Hi,

Tavis Ormandy recently tweeted this:
https://twitter.com/taviso/status/938503794098180096

What's happening here: The software battle.net by Blizzard has a domain localbattle.net that points to localhost, allowing the software to serve content there. The content is served via HTTPS with a valid cert, making it obvious that the private key is part of the software.

I talked to Tavis, reported the issue to the CA and to Mozilla's bugtracker. I learned that there's a practically identical issue with EA's origin.net software.

I also heard a claim that "everyone does this", however this seemed to refer to examples from the past that are already known. I briefly checked other gaming software (steam, uplay), but didn't find anything similar. (Which doesn't mean it's not there - but I didn't see open ports after running the software that were served with TLS.)

Both certificates have been revoked. I don't have any detailed information about what these local connections were used for, if they changed anything and if anything broke due to the revocations, but I haven't seen any reports of breakage (I checked twitter for signs of it).

I also was not able to extract the private keys with simple methods (grep), but it is almost certainly possible. (Full disclosure: Doing anything on a Windows system is not my strength.)

In any case: If you are aware of other software doing something similar please report it. This is a key compromise.

Bug EA: https://bugzilla.mozilla.org/show_bug.cgi
Cert EA: https://crt.sh/?id=54134792
Bug Blizzard: https://bugzilla.mozilla.org/show_bug.cgi?id=1425166
Cert Blizzard: https://crt.sh/?id=277776142

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
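The post notes that a plain grep did not turn up the private keys. One common reason is that a key compiled into an executable is stored as DER (PKCS#1 RSAPrivateKey or PKCS#8 PrivateKeyInfo), which carries no "PRIVATE KEY" ASCII marker. The following scanner is an added example written for this page; it is not code from the original post and was not run against the Blizzard or EA binaries. It looks for PEM headers and, more usefully, for DER SEQUENCE { INTEGER 0, ... } candidates, then validates each candidate by actually parsing the structure so that random bytes do not produce false hits. The sample input is constructed inline (a toy RSA key with n = 61 * 53 wrapped in PKCS#8, plus a 2048-bit-shaped structure to exercise long-form DER lengths); neither is a real key. It assumes the key is stored unencrypted; a PKCS#12 container, a DPAPI-protected blob or the Windows certificate store would need different handling.

```python
"""Find embedded private keys (PEM, DER PKCS#1, DER PKCS#8) in a binary blob.
Added example, not code from the original post. Sample data is constructed."""
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----")
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption


def der_tlv(buf, pos):
    """Decode one DER tag/length header at pos -> (tag, value_start, value_end) or None."""
    if pos + 2 > len(buf):
        return None
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            return None
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start, end = pos + hdr, pos + hdr + length
    return (tag, start, end) if end <= len(buf) else None


def _version_zero(buf, pos):
    """Match SEQUENCE { INTEGER 0 ... } at pos -> (after_version, seq_end) or None."""
    outer = der_tlv(buf, pos)
    if outer is None or outer[0] != 0x30:
        return None
    ver = der_tlv(buf, outer[1])
    if ver is None or ver[0] != 0x02 or buf[ver[1]:ver[2]] != b"\x00":
        return None
    return ver[2], outer[2]


def parse_pkcs1_rsa(buf, pos):
    """Validate RSAPrivateKey = SEQUENCE { INTEGER 0, n, e, d, p, q, dp, dq, qinv }."""
    hit = _version_zero(buf, pos)
    if hit is None:
        return None
    p, end = hit
    ints = []
    while p < end and len(ints) < 8:
        t = der_tlv(buf, p)
        if t is None or t[0] != 0x02:
            return None
        ints.append(buf[t[1]:t[2]])
        p = t[2]
    if len(ints) != 8 or p != end:
        return None
    bits = int.from_bytes(ints[0], "big").bit_length()
    return {"type": "DER PKCS#1 RSAPrivateKey", "offset": pos, "end": end, "modulus_bits": bits}


def parse_pkcs8(buf, pos):
    """Validate PrivateKeyInfo = SEQUENCE { INTEGER 0, AlgorithmIdentifier, OCTET STRING }."""
    hit = _version_zero(buf, pos)
    if hit is None:
        return None
    p, end = hit
    alg = der_tlv(buf, p)
    if alg is None or alg[0] != 0x30:
        return None
    oid = der_tlv(buf, alg[1])
    if oid is None or oid[0] != 0x06:
        return None
    key = der_tlv(buf, alg[2])
    if key is None or key[0] != 0x04 or key[2] != end:
        return None
    is_rsa = buf[alg[1]:oid[2]] == RSA_OID
    finding = {"type": "DER PKCS#8 PrivateKeyInfo", "offset": pos, "end": end,
               "algorithm": "rsaEncryption" if is_rsa else buf[oid[1]:oid[2]].hex()}
    inner = parse_pkcs1_rsa(buf, key[1]) if is_rsa else None
    if inner and inner["end"] == key[2]:  # the OCTET STRING must hold exactly one RSAPrivateKey
        finding["modulus_bits"] = inner["modulus_bits"]
    return finding


def scan(buf):
    """Return all PEM, PKCS#8 and PKCS#1 key findings in buf, in that order."""
    findings = [{"type": "PEM " + m.group(1).decode(), "offset": m.start()}
                for m in PEM_RE.finditer(buf)]
    # Prefilter: both DER forms begin with a SEQUENCE header immediately followed by
    # INTEGER 0 (02 01 00); look back 2..6 bytes for a header ending at the match.
    for m in re.finditer(rb"\x02\x01\x00", buf):
        for hdr in range(2, 7):
            pos = m.start() - hdr
            if pos < 0 or buf[pos] != 0x30:
                continue
            seq = der_tlv(buf, pos)
            if seq is None or seq[1] != m.start():
                continue
            if any(f.get("offset", -1) <= pos < f.get("end", -1) for f in findings):
                continue  # inner RSAPrivateKey of an already-reported PKCS#8 wrapper
            found = parse_pkcs8(buf, pos) or parse_pkcs1_rsa(buf, pos)
            if found:
                findings.append(found)
    return findings


# --- constructed sample (toy RSA key n = 61 * 53; structurally valid DER, not a real key) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der_int(n):
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")  # spare byte keeps the sign bit clear
    return b"\x02" + _der_len(len(b)) + b

def _der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body

TOY_RSA = _der_seq(*[_der_int(x) for x in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)])
TOY_PKCS8 = _der_seq(_der_int(0), _der_seq(RSA_OID, b"\x05\x00"),
                     b"\x04" + _der_len(len(TOY_RSA)) + TOY_RSA)
# 2048-bit-shaped modulus (all 0xff) only to exercise long-form lengths; not a valid key.
BIG_RSA = _der_seq(_der_int(0), _der_int(int.from_bytes(b"\xff" * 256, "big")),
                   *[_der_int(x) for x in (65537, 1, 1, 1, 1, 1, 1)])
SAMPLE = (b"\x00MZ\x90" * 8 + TOY_PKCS8 + b"\xff" * 40 + BIG_RSA + b"\x00" * 16
          + b"-----BEGIN EC PRIVATE KEY-----\n")

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

Run it over the whole executable and any resource DLLs (`scan(open(path, "rb").read())`). A hit is confirmed as the leaked key by comparing its modulus with the modulus in the crt.sh certificate; only that comparison justifies calling it a key compromise for a specific certificate.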