Xbox Live Private Digital Certificate Disclosed Online
It has been recently revealed that a private SSL certificate relating to the Xbox Live has been leaked to the public. The news came out through the TechNet Blog of Microsoft itself where they have also explained the implications of this.
The post basically confirms the private digital certificate getting disclosed online before explaining that “it cannot be used to issue other certificates, impersonate other domains, or sign code,” which means you are mostly safe.
Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks.
The exact nature might not be known but it is expected that this is one of the many wildcard certificates that are used for authentication purposes. While the domain listed is xboxlive.com, the details also refer to Microsoft Windows directly instead of just Xbox.
However, even it posed serious threat, you do not need to worry about it too much.
In order to make sure that people don’t get frauded due to the SSL/TLS digital certificate, Microsoft has confirmed that “the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL).”
Also, there is nothing to panic about since this was not the outcome of an attack and it was also not due to a vulnerability. As Microsoft itself has clarified, the Xbox Live Private Digital Certificate was “inadvertently disclosed” to the public by their own mistake which they caught themselves.
In case you are interested in all the technical details of the matter, you can check out the detailed advisory post that Microsoft has put up on their TechNet website.