In the wake of the revelation that a major SSL certificate provider suffered a serious breach
, Chris Palmer from the Electronic Frontier Foundation has analysis of the common practice of issuing certificates for unqualified domain names, such as "mail" and "www" and "localhost" (an unqualified domain is one that consists of a single word, without a top- and second-level domain, e.g., "www" instead of "www.boingboing.net"). These unqualified names should never
be issued certificates, as doing so leaves anyone who makes a practice of using them within a company network vulnerable to man-in-the-middle attacks. Palmer found tens of thousands of these certificates, and sounds the alarm that if you're not using fully qualified domains for secure connections, you're very vulnerable.
Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail"? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack! Everything would look normal: your browser would use HTTPS, it would show a the lock icon that indicates HTTPS is working properly, it would show that a real CA validated the HTTPS certificate, and it would raise no security warnings. And yet, you would be giving your password and your email contents to the attacker.
Unqualified Names in the SSL Observatory
To test the prevalence of the validated, unqualified names problem, I queried the Observatory database for unqualified names similar to "exchange". (Microsoft Exchange is an extremely popular email server, and servers that run it commonly have "exchange" or "exch" in their names. Likely examples include "exchange.example.net" and "exch-01.example.com".) My results show that unqualified "exchange"-like names are the most popular type of name, overall, that CAs are happy to sign.
Yahoo’s sale to Verizon means that Yahoo’s sub-companies — Flickr, Tumblr and a host of others — are now divisions of a phone company, and as you might expect, being on the payroll of a notorious neutracidal maniac with a long history of sleazy, invasive, privacy-destroying, monopolistic, deceptive, anti-competitive, scumbag shakedowns has changed the public […]
What was last week posed as an indefinite leave of absence is now for good: Travis Kalanick, CEO of scandal-wracked rideshare company Uber, announced that he is leaving the company. “I love Uber more than anything in the world and at this difficult moment in my personal life I have accepted the investors request to […]
Chinese state media reports on a $28/RMB188 app that browses webcams whose default passwords haven’t been changed, allowing subscribers to watch the goings-on in stores, living rooms, bedrooms, children’s rooms, and anywhere a CCTV might be installed.
As the old saying goes, “You should sit in meditation for 30 minutes every day. Unless you are too busy, in which case you should meditate for an hour.” Since most of us have an endless list of things to do and people to see, carving out quiet time can feel impossible, especially when most […]
The Bragi Dash Truly Wireless Smart Earphones are far more than your run of the mill Bluetooth earbuds. While the earpiece design makes these earbuds ideal for exercise and activity, and passive noise cancelling is conducive to a more serene listening experience, these buds go well beyond just playing music.First of all, they can actually […]