Slashdot Mirror
Cisco Subdomain Private Key Found in Embedded Executable (google.com)
Earlier this month, a developer accidentally discovered the private key of a Cisco subdomain. An anonymous reader shares the post: Last weekend, in an attempt to get Sky's NOW TV video player (for Mac) to work on my machine, I noticed that one of the Cisco executables contains a private key that is associated with the public key in a trusted certificate for a cisco.com sub domain. This certificate is used in a local WebSocket server, presumably to allow secure Sky/NOW TV origins to communicate with the video player on the users' local machines. I read the Baseline Requirements document (version 1.4.5, section 4.9.1.1), but I wasn't entirely sure whether this is considered a key compromise. I asked Hanno Bock on Twitter, and he advised me to post the matter to this mailing list. The executable containing the private key is named 'CiscoVideoGuardMonitor', and is shipped as part of the NOW TV video player. In case you are interested, the installer can be found here (SHA-256: 56feeef4c3d141562900f9f0339b120d4db07ae2777cc73a31e3b830022241e6). I would recommend to run this installer in a virtual machine, because it drops files all over the place, and installs a few launch items (agents/daemons). The executable 'CiscoVideoGuardMonitor' can be found at '$HOME/Library/Cisco/VideoGuardPlayer/VideoGuardMonitor/
VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor'. Certificate details: Serial number: 66170CE2EC8B7D88B4E2EB732E738FE3A67CF672, DNS names: drmlocal.cisco.com, Issued by: HydrantID SSL ICA G2. The issuer HydrantID has since communicated with the certificate holder Cisco, and the certificate has been revoked.
Why don't they study this just a bit?
"Which one is the public key and the private key? Oh, screw it. I'll include both."
If they want an HTTPS website to be able to access a local service I've installed via WebSocket, then what other option is there?
Also, this only theoretically allows an attacker to steal cookies if they're based off the company's root domain. Doesn't seem so bad.
If they want an HTTPS website to be able to access a local service I've installed via WebSocket, then what other option is there?
Have the local HTTPS server generate its own private key and then send a certificate signing request (CSR) with the public key and hostname to a certificate authority (CA).
But this in turn raises two questions: which CA, and which hostname? Let's Encrypt is limited to 20 certificates per registrable domain per week, and if all devices are on the same domain, it'll hit that rate limit fairly quickly. Is every end user supposed to pay for his own domain and pay to keep it renewed? Or is the manufacturer supposed to register a domain, run its own dynamic DNS server, give each end user a subdomain, and submit it to Mozilla's Public Suffix List (PSL) so that subdomains are considered registrable? Last I heard, the PSL had such a backlog that adding a domain took months.
Also, this only theoretically allows an attacker to steal cookies if they're based off the company's root domain.
Then the domain used for the dynamic DNS service should differ from the domain used for the company's customer service web application. It's why Google serves works uploaded by users from the domain googleusercontent.com.
there's the additional problem of the HTTPS server not being reachable from the outside at all.
ACME as implemented by Let's Encrypt supports a cleartext HTTP challenge and a DNS challenge. A user obtaining a certificate can use either of these to prove domain control. Only the cleartext HTTP challenge requires the server to be "reachable from the outside". The DNS challenge requires that the device requesting the certificate have control over TXT records associated with the requested hostname, which is true of any dynamic DNS implementation.
"It takes a few weeks to process requests" according to Rate Limits. So I don't see how it'd necessarily be faster than a PSL addition.
Other than DRM there is no point in the encryption with localhost communication for a video player app.
The other point is to satisfy the mixed active content blocking policy of major web browsers. If the outer page is HTTPS, all requests it makes must also be HTTPS. Or do you consider the mixed active content blocking policy itself pointless?
The DNS lookup is insecure and can be easily hijacked on the network. The SSL Certificate and its corresponding Keypair is what controls access of HTTPS connections to be associated with a given hostname..
Your ramblings have nothing to do with how this certificate would actually be used in the real world.
drmlocal.cisco.com is what hands out the permissions to view (or not view) videos this app streams.
It would be the computer and network owner setting up the proxy, so whatever you're going on about as some local insecurity has what to do with that again?
The security problem is with cisco, not the user!
I would setup my own proxy, on my own network, using my own credentials. /etc/hosts equivalent redirect for cisco's domain on my own computer to point to my own proxy.
I would then setup my own
With this private key, the application will now trust any response my own server sends the app.
It will of course be configured to always say "Yes that person has permission to stream whatever video it was you mentioned"
If cisco has specified I do not have permission to stream a video on their servers, because you know, I don't have permission and didn't buy it, this setup will allow me to stream and watch it.
How on earth do you figure that isn't a security compromise from cisco's point of view???
I don't know that many people who habe domains just for their own devices at home ...
The manufacturer of such a device is expected to follow the following steps:
1. Register a domain for devices to use.
2. Submit this domain to Mozilla's Public Suffix List so that cookies and certificates from one device don't leak to others.
3. Issue a subdomain of this domain to each device.
4. Operate a dynamic DNS service so that devices can set their AAAA and TXT records.
The cost of steps 1 and 4 would be rolled into the price of each device.
Sure, it's technically possible, but it's also possible for the user to operate their own CA
It may not be possible for the user to configure a particular device to trust his own CA's root certificate. For example, under Android 7 "Nougat", an application will not trust user-added root certificates unless the application's developer has opted in, and there's no rule that all web browser developers must opt in. See "Changes to Trusted Certificate Authorities in Android Nougat" by Chad Brubaker