According to monitoring by 1M AI News, the 360 Security Team has responded to the OpenClaw wildcard certificate and private key leak, stating that including an internal domain certificate in the installation package was a business mistake. The certificate involved covers *.myclaw.360.cn, which resolves to the loopback address 127.0.0.1 (localhost); it is used only on the user's machine and is not externally accessible.
After receiving reports from multiple security researchers, 360 applied for revocation of the certificate. The certificate is now invalid and cannot be used for any legitimate HTTPS encrypted communication, with no impact on regular users. A theoretical risk of man-in-the-middle attacks during the leak period remains, but because the certificate corresponds to a service that runs only in the local environment, the actual risk is relatively limited.
