Bulletproof TLS Newsletter #29
Cisco and Spotify ship private keys in applications
29 June 2017
Author: Hanno Böck

This issue was distributed to 37,751 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Cisco and Spotify ship private keys in applications
  2. Short news

Cisco and Spotify ship private keys in applications

Several cases of the problematic practice of shipping private keys within applications have been discovered lately. Koen Rouwhorst found that the Sky NOW TV Player shipped with a certificate for a domain owned by Cisco and the corresponding private key. Shortly thereafter, Annie Nguyen reported that an application by Spotify had a very similar problem. Several previous cases existed, involving Github, Dropbox, and Discord, but all those certificates were previously known and already revoked.

In most of these cases, the intent of the certificate is for an application to open a local web server so that a web service from a company can communicate with the server within a browser. As ever-increasing numbers of web pages move to HTTPS, this process will be blocked if the local server doesn’t have a valid certificate.

However, the Baseline Requirements of the CA or browser forbid such practices. If a private key becomes public, then the corresponding certificate is revoked.

Discussions are ongoing about whether browsers should treat localhost IPs such as as secure origins even if they are delivered over unencrypted HTTP. Future browsers might allow this practice without a need for shipping certificates and keys.

Short news