[cabfpub] Incident report: Internal names in certs expiring after 1st November 2015

"Barreira Iglesias, Iñigo" i-barreira at izenpe.eus
Fri Nov 20 11:22:27 UTC 2015


In our case, these have been fixed and the certificates have been revoked. It was a request with "internal" and "external" domains in the SAN in the same request and we didn't realize

Iñigo Barreira
Head of the Technical Department
i-barreira at izenpe.eus 

WARNING! Part or all of this message may be legally protected. The message has its intended recipient. If it has reached the wrong address (address mistyped, transmission failure), notify the sender by replying to this e-mail. CAUTION!
ATTENTION! This message contains privileged or confidential information which only the addressee is entitled to access. If you have received it by mistake, we would be grateful if you did not make use of the information and contacted the sender.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Rob Stradling
Sent: Wednesday, 11 November 2015 21:53
To: public at cabforum.org
Subject: Re: [cabfpub] Incident report: Internal names in certs expiring after 1st November 2015

On 09/11/15 09:12, Rob Stradling wrote:
> We widened our investigation to look for certificates with notBefore 
> >= 2nd November 2014 that chain to publicly trusted roots and include 
> any Internal Names or Reserved IP Addresses.  We found non-compliant 
> certificates issued by quite a number of other CAs, but I'll document 
> these in another post.

We've listed those "non-compliant certificates issued by quite a number of other CAs" in this spreadsheet:



   - This report only covers certificates that include the id-kp-serverAuth OID in the Extended Key Usage extension and whose chains are currently trusted for server authentication by at least one of the Apple, Microsoft and Mozilla root certificate programs.

   - A few of the "Name Value"s in this report are probably not useable for addressing servers in a private network, but we've included them because they're not valid Internet domain names or Internet IP addresses either.

   - These certificates are known to CT.  You can view them using the crt.sh links in the spreadsheet.

   - We looked for reserved IPv4 addresses, but we didn't look for reserved IPv6 addresses.

   - The BRs defer to http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml for the list of IPv4 address ranges "that the IANA has marked as reserved".  That page lists the 172/8 range as "LEGACY" rather than "RESERVED", so arguably - are _not_ Reserved IP Addresses according to the BRs.  Since https://en.wikipedia.org/wiki/Private_network says otherwise, I've included that IPv4 address range in this report.

   - Certificates that contain only Internal Names or Reserved IP Addresses are, by their very nature, not expected to be publicly discoverable, so there could be many more non-compliant certificates out there!

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
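The check Rob describes, as an added example (not code from the thread or from any CA's tooling): given a certificate's notAfter date, its EKU OIDs and its SAN values as plain strings, it flags Internal Names, Reserved IP Addresses and values that are neither valid domain names nor IP addresses. It assumes SAN values have already been extracted from the certificate, uses a short constructed list of non-public suffixes in place of IANA's TLD list, and goes beyond the report by also classifying IPv6 addresses via the `ipaddress` module.

```python
import ipaddress
import re
from datetime import date

# BR deadline from the thread's subject: certs with Internal Names or Reserved IPs
# must not expire after 1 November 2015.
CUTOFF = date(2015, 11, 1)
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth

# Assumption: a constructed list of suffixes treated as non-public. A production check
# would compare the rightmost label against IANA's list of delegated TLDs instead.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp", ".intranet")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label, LDH rule


def classify_san(value):
    """Return 'public', 'internal_name', 'reserved_ip' or 'invalid' for one SAN value."""
    v = value.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(v)          # handles IPv4 and IPv6
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 1918 space (including 172.16.0.0/12, which the thread notes IANA marks
        # "LEGACY"), loopback, link-local and other IANA-reserved blocks all count.
        if ip.is_private or ip.is_reserved or ip.is_loopback or ip.is_link_local:
            return "reserved_ip"
        return "public"
    labels = v.split(".")
    if labels[0] == "*":                      # wildcard: judge the remaining name
        labels = labels[1:]
    if not labels or not all(LABEL_RE.match(lbl) for lbl in labels):
        return "invalid"                      # e.g. underscores, spaces, empty labels
    if len(labels) == 1 or v.endswith(NON_PUBLIC_SUFFIXES):
        return "internal_name"                # single-label host or non-public suffix
    return "public"


def non_compliant_sans(not_after, ekus, sans):
    """SAN values that make a server-auth cert non-compliant when it expires after CUTOFF."""
    if SERVER_AUTH_OID not in ekus or not_after <= CUTOFF:
        return []
    return [s for s in sans if classify_san(s) != "public"]


if __name__ == "__main__":
    # Constructed sample resembling the mixed internal/external request in the thread.
    sample = ["www.example.com", "mailserver", "exchange.corp.local", "10.0.0.5", "172.31.4.9"]
    print(non_compliant_sans(date(2016, 3, 1), [SERVER_AUTH_OID], sample))
```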