[cabfpub] Incident report: Internal names in certs expiring after 1st November 2015
rob.stradling at comodo.com
Wed Nov 11 13:52:53 MST 2015
On 09/11/15 09:12, Rob Stradling wrote:
> OTHER CAs:
> We widened our investigation to look for certificates with notBefore >=
> 2nd November 2014 that chain to publicly trusted roots and include any
> Internal Names or Reserved IP Addresses. We found non-compliant
> certificates issued by quite a number of other CAs, but I'll document
> these in another post.
We've listed those "non-compliant certificates issued by quite a number
of other CAs" in this spreadsheet:
- This report only covers certificates that include the
id-kp-serverAuth OID in the Extended Key Usage extension and whose
chains are currently trusted for server authentication by at least one
of the Apple, Microsoft and Mozilla root certificate programs.
- A few of the "Name Value"s in this report are probably not useable
for addressing servers in a private network, but we've included them
because they're not valid Internet domain names or Internet IP addresses
- These certificates are known to CT. You can view them using the
crt.sh links in the spreadsheet.
- We looked for reserved IPv4 addresses, but we didn't look for
reserved IPv6 addresses.
- The BRs defer to
the list of IPv4 address ranges "that the IANA has marked as reserved".
That page lists the 172/8 range as "LEGACY" rather than "RESERVED", so
arguably 172.16.0.0 - 172.31.255.255 are _not_ Reserved IP Addresses
according to the BRs. Since
https://en.wikipedia.org/wiki/Private_network says otherwise, I've
included that IPv4 address range in this report.
- Certificates that contain only Internal Names or Reserved IP
Addresses are, by their very nature, not expected to be publicly
discoverable, so there could be many more non-compliant certificates out
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public