In the wake of the revelation that a major SSL certificate provider suffered a serious breach
, Chris Palmer from the Electronic Frontier Foundation has analysis of the common practice of issuing certificates for unqualified domain names, such as "mail" and "www" and "localhost" (an unqualified domain is one that consists of a single word, without a top- and second-level domain, e.g., "www" instead of "www.boingboing.net"). These unqualified names should never
be issued certificates, as doing so leaves anyone who makes a practice of using them within a company network vulnerable to man-in-the-middle attacks. Palmer found tens of thousands of these certificates, and sounds the alarm that if you're not using fully qualified domains for secure connections, you're very vulnerable.
Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail"? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack! Everything would look normal: your browser would use HTTPS, it would show a the lock icon that indicates HTTPS is working properly, it would show that a real CA validated the HTTPS certificate, and it would raise no security warnings. And yet, you would be giving your password and your email contents to the attacker.
Unqualified Names in the SSL Observatory
To test the prevalence of the validated, unqualified names problem, I queried the Observatory database for unqualified names similar to "exchange". (Microsoft Exchange is an extremely popular email server, and servers that run it commonly have "exchange" or "exch" in their names. Likely examples include "exchange.example.net" and "exch-01.example.com".) My results show that unqualified "exchange"-like names are the most popular type of name, overall, that CAs are happy to sign.
Verizon yesterday bought Yahoo, which had earlier bought Flickr, a photo-sharing site, and Tumblr, a blogging platform. Both of these places have three key qualities that raise important questions about their survival: 1) they’re both oldschool platforms locked in time because they were bought by Yahoo, 2) both still have vast, dedicated userbases, 3) both […]
Amazon.com says it has entered into a partnership with the British government to get the nation’s aviation authority approval for deliveries via small drones.
In a new working paper from the Center for Economic Policy Research, scholars look at the trading records of shareholders, directors and top executives of major financial institutions in the runup to the crash of 2007, and find that the sell-offs by the top five executives at a bank strongly correlated with that bank’s losses […]
Having to pack and drag your stuff through security can put quite the damper on your vacation plans. Thankfully, we’ve got your back with one way to make traveling more painless: the Jumper Overnighter Travel Bag.This compact bag is so lightweight that you can effortlessly carry it, and fit it into any overhead compartment. But just […]
Learning is a 24/7/365 proposition, and it never ends. And if you’re truly serious about leveling up your skill sets and career prospects, get a subscription to Stone River Academy’s massive course collection. This offer normally is worth over $1,400, but is now available for just $89 in the Boing Boing Store.A respected name in information technology […]
Home audio has taken some big leaps forward in recent years–not just in terms of sound quality, but also in the style department. The FRESHeBAR Leather Soundbar, now 56% off in the Boing Boing Store, is proof.The FRESHeBAR comes packing almost all the options you’d ever need for a home sound system, including Bluetooth streaming capabilities.The unit’s 90 […]