Mistakes happen; nobody is perfect, and everyone slips up now and then. The problem is that some mistakes have a huge impact, with consequences the person either cannot foresee or only grasps once the mistake comes to light.
Such is the case for Microsoft, which accidentally disclosed the private key for an Xbox Live SSL/TLS digital certificate and has had to have that certificate invalidated to prevent its fraudulent use against Xbox Live users: “to help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate,” Microsoft wrote in its public security advisory.
Microsoft's advisory also notes that, with the private key in the wrong hands, the certificate could be used in attempts to perform man-in-the-middle attacks against users of the service.
To make sense of this, we need to understand three things: what a digital certificate is, what a private key is, and what a man-in-the-middle attack is. We'll take them in that order.
What is a digital certificate?
A digital certificate, also called a public key certificate or identity certificate, is an electronic document that binds a public key to an identity (for a website, the hostname you see in the address bar) and is signed by a certificate authority (CA). When a browser or game console connects over SSL/TLS, the server presents its certificate and then proves, during the handshake, that it holds the matching private key. If the certificate is signed by a CA the client already trusts and the name matches, the client accepts that it is talking to the genuine site and that the connection cannot be read or altered in transit. That is what a certificate protects against: impersonation and eavesdropping, not malware, viruses or ransomware on your own machine. The certificate itself is public and is sent to every visitor; the private key is the secret half of the key pair, generated by the site operator and never included in the certificate. Microsoft, as the operator of Xbox Live, held that private key, which is the only way it could have disclosed it: a certificate can be leaked by anyone who has seen it, but only the key holder can leak the key.
What are private keys?
Private keys are called “private” as a reminder that they must stay private. Think of them like your house or car keys: the lock (the certificate) is visible to everyone, but only the key opens it, and anyone who copies the key gets the same access you have. In TLS terms, whoever holds the private key can complete the handshake as the certificate's subject. Microsoft's accidental disclosure of the Xbox Live private key therefore means that anyone who obtained it could present the Xbox Live certificate and be accepted by clients as Xbox Live itself. Microsoft has since had the certificate distrusted, but for as long as it was valid, an attacker positioned between a user and the service could have read or altered the traffic: usernames, passwords, credit or debit card details and other account data, to be used directly or sold on the black market.
Had a hacker or group of hackers obtained the key while the certificate remained valid, they could have stood up a site that passes every check the client performs and looks, to the browser or console, like the real Xbox Live. One caveat worth stating: a leaked key does not by itself route victims to the attacker. They still need to get into the path, for example through a rogue Wi-Fi hotspot, DNS spoofing or a compromised router. Once they are, the moment you type in your financial and personal information, the attacker has your money, your account, and, if you reuse passwords, anything else of yours those credentials unlock (social media accounts included).
What are man-in-the-middle attacks?
A man-in-the-middle (MITM) attack is one in which an attacker inserts themselves between two parties who believe they are talking directly to each other, relaying the traffic in both directions. In its passive form the attacker only reads the traffic (active eavesdropping, since the attacker is part of the path rather than merely listening nearby); in its active form the attacker also modifies it. TLS is designed to stop exactly this: the impostor cannot present a valid certificate for the site's name without the matching private key, so the client refuses the connection. With the key in hand, that protection is gone, and the attacker can impersonate one side to the other and rewrite messages at will. A message reading “buy your ticket for the concert” could be changed in transit to “give me the money for the ticket,” with the attacker collecting money from an innocent participant who never realizes the conversation has been tampered with.
What the Microsoft disclosure means for Xbox Live customers
Given all of the above, Xbox Live customers were exposed to exactly this kind of MITM attack, which is why Microsoft declared the previously valid certificate invalid and pushed out a CTL update so that Windows no longer trusts it. An attacker in the path could have intercepted and rerouted the connection, presented the leaked certificate as their own, and read or altered everything that passed through.
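To make the three points of this article concrete (that the certificate is public and only the key is secret, that whoever holds the leaked key passes every check the client performs, and that the CTL update is what finally shuts the door), here is an added example in Go. It is not Microsoft's code and it does not touch the real Xbox Live certificate: it builds its own toy root CA and a leaf certificate for the made-up name xboxlive.example, has an impostor serve that certificate on loopback, and stands in for the Certificate Trust List with a set of SHA-256 fingerprints the client refuses. The names Toy Root CA and xboxlive.example and the functions issue, buildPKI, fingerprint and connect are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// hostname is a made-up stand-in for the subject of the disclosed certificate (assumption of this example).
const hostname = "xboxlive.example"

// issue returns a certificate for tmpl signed by parent (self-signed when parent is nil) plus its new key.
// The certificate is public and goes to every client; only the returned key is secret.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI creates a toy root CA and a server certificate for hostname; the leaf key stands in for the disclosed one.
func buildPKI() (*x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root CA"}, IsCA: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, leaf, leafKey, err
}

// fingerprint is the hex SHA-256 of the DER encoding, the value a trust list is keyed on.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// connect has an impostor serve leaf with key over TLS while a client that trusts ca connects expecting hostname.
// Fingerprints in distrusted are refused even though the chain verifies: the effect of the CTL update.
func connect(ca, leaf *x509.Certificate, key *ecdsa.PrivateKey, distrusted map[string]bool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}},
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // impostor side: drive one handshake; the client reports the outcome
		if conn, err := ln.Accept(); err == nil {
			conn.(*tls.Conn).Handshake()
			conn.Close()
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: pool, ServerName: hostname,
		// Only reached after the chain, validity period and hostname checks have all passed.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if c := chains[0][0]; distrusted[fingerprint(c)] {
				return errors.New("presented certificate is distrusted: " + c.Subject.CommonName)
			}
			return nil
		},
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	ca, leaf, leakedKey, err := buildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("leaked key, certificate trusted: ", connect(ca, leaf, leakedKey, nil))
	fmt.Println("leaked key after the CTL update: ", connect(ca, leaf, leakedKey, map[string]bool{fingerprint(leaf): true}))
}
```

Run it with go run: the first line prints <nil>, because the client trusts the toy CA, the name matches and the impostor can prove possession of the key, so nothing in the handshake distinguishes it from the real server; the second line prints the distrust error, which is the only thing that stopped it once the key was public. Swap a freshly generated key in for leakedKey and the handshake fails with an invalid-signature error from the client: the certificate on its own is useless, which is why disclosure of the key, not of the certificate, is the problem.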
The good news is that Microsoft has addressed this, and the fix arrives through the Certificate Trust List update for Windows, so make sure your systems are up to date. Until everything is clearly in the clear, it is wise to keep an eye on your Xbox Live account activity and change your password if you see anything unexpected. Xbox Live may be all about games, but remote hacking is no game.