Hi!

I'm not sure if this is the correct place to ask (I'm not sure where
else I would ask). I'm so sorry if this message is unwanted.

Earlier this week, a certificate for a domain resolving to 127.0.0.1 in
a Cisco application was revoked, because it was deemed to have been
compromised.

Dropbox, GitHub, Spotify and Discord (among others) have done the same
thing for years: they embed SSL certificates and private keys into their
applications so that, for example, open.spotify.com can talk to a local
instance of Spotify (which must be served over https because
open.spotify.com is also delivered over https).

This has happened for years, and these applications have certificates
issued by DigiCert and Comodo all pointing to 127.0.0.1 whose private
keys are trivially retrievable, since they're embedded in publicly
distributed binaries.

- GitHub: ghconduit.com
- Discord: discordapp.io
- Dropbox: www.dropboxlocalhost.com
- Spotify: *.spotilocal.com

Here is Spotify's, for example:
https://gist.github.com/venoms/d2d558b1da2794b9be6f57c5e81334f0

----

What I want to know is: how does this differ from Cisco's situation?
Why was Cisco's key revoked and considered compromised, but these have
been known about and deemed acceptable for years - what makes the
situation different?

It's been an ongoing question for me, since the use case (as a software
developer) is quite real: if you serve a site over HTTPS and it needs to
communicate with a local client application, then you need this (or you
need to manage your own CA and ask every person to install a
certificate on all their devices).

Thank you so much,
Annie
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
