Facepalm: Valid certificates are a crucial component of Transport Layer Security and Secure Sockets Layer protocols. When properly managed, they establish and validate the chain of trust that sustains encrypted traffic across the modern web. Chinese company Qihoo 360 recently demonstrated how a single certificate-related error can compromise the security of an entire infrastructure.

Qihoo 360 recently shipped its 360 Security Claw AI assistant, a tool designed to rein in the viral AI agent OpenClaw. However, the installer contained the private key for an SSL certificate associated with the company's internet domain. Criminals and security researchers could theoretically exploit the leaked key to compromise Qihoo 360's infrastructure, although the company is likely to invalidate the certificate soon.
As security researcher and W3C consultant Lukasz Olejnik explained, an SSL private key functions like a "master password" for a website's encrypted connections. The leaked SSL certificate applies to the myclaw.360.cn domain, is valid until April 2027, and covers all subdomains hosted on the platform. With the private key now publicly exposed, fraudsters and cyber criminals could use it to impersonate Qihoo 360 online.
A leaked private key can also be abused to silently intercept user traffic, create convincing login pages for phishing campaigns, or even take control of the AI agent wrapper. Qihoo 360 introduced 360 Security Claw AI as a tool designed to protect user credentials, while the original OpenClaw bot has a reputation for compromising users' digital lives and causing irrecoverable security issues.
– Lukasz Olejnik (@lukOlejnik) March 16, 2026
The certificate still appears to be valid, and the company has yet to issue an official statement about the embarrassing security incident. Most likely, the leaked certificate will soon be revoked and replaced with a new key.
Olejnik highlighted the massive reach of Qihoo 360, a company serving hundreds of millions of users in China and abroad. This "Chinese McAfee," which dominates its domestic market, has a $10 billion valuation, but apparently no one checked the public Zip archive containing the SSL certificate before the release.
Qihoo 360 is also a highly controversial organization. Forbes has described it as a litigious company involved in several anti-competition lawsuits. The company has previously been accused of embedding secret backdoors in its 360 Secure Browser, and more recently, security researchers found that popular Android VPN apps had undisclosed ties to the Chinese giant.
Qihoo 360 accidentally exposed a private SSL key, putting its platform at risk