As a follow-up, the certificate was revoked about 2 hours ago: https://crt.sh/?id=300288180&opt=ocsp
-----Original Message-----
From: Doug Beattie
Sent: Tuesday, December 11, 2018 8:09 AM
To: 'dev-security-policy@lists.mozilla.org' <dev-security-policy@lists.mozilla.org>
Cc: 'Xiaoyin Liu' <xiaoyi...@outlook.com>; Mark Steward <markstew...@gmail.com>
Subject: RE: SSL private key for *.alipcsec.com embedded in PC client executables

Thank you for this report. We've verified disclosure of the private key for this certificate and have notified the customer that their certificate will be revoked. Due to the large customer impact, we've provided them 24 hours to get new client executables prepared and ready for download by their customers.

We'll post a message when the certificate has been revoked.

https://crt.sh/?id=300288180

Doug

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Xiaoyin Liu via dev-security-policy
Sent: Tuesday, December 11, 2018 6:52 AM
To: Mark Steward <markstew...@gmail.com>
Cc: dev-security-policy@lists.mozilla.org
Subject: Re: SSL private key for *.alipcsec.com embedded in PC client executables

Thank you for your helpful reply, Mark! Finally I found the key in memory too. I sent another report with the private key to Alibaba. Hopefully they will take action. If Alibaba doesn't reply to me tomorrow, I will report to GlobalSign.

Best,
Xiaoyin

________________________________
From: Mark Steward <markstew...@gmail.com>
Sent: Tuesday, December 11, 2018 3:24:21 PM
To: xiaoyi...@outlook.com
Cc: dev-security-policy@lists.mozilla.org
Subject: Re: SSL private key for *.alipcsec.com embedded in PC client executables

This time it's just hanging around in memory, no need to do anything about the anti-debug.
$ openssl x509 -noout -modulus -in 300288180.crt|md5sum
f423a009387fb7a306673b517ed4f163  -
$ openssl rsa -noout -modulus -in alibaba-localhost.key.pem|md5sum
f423a009387fb7a306673b517ed4f163  -

You can verify that I've signed lorem ipsum with the following:

$ wget https://crt.sh/?d=300288180 -O 300288180.crt
$ wget https://rack.ms/b/UsNQv74sfH40/msg.txt{,.sig-sha256.b64}
$ openssl dgst -sha256 -verify <(openssl x509 -in 300288180.crt -pubkey -noout) -signature <(base64 -d msg.txt.sig-sha256.b64) msg.txt

As the domain name suggests, this is part of the AlibabaProtect/"Alibaba PC Safe Service" that comes bundled with the Youku client.

Mark

On Tue, Dec 11, 2018 at 5:37 AM Xiaoyin Liu via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> Hello,
>
> I think I found an SSL certificate misuse issue, but I am not sure if this is indeed a misuse, so I want to ask about it on this list.
>
> Here is the issue: After I installed the Youku Windows client (https://pd.youku.com/pc, installer: https://pcclient.download.youku.com/youkuclient/youkuclient_setup_7.6.7.11220.exe), it starts a local HTTPS server, listening on localhost:6691. Output of "openssl s_client -connect 127.0.0.1:6691" indicates that this local server uses a valid SSL certificate, issued to "Alibaba (China) Technology Co., Ltd." CN=*.alipcsec.com, and issued by GlobalSign. It's a publicly trusted OV cert, and is valid until Jan 13, 2019. Later, I found that local.alipcsec.com resolves to 127.0.0.1, and https://local.alipcsec.com:6691/ is used for inter-process communication.
>
> It's clear that the private key for *.alipcsec.com is embedded in the executable, but all the executables that may embed the private key are packed by VMProtect, and the process has anti-debugging protection. I tried plenty of methods to extract the private key, but didn't succeed. I reported this to Alibaba SRC anyway. They replied that they will ignore this issue unless I can successfully extract the key.
>
> So is this a certificate misuse issue, even if the private key is obfuscated? If so, do I have to extract the private key first before the CA can revoke the cert?
>
> Thank you!
>
> Best,
> Xiaoyin Liu
>
> Here is the certificate:
> (PEM-encoded certificate omitted here; it is the one at https://crt.sh/?id=300288180)
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
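The two checks Mark runs above (does the recovered key match the certificate, and does a signature made with it verify under the certificate's public key) are what a reporter or a CA needs before treating a certificate as key-compromised. The script below is an added example, not code from this thread; it assumes only the openssl CLI, compares the full public key rather than the RSA modulus so it also works for EC keys, and generates its own throwaway key, certificate and message as constructed test data.

```shell
#!/bin/sh
# Added example: confirm a key-compromise report the way Mark's commands do,
# without md5sum or bash process substitution. Assumes only the openssl CLI.
# The key, certificate and message below are constructed test data.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# key_matches_cert CERT KEY
# Succeeds if the public key in CERT equals the public key derived from KEY.
# Comparing the DER SubjectPublicKeyInfo works for RSA and EC keys alike,
# whereas comparing an RSA modulus (as in the thread) only covers RSA.
key_matches_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER -out "$WORK/cert_pub.der"
    openssl pkey -in "$2" -pubout -outform DER -out "$WORK/key_pub.der"
    cmp -s "$WORK/cert_pub.der" "$WORK/key_pub.der"
}

# verify_signature CERT MSG SIG
# Succeeds if SIG is a valid SHA-256 signature over MSG under CERT's public key.
# A signature over a challenge message proves possession of the private key
# without the reporter having to hand the key itself to the CA.
verify_signature() {
    openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$3" "$2" >/dev/null 2>&1
}

# --- constructed test data: a "leaked" key with its cert, and an unrelated key ---
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$WORK/leaked.key" -out "$WORK/leaked.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" >/dev/null 2>&1
printf 'lorem ipsum\n' > "$WORK/msg.txt"
printf 'lorem ipsum!\n' > "$WORK/tampered.txt"
openssl dgst -sha256 -sign "$WORK/leaked.key" -out "$WORK/msg.sig" "$WORK/msg.txt"

if key_matches_cert "$WORK/leaked.crt" "$WORK/leaked.key"; then
    echo "leaked.key matches leaked.crt: key compromise confirmed"
fi
if ! key_matches_cert "$WORK/leaked.crt" "$WORK/other.key"; then
    echo "other.key does not match leaked.crt"
fi
if verify_signature "$WORK/leaked.crt" "$WORK/msg.txt" "$WORK/msg.sig"; then
    echo "signature over msg.txt verifies under leaked.crt"
fi
if ! verify_signature "$WORK/leaked.crt" "$WORK/tampered.txt" "$WORK/msg.sig"; then
    echo "signature does not verify over a modified message"
fi
```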