163 -
$ openssl rsa -noout -modulus -in alibaba-localhost.key.pem|md5sum
f423a009387fb7a306673b517ed4f163 -
You can

Re: SSL private key for *.alipcsec.com embedded in PC client executables

2018-12-10 Thread Matt Palmer via dev-security-policy
On Tue, Dec 11, 2018 at 05:37:41AM +, Xiaoyin Liu via dev-security-policy wrote: > It’s clear that the private key for *.alipcsec.com is embedded in the > executable, There are ways of implementing SSL such that the private key doesn't *have* to be stored locally. They all require the TLS