[cabfpub] Incident report: Internal names in certs expiring after 1st November 2015

Rob Stradling rob.stradling at comodo.com
Wed Nov 11 20:52:53 UTC 2015


On 09/11/15 09:12, Rob Stradling wrote:
<snip>
> OTHER CAs:
> We widened our investigation to look for certificates with notBefore >=
> 2nd November 2014 that chain to publicly trusted roots and include any
> Internal Names or Reserved IP Addresses.  We found non-compliant
> certificates issued by quite a number of other CAs, but I'll document
> these in another post.

We've listed those "non-compliant certificates issued by quite a number 
of other CAs" in this spreadsheet:

https://docs.google.com/spreadsheets/d/13J1gm_3FX-K-3wgC8OuN2znevW_VzWv21ya76BK5OrM/edit?usp=sharing

Notes:

   - This report only covers certificates that include the 
id-kp-serverAuth OID in the Extended Key Usage extension and whose 
chains are currently trusted for server authentication by at least one 
of the Apple, Microsoft and Mozilla root certificate programs.

   - A few of the "Name Value"s in this report are probably not usable 
for addressing servers in a private network, but we've included them 
because they're not valid Internet domain names or Internet IP addresses 
either.

   - These certificates are known to CT.  You can view them using the 
crt.sh links in the spreadsheet.

   - We looked for reserved IPv4 addresses, but we didn't look for 
reserved IPv6 addresses.

   - The BRs defer to 
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml for 
the list of IPv4 address ranges "that the IANA has marked as reserved". 
  That page lists the 172/8 range as "LEGACY" rather than "RESERVED", so 
arguably 172.16.0.0 - 172.31.255.255 are _not_ Reserved IP Addresses 
according to the BRs.  Since 
https://en.wikipedia.org/wiki/Private_network says otherwise, I've 
included that IPv4 address range in this report.

   - Certificates that contain only Internal Names or Reserved IP 
Addresses are, by their very nature, not expected to be publicly 
discoverable, so there could be many more non-compliant certificates out 
there!

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
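The checks the post describes (Internal Names that cannot resolve in the public DNS, IPv4 addresses in IANA-reserved ranges, and the 172.16.0.0/12 question) as an added, runnable example; this is not code from the original post or from Comodo. The public-TLD sample, the reserved-range table (taken from RFC 6890), the `include_172_16` / `check_ipv6` switches and the SAMPLE_SAN input are this example's own constructed assumptions. It goes slightly beyond the post by optionally classifying IPv6 addresses, which the post says were not examined.

```python
"""Classify subjectAltName entries as Internal Names / Reserved IP Addresses.

Added example, not code from the original post. The TLD sample, the reserved-range
table and SAMPLE_SAN are this example's own constructed assumptions.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple, Union

# Assumption: small constructed subset of the IANA Root Zone Database. A real checker
# would load the full list (https://data.iana.org/TLD/tlds-alpha-by-domain.txt).
PUBLIC_TLDS = {"com", "net", "org", "uk", "de", "io", "info"}

# Assumption: IPv4 special-purpose ranges as listed in RFC 6890. 172.16.0.0/12 is kept
# separate because the ipv4-address-space registry the BRs cite marks 172/8 as LEGACY
# rather than RESERVED, so the caller decides whether to count it.
RESERVED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]
RFC1918_172 = ipaddress.ip_network("172.16.0.0/12")

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def reserved_ip_reason(addr: IPAddr, include_172_16: bool, check_ipv6: bool) -> Optional[str]:
    """Reason string if addr is one the BRs would treat as a Reserved IP Address, else None."""
    if addr.version == 4:
        for net in RESERVED_V4:
            if addr in net:
                return f"reserved IPv4 ({net})"
        if include_172_16 and addr in RFC1918_172:
            return f"RFC 1918 IPv4 ({RFC1918_172}); 172/8 is LEGACY, not RESERVED, at IANA"
        return None
    # The post did not check IPv6; this goes beyond it using the stdlib classification.
    if check_ipv6 and not addr.is_global:
        return "non-global IPv6 (stdlib classification)"
    return None


def internal_name_reason(value: str) -> Optional[str]:
    """Reason string if a dNSName cannot be a public DNS name, else None."""
    labels = value.rstrip(".").lower().split(".")
    if labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]          # a wildcard is allowed only in the leftmost label
    if any(not LABEL_RE.match(lbl) for lbl in labels):
        return "not a valid Internet domain name"
    if len(labels) == 1:
        return "single-label name"
    if labels[-1] not in PUBLIC_TLDS:
        return f"TLD '.{labels[-1]}' is not in the public root zone"
    return None


def find_noncompliant(san: Iterable[Tuple[str, str]], include_172_16: bool = True,
                      check_ipv6: bool = False) -> List[Tuple[str, str, str]]:
    """Return (type, value, reason) for each SAN entry that is an Internal Name or Reserved IP."""
    findings = []
    for kind, value in san:
        try:
            addr: Optional[IPAddr] = ipaddress.ip_address(value)
        except ValueError:
            addr = None
        if kind == "iPAddress":
            reason = ("unparseable iPAddress" if addr is None
                      else reserved_ip_reason(addr, include_172_16, check_ipv6))
        elif addr is not None:
            # An IP literal inside a dNSName: judge it as an address, not as a hostname.
            reason = reserved_ip_reason(addr, include_172_16, check_ipv6)
        else:
            reason = internal_name_reason(value)
        if reason:
            findings.append((kind, value, reason))
    return findings


# Constructed sample SAN, not taken from the spreadsheet. 1.2.3.4 stands in for a public address.
SAMPLE_SAN = [
    ("dNSName", "www.example.com"),
    ("dNSName", "*.example.org"),
    ("dNSName", "mail.corp.local"),
    ("dNSName", "exchange01"),
    ("dNSName", "192.168.1.1"),
    ("iPAddress", "172.20.1.5"),
    ("iPAddress", "10.0.0.1"),
    ("iPAddress", "1.2.3.4"),
    ("iPAddress", "fd00::1"),
]

if __name__ == "__main__":
    for kind, value, reason in find_noncompliant(SAMPLE_SAN):
        print(f"{kind:10} {value:20} {reason}")
```

Run against the constructed sample, the default settings flag five entries; passing `include_172_16=False` drops 172.20.1.5, which is the "arguably not Reserved" case the post raises, and `check_ipv6=True` additionally flags fd00::1. To run this over real certificates, feed it the dNSName and iPAddress values parsed from the SAN extension, and replace the PUBLIC_TLDS sample with the full IANA root-zone list.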
