, 2018 6:52 AM
To: Mark Steward
Cc: dev-security-policy@lists.mozilla.org
Subject: Re: SSL private key for *.alipcsec.com embedded in PC client
executables
Thank you for your helpful reply, Mark! Finally I found the key in memory
too.
I sent another report with the private key to Alibaba. Hopefully
On Tue, Dec 11, 2018 at 08:00:59AM +, Jeremy Rowley via dev-security-policy
wrote:
> I think pretty much every ca will accept a signed file in lieu of an
> actual key.
You'd rather hope so. If there are any CAs out there who *wouldn't* accept
a signature from the private key as proof of
Based on the information reported in this thread GlobalSign has started the
necessary activities to investigate this potential misuse.
Arvid
On Tuesday, December 11, 2018 at 8:24:43 AM UTC+1, Mark Steward wrote:
> This time it's just hanging around in memory, no need to do anything
> about the
@lists.mozilla.org
Subject: Re: SSL private key for *.alipcsec.com embedded in PC client
executables
Thank you for your helpful reply, Mark! Finally I found the key in memory
too.
I sent another report with the private key to Alibaba. Hopefully they will
take actions. If Alibaba doesn't reply me
On 2018/12/11 14:39, Matt Palmer via dev-security-policy wrote:
> On Tue, Dec 11, 2018 at 05:37:41AM +, Xiaoyin Liu via dev-security-policy
> wrote:
>> It’s clear that the private key for *.alipcsec.com is embedded in the
>> executable,
> There are ways of implementing SSL such that the
, December 10, 2018 11:39:31 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: SSL private key for *.alipcsec.com embedded in PC client
executables
On Tue, Dec 11, 2018 at 05:37:41AM +, Xiaoyin Liu via dev-security-policy
wrote:
> It’s clear that the private key for *.alipcsec.
This time it's just hanging around in memory, no need to do anything
about the anti-debug.
$ openssl x509 -noout -modulus -in 300288180.crt|md5sum
f423a009387fb7a306673b517ed4f163 -
$ openssl rsa -noout -modulus -in alibaba-localhost.key.pem|md5sum
f423a009387fb7a306673b517ed4f163 -
You can
On Tue, Dec 11, 2018 at 05:37:41AM +, Xiaoyin Liu via dev-security-policy
wrote:
> It’s clear that the private key for *.alipcsec.com is embedded in the
> executable,
There are ways of implementing SSL such that the private key doesn't *have*
to be stored locally. They all require the TLS
8 matches
Mail list logo