Closed Bug 1427034 Opened 7 years ago Closed 7 years ago

DigiCert: localbattle.net certificate with private key in software / issued by Digicert

Categories: CA Program :: CA Certificate Compliance, task

Status: RESOLVED FIXED

People: Reporter: hanno, Assigned: kathleen.a.wilson

Whiteboard: [ca-onecrl]

In bug #1425166 I had reported that Blizzard's battle.net application has a certificate and private key embedded for the domain localbattle.net that points to localhost, making it a key compromise. For a few days Blizzard used a locally created CA and signed a cert from that (which is probably safe if done correctly). However, it now seems they decided to go back to issuing a cert with an embedded private key, this time however from Digicert. (CCing Jeremy Rowley from Digicert, please consider this a report of a key compromise.) This has already been reported to the public mailing list, so I'm not marking this bug private: https://groups.google.com/d/msg/mozilla.dev.security.policy/pk039T_wPrI/VYi629oGCwAJ
I submitted the cert to CT: https://crt.sh/?id=287530764
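As an added example (not part of this bug, and not Blizzard's, DigiCert's or Mozilla's code), the check a reporter or a CA runs on a certificate and private key found inside a software bundle: confirm that the key really belongs to the certificate, so the report is a genuine key compromise and revocation is warranted, and list the hostnames the certificate covers. The key pair and self-signed certificate below are generated at runtime and are constructed stand-ins, not the real localbattle.net certificate; the hostname is reused only to mirror the report, and `NewConstructedPair`, `KeyMatchesCert` and `CertDNSNames` are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ConstructedPair is a throwaway certificate/key pair generated for the
// demo. It is NOT the localbattle.net certificate from the bug report.
type ConstructedPair struct {
	CertPEM []byte
	KeyPEM  []byte
}

// NewConstructedPair builds a self-signed certificate for dnsName and
// returns it with its private key, both PEM encoded (constructed data).
func NewConstructedPair(dnsName string) (*ConstructedPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return &ConstructedPair{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

// parseCert decodes one PEM CERTIFICATE block.
func parseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// KeyMatchesCert reports whether the PEM-encoded PKCS#8 private key is the
// key behind the PEM-encoded certificate. A true result means anyone holding
// that key (e.g. every installation of the bundle) can impersonate the
// certificate's hostnames, which is exactly the "key compromise" condition
// a CA revokes on.
func KeyMatchesCert(certPEM, keyPEM []byte) (bool, error) {
	cert, err := parseCert(certPEM)
	if err != nil {
		return false, err
	}
	keyBlock, _ := pem.Decode(keyPEM)
	if keyBlock == nil {
		return false, errors.New("no PEM block in key input")
	}
	priv, err := x509.ParsePKCS8PrivateKey(keyBlock.Bytes)
	if err != nil {
		return false, err
	}
	signer, ok := priv.(crypto.Signer)
	if !ok {
		return false, errors.New("private key does not implement crypto.Signer")
	}
	// RSA, ECDSA and Ed25519 public keys all implement Equal; compare the
	// public key derived from the leaked private key with the certificate's.
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return false, errors.New("unsupported certificate public key type")
	}
	return pub.Equal(signer.Public()), nil
}

// CertDNSNames returns the SAN DNS names, i.e. the hostnames the leaked key
// would let a holder impersonate.
func CertDNSNames(certPEM []byte) ([]string, error) {
	cert, err := parseCert(certPEM)
	if err != nil {
		return nil, err
	}
	return cert.DNSNames, nil
}

func main() {
	leaked, _ := NewConstructedPair("localbattle.net") // constructed stand-in
	other, _ := NewConstructedPair("unrelated.invalid")
	match, _ := KeyMatchesCert(leaked.CertPEM, leaked.KeyPEM)
	mismatch, _ := KeyMatchesCert(leaked.CertPEM, other.KeyPEM)
	names, _ := CertDNSNames(leaked.CertPEM)
	fmt.Println("bundled key matches cert:", match, "| unrelated key matches:", mismatch, "| SANs:", names)
}
```

The public-key comparison is the whole check: a key file sitting next to a certificate proves nothing until the derived public key equals the one in the certificate, and a CA will want that confirmation (or a signature made with the key) before treating a report as a compromise.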
Should we add this certificate to OneCRL? Doing so would be consistent with our handling of bug #1425166, but it's not clear to me if this certificate represents much of a threat to Firefox users.
This was revoked, but posting to Mozilla isn't the best way to report key compromise (because I don't man bugzilla 24x7). We revoke all certs within 24 hours of confirming key compromise if it's reported to revoke@digicert.com
J.C. and Mark, let's go ahead and add this certificate to OneCRL: https://crt.sh/?id=287530764
Flags: needinfo?(mgoodwin)
Whiteboard: [ca-onecrl]
Depends on: 1432467
Added to OneCRL.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Summary: localbattle.net certificate with private key in software / issued by Digicert → DigiCert: localbattle.net certificate with private key in software / issued by Digicert