Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-07-26 Thread Jakob Bohm via dev-security-policy
On 25/07/2017 14:58, simon.wat...@surevine.com wrote: On Tuesday, 20 June 2017 10:43:37 UTC+1, Nick Lamb wrote: On Tuesday, 20 June 2017 05:50:06 UTC+1, Matthew Hardeman wrote: The right balance is probably revoking when misuse is shown. Plus education. Robin has stated that there _are_

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-07-25 Thread simon.waters--- via dev-security-policy
On Tuesday, 20 June 2017 10:43:37 UTC+1, Nick Lamb wrote: > On Tuesday, 20 June 2017 05:50:06 UTC+1, Matthew Hardeman wrote: > > The right balance is probably revoking when misuse is shown. > > Plus education. Robin has stated that there _are_ suitable CA products for > this use case in

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-27 Thread reisinger.nate--- via dev-security-policy
That's a good point. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-20 Thread randomsyseng--- via dev-security-policy
> Moral of the story, if you have to ask if it's a disclosure, you are better > safe than sorry and keeping the info under close wraps until you confirm it. I think it's better it was disclosed than had it not been disclosed at all. While I agree to an extent that there could have been more

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-20 Thread reisinger.nate--- via dev-security-policy
On Tuesday, June 20, 2017 at 12:52:02 PM UTC-4, Lee wrote: > On 6/20/17, mfisch--- via dev-security-policy > wrote: > > On Monday, June 19, 2017 at 7:37:23 PM UTC-4, Matt Palmer wrote: > >> On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via > >>

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-20 Thread mfisch--- via dev-security-policy
On Tuesday, June 20, 2017 at 2:27:10 PM UTC-4, mfi...@fortmesa.com wrote: > On Tuesday, June 20, 2017 at 2:06:00 PM UTC-4, Jonathan Rudenberg wrote: > > > On Jun 20, 2017, at 10:36, mfisch--- via dev-security-policy > > > wrote: > > > > > > On Monday, June

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-20 Thread mfisch--- via dev-security-policy
On Tuesday, June 20, 2017 at 2:06:00 PM UTC-4, Jonathan Rudenberg wrote: > > On Jun 20, 2017, at 10:36, mfisch--- via dev-security-policy > > wrote: > > > > On Monday, June 19, 2017 at 7:37:23 PM UTC-4, Matt Palmer wrote: > >> On Sun, Jun 18, 2017 at

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-20 Thread Jonathan Rudenberg via dev-security-policy
> On Jun 20, 2017, at 10:36, mfisch--- via dev-security-policy > wrote: > > On Monday, June 19, 2017 at 7:37:23 PM UTC-4, Matt Palmer wrote: >> On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via >> dev-security-policy wrote: >>> If you should

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-20 Thread troy.fridley--- via dev-security-policy
Nick, I misspoke in my reply. The certificate has been revoked and it has not been re-issued. We have filed a post-stopping defect (Cisco Bug ID CSCve90409) against the product to ensure that the issue is not re-introduced. The certificate in

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-20 Thread Lee via dev-security-policy
On 6/20/17, mfisch--- via dev-security-policy wrote: > On Monday, June 19, 2017 at 7:37:23 PM UTC-4, Matt Palmer wrote: >> On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via >> dev-security-policy wrote: >> > If you should find such an issue again

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-20 Thread mfisch--- via dev-security-policy
On Monday, June 19, 2017 at 7:37:23 PM UTC-4, Matt Palmer wrote: > On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via > dev-security-policy wrote: > > If you should find such an issue again in a Cisco owned domain, please > > report it to ps...@cisco.com and we will ensure that prompt

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-20 Thread Nick Lamb via dev-security-policy
On Tuesday, 20 June 2017 05:50:06 UTC+1, Matthew Hardeman wrote: > The right balance is probably revoking when misuse is shown. Plus education. Robin has stated that there _are_ suitable CA products for this use case in existence today, but if I didn't know it stands to reason that at least

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-19 Thread Matthew Hardeman via dev-security-policy
On Monday, June 19, 2017 at 11:40:22 PM UTC-5, Tom Ritter wrote: > So at what point does the CA become culpable to misissuance in a case > like this? Is it okay that we let them turn a blind eye to issuing or > reissuing certificates where they have a strong reason to believe the > private key

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-19 Thread Tom Ritter via dev-security-policy
On 19 June 2017 at 08:28, Samuel Pinder via dev-security-policy wrote: > Therefore the newly re-issued > certificate *will* end up with its private key compromised *again*, > no matter how well it may be obfuscated in the application, it is > still against

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-19 Thread Matt Palmer via dev-security-policy
On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via dev-security-policy wrote: > If you should find such an issue again in a Cisco owned domain, please > report it to ps...@cisco.com and we will ensure that prompt and proper > actions are taken. I don't know, this way seems to have

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-19 Thread Matthew Hardeman via dev-security-policy
I wonder if the device intercepts DNS queries within the LAN for that address and substitutes in the IP of the appliance instead of 127.0.0.1. Is it often deployed as the customer premise NAT/router in addition to serving video purposes? I'm thinking they probably wanted some other devices or

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-19 Thread Samuel Pinder via dev-security-policy
There's more than just a clue in the name drmlocal.cisco.com , if one looks up this address in the DNS it returns the loopback IP 127.0.0.1 . http://dnstools.ws/tools/lookup.php?host=drmlocal.cisco.com=A This can only mean that this address is fully intended to be referred to only by one's own

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-18 Thread Daniel Cater via dev-security-policy
This is now on crt.sh here: https://crt.sh/?id=156475584&opt=cablint,x509lint This is indeed a key compromise event, thanks for the level of detail provided. An attacker in control of a network could use this to impersonate https://drmlocal.cisco.com/ and leverage that to potentially steal a user's

Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-18 Thread Koen Rouwhorst via dev-security-policy
Hi all, Last weekend, in an attempt to get Sky's NOW TV video player (for Mac) to work on my machine, I noticed that one of the Cisco executables contains a private key that is associated with the public key in a trusted certificate for a cisco.com sub domain