
Private key for *.xboxlive.com certificate disclosed - hannob
https://technet.microsoft.com/en-us/library/security/3123040
======
alanh
Personally, this makes for funny timing. As a first-time Xbox (One) owner (who
never owned any PlayStation), I was telling a friend with a PS4 how damn buggy
everything seemed to be, from setup to games themselves. She said she doesn’t
have those problems on PS4. “Maybe you should’ve gotten a PlayStation!”

“Yes, but isn’t Sony always getting hacked? Maybe the ideal thing would be a
PlayStation that uses Microsoft’s web services!”

sigh

~~~
draw_down
It's always funny to me when people say that sort of thing. Highly publicized
attacks/vulns are bad, but it's likely that any given thing we use is getting
owned all the time.

~~~
johncolanduoni
Well, when we see vulnerabilities that can be traced back to boneheaded
security, it seems reasonable to have some extra concern. Like when Sony
decided to roll its own crypto implementation for the PS3 and forgot to use
different random numbers in one part, leading to the root private keys for the
device being broken.

------
vortico
That security advisory is the longest possible way to say "Private key for
*.xboxlive.com certificate disclosed." In my half-asleep mindset, I was
expecting it to include the private key.

~~~
OJFord
Has it changed since you read it? The title says one was inadvertently
disclosed, and the first line says the one was that for *.xboxlive.com.

------
wyldfire
Thank goodness for revocation lists.

It's too bad -- they list "Affected Software" but they don't seem to disclose
the earliest time from which xboxlive.com shouldn't have been trusted.

~~~
jjp
Certificate was disallowed from December 1st.

~~~
uxp
The current certificate that I can see on *.xboxlive.com is valid between
December 1st _2014_ and December 1st _2016_.

Is it common to issue a certificate for a year, but make it active for the
previous year as well?

~~~
blakeyrat
An Xbox One can easily sit on the shelf for 3-4, or even more, years before
being sold. Not quite the typical use-case...

~~~
FireBeyond
Using your powers of divination, given that the platform has only just had its
second birthday?

~~~
tedks
Probably entrail reading, which is more applicable to the games industry than
divination. That, and the 30 years of console sales patterns to draw on.

------
elchief
And that's why you use an HSM kids!

------
0x0
How come "Xbox" is not in the list of affected devices?

~~~
speps
It uses Windows 10 since November 2015.

~~~
scott_karana
Yes, and Windows 10 was affected, just like all the other listed OSes.

However, Xbox users might not be able to make the connection. Explicit is
better than implicit for security announcements, I daresay.

> An automatic updater of certificate trust lists is included in supported
> editions of ... Windows 10 ...

------
chrisfosterelli
Can anyone elaborate on how this affects non-Windows products? If I go to
[https://developer.xboxlive.com](https://developer.xboxlive.com) I see a valid
certificate, so my non-Windows system trusts them. Have they revoked the old
certificate?

They only mention the certificate trust list, which I believe is a hardcoded
list of certificates that Windows trusts. I understand that they should remove
it from there, but don't they also have to revoke the certificate for
non-Windows systems that use the standard verification methods?

~~~
Sanddancer
What's the certificate info? Most likely, you got a valid cert. MS can give a
bit extra security for mistakes like this in their own products because they
have the keys to the castle, but everyone else will have to use the normal
infrastructure, most likely OCSP. But from the sound of things, you're already
using the new cert.

[https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol)

~~~
chrisfosterelli
I imagine I am using the new cert. My question is that if an attacker got a
hold of the past one, could I be MitM'd? They removed it from the Windows CTL
but didn't mention anything explicitly about revoking it for everyone else...

~~~
johncolanduoni
Microsoft issues its own certificates, so if they add it to their own OCSP
revocation list it will fail an OCSP check from any device. That said, many
browsers don't do OCSP checks or will just accept a certificate if the OCSP
server cannot be reached, although this was presumably an EV certificate where
that attitude is less common. I'm also guessing this made it into Chrome's
CRLSet (this kind of high profile EV revocation is exactly what it was
designed for), so if you use Chrome you're pretty likely to be okay.

edit: Actually I just checked the Chrome CRLSet, it doesn't appear to have
revocations for any certificates from "Microsoft IT SSL SHA2" :(. You can turn
on OCSP verification in most browsers, which should do it.
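
As an added example, not from this thread or from Microsoft, here is the distinction chrisfosterelli is asking about and johncolanduoni describes, written against Go's standard library (Go 1.19 or later is assumed for `ParseRevocationList` and `CheckSignatureFrom`). Chain validation is what every TLS client does and says nothing about revocation; a CRL (or an OCSP response) is a separate, signed statement from the CA that the client has to fetch and check, and what the client does when that statement cannot be fetched is the soft-fail/hard-fail choice. The root CA, the wildcard leaf, its serial number and every date are constructed, with `*.example.com` standing in for the real name; the leaf's validity window copies the two-year window uxp noticed, so the same fixture also shows a certificate rejected for a date before its NotBefore and a wildcard matching exactly one label.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bundle is a constructed in-memory PKI: root CA, its wildcard leaf, and the CRL revoking that leaf.
type Bundle struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
	CRL  *x509.RevocationList
}

// must turns fixture-construction failures into panics; they can only be bugs.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func date(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

// parse wraps CreateCertificate's DER output straight into a parsed certificate.
func parse(der []byte, err error) *x509.Certificate { return must(x509.ParseCertificate(must(der, err))) }

// BuildBundle mints the sample PKI. Every name, date and serial is made up; the
// leaf's two-year window copies the dates observed in the thread.
func BuildBundle() *Bundle {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: date(2014, 1, 1), NotAfter: date(2030, 1, 1),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // CreateRevocationList requires one on the issuer
	}
	root := parse(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &caKey.PublicKey, caKey))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "*.example.com"},
		DNSNames:  []string{"*.example.com"}, // wildcard SAN: matches exactly one label
		NotBefore: date(2014, 12, 1), NotAfter: date(2016, 12, 1),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := parse(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey))
	// The CRL is the CA's out-of-band statement. Issuing it changes nothing in
	// the leaf, which is why chain validation alone can never notice it.
	revokedAt := date(2015, 12, 1)
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: revokedAt, NextUpdate: revokedAt.AddDate(0, 1, 0),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: revokedAt}},
	}, root, caKey))
	return &Bundle{Root: root, Leaf: leaf, CRL: must(x509.ParseRevocationList(crlDER))}
}

// ChainValid is what a TLS client does by default: path building, hostname
// match and validity window. It never consults any revocation source.
func ChainValid(b *Bundle, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(b.Root)
	_, err := b.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// Accept is the client policy: chain first, then revocation. A nil crl models a CRL/OCSP
// source that could not be reached; hardFail == false is the browser soft-fail attitude.
func Accept(b *Bundle, host string, now time.Time, crl *x509.RevocationList, hardFail bool) (bool, string) {
	if err := ChainValid(b, host, now); err != nil {
		return false, "chain: " + err.Error()
	}
	if crl == nil {
		if hardFail {
			return false, "revocation status unavailable, rejected (hard-fail)"
		}
		return true, "revocation status unavailable, accepted (soft-fail)"
	}
	if err := crl.CheckSignatureFrom(b.Root); err != nil { // an unsigned list proves nothing
		return false, "crl: " + err.Error()
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(b.Leaf.SerialNumber) == 0 {
			return false, "revoked since " + rc.RevocationTime.Format("2006-01-02")
		}
	}
	return true, "ok"
}

func main() {
	b := BuildBundle()
	ok, why := Accept(b, "www.example.com", date(2015, 12, 15), b.CRL, true)
	fmt.Printf("accept=%v: %s\n", ok, why)
}
```

Run as-is, `Accept` rejects the leaf because the CRL lists its serial; pass `nil` as the CRL and the two policies diverge, with soft-fail accepting a chain that still validates perfectly. That is the answer to the question about non-Windows clients: a client that only does what `ChainValid` does sees a valid certificate until NotAfter in 2016, and only one that also fetches and verifies the CA's revocation data (CRL or OCSP) learns anything from the revocation.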

~~~
0x0
EV certificates can't be issued for wildcard domains, so probably not EV :)

~~~
johncolanduoni
:P forgot they said it was a wildcard (it was only in the title, you know).

------
zymhan
How exactly does this happen?

~~~
tdicola
It happens. Engineer goes to upgrade the cert and copies it to a file share
they didn't realize wasn't locked down. There's no evidence anyone malicious
got the file but it's pretty standard protocol to just assume it's tainted and
get a new cert.

~~~
meowface
I wish they would say how it was disclosed. Your scenario is bad, but less bad
than actually sending it out to the Internet, or some malware on a dev's
machine grabbing it.

~~~
eugenekolo2
I give equal likelihood to it being malware related and to somebody just
disabling a setting on some server that can potentially connect to the server
hosting the key.

I don't think it's somebody just posting it online, or moving it.

------
chris_wot
One word summary:

"Whoops!"

