Wait... are you serious? They... actually embed the private cert somewhere? I was just laughing at the domain name.
Replying to @SwiftOnSecurity
Yes, it happens sometimes, as soon as someone pulls out the key the CA is required to revoke it. They probably did it to avoid mixed-content warnings, as you can probably guess... it's not the correct solution. Anyone using this app is vulnerable to trivial MITM
7 replies 11 retweets 268 likes -
Replying to @taviso @SwiftOnSecurity
Hm I suppose that's true then of IBM's Aspera plugin client, which uses https://local.connectme.us for the same kind of communication
1 reply 2 retweets 6 likes -
Replying to @tmslft @SwiftOnSecurity
I just took a look, Umm.. that could be way, way worse. There's a pre-generated CA certificate and a private key, if they add that to the system store, they're effectively disabling SSL. I would consider that *critical*.
1 reply 3 retweets 29 likes -
Replying to @taviso @SwiftOnSecurity
A fun night we're all having here on Twitter dot com then
1 reply 0 retweets 17 likes -
Replying to @tmslft @SwiftOnSecurity
I really hope this isn't what it looks like, or this is another superfish.
https://pastebin.com/CKxNW3ms
3 replies 9 retweets 24 likes
Replying to @taviso @SwiftOnSecurity
Offhand it doesn't look like it's added to the system store? So that's good. But I'm not sure why it's there
1 reply 0 retweets 0 likes -
Replying to @tmslft @SwiftOnSecurity
I can't imagine any possible way it makes sense, but you were right about the http://local.connectme.us certificate, I extracted it. This needs to be revoked now and is a real vulnerability.
https://pastebin.com/1qupxAUv
1 reply 0 retweets 12 likes
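The two exposure cases the thread turns on, a publicly trusted leaf key shipped for a real hostname (trivial MITM of that name) and a pre-generated CA certificate plus private key (every TLS connection on a host that trusts it), as a defender's triage check. This is an added example written for this page, not code from the thread, from IBM's Aspera client or from Sectigo. AuditPair and BuildFixtures are hypothetical names; BuildFixtures generates throwaway P-256 keys at run time as stand-ins for material found in an app bundle, so nothing real is embedded. Only Go's standard library is used.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding rates what a certificate/key pair shipped inside an application lets anyone who unpacks it do.
type Finding struct {
	Subject    string
	IsCA       bool
	KeyMatches bool   // the shipped private key really belongs to this certificate
	Severity   string // "critical", "high" or "info"
	Reason     string
}

// AuditPair (hypothetical name) classifies a PEM certificate and PKCS#8 key found together in a package.
func AuditPair(certPEM, keyPEM []byte) (Finding, error) {
	cb, _ := pem.Decode(certPEM)
	kb, _ := pem.Decode(keyPEM)
	if cb == nil || cb.Type != "CERTIFICATE" || kb == nil {
		return Finding{}, fmt.Errorf("missing CERTIFICATE or private key PEM block")
	}
	cert, errC := x509.ParseCertificate(cb.Bytes)
	parsed, errK := x509.ParsePKCS8PrivateKey(kb.Bytes)
	signer, _ := parsed.(crypto.Signer)
	if errC != nil || errK != nil || signer == nil {
		return Finding{}, fmt.Errorf("cannot parse pair: cert=%v key=%v", errC, errK)
	}
	// Stdlib public keys implement Equal, so the pairing is checked by comparing public keys.
	pub, ok := signer.Public().(interface{ Equal(crypto.PublicKey) bool })
	f := Finding{Subject: cert.Subject.String(), IsCA: cert.IsCA, KeyMatches: ok && pub.Equal(cert.PublicKey)}
	switch {
	case !f.KeyMatches:
		f.Severity, f.Reason = "info", "private key does not belong to this certificate"
	case cert.IsCA:
		// A public CA key lets its holder mint certificates for any name; installed in a trust store, it voids TLS.
		f.Severity, f.Reason = "critical", "CA private key is public; it must never reach a trust store"
	default:
		f.Severity, f.Reason = "high", "leaf private key is public; its holder can impersonate "+strings.Join(cert.DNSNames, ",")+"; the issuing CA must revoke it"
	}
	return f, nil
}

type Pair struct{ CertPEM, KeyPEM []byte } // PEM fixtures generated at run time (constructed, not real keys)

// issue signs tmpl with parent (self-signed when parent is nil) using a fresh P-256 key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (Pair, *x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Pair{}, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return Pair{}, nil, nil, err
	}
	cert, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	kd, _ := x509.MarshalPKCS8PrivateKey(key)
	return Pair{CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kd})}, cert, key, nil
}

// BuildFixtures (hypothetical name) makes a throwaway root CA plus a leaf for local.connectme.us signed by it.
func BuildFixtures() (ca, leaf Pair, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "Vendor Local Root (constructed)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caCert, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "local.connectme.us"}, DNSNames: []string{"local.connectme.us"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, _, _, err = issue(leafTmpl, caCert, caKey)
	return
}

func main() {
	ca, leaf, err := BuildFixtures()
	if err != nil {
		panic(err)
	}
	for _, p := range []Pair{ca, leaf} {
		fmt.Println(AuditPair(p.CertPEM, p.KeyPEM))
	}
}
```

Run with `go run`: the CA pair comes back as critical and the leaf pair as high. The key/certificate match is the step that matters in practice, because a certificate next to a key proves nothing until the public keys are compared; a key that does not match is only worth a note, while a matching leaf key for a public name is exactly the condition under which the CA has to revoke.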
I sent a mail to ssl_abuse@sectigo.com, I don't know if that's the correct address.
1 reply 0 retweets 3 likes -
Still not revoked. Isn't @SectigoHQ now in violation of section 4.9.1.1 of the BRs? 24 hours have passed...
2 replies 0 retweets 1 like
I think I've seen @sleevi_ say 48hrs is permitted, 24 to confirm and 24 to revoke. I did get an acknowledgement from a human.
Update: it's coming up as revoked now. That's nice on a Thursday afternoon I guess...not
0 replies 0 retweets 1 like
Hm, seems like there is some leeway. https://sectigo.com/uploads/files/Sectigo-CPS-v5.1.pdf mentions for PK compromise sth about 24h, 5d, or 7d. Not sure which one applies in this case.
0 replies 0 retweets 0 likes