In the wake of the revelation that a major SSL certificate provider suffered a serious breach, Chris Palmer from the Electronic Frontier Foundation has an analysis of the common practice of issuing certificates for unqualified domain names, such as "mail", "www" and "localhost" (an unqualified domain is one that consists of a single word, without a top- and second-level domain, e.g., "www" instead of "www.boingboing.net"). These unqualified names should never be issued certificates, as doing so leaves anyone who makes a practice of using them within a company network vulnerable to man-in-the-middle attacks. Palmer found tens of thousands of these certificates, and sounds the alarm that if you're not using fully qualified domains for secure connections, you're very vulnerable.
Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail"? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack! Everything would look normal: your browser would use HTTPS, it would show the lock icon that indicates HTTPS is working properly, it would show that a real CA validated the HTTPS certificate, and it would raise no security warnings. And yet, you would be giving your password and your email contents to the attacker.
Unqualified Names in the SSL Observatory
To test the prevalence of the validated, unqualified names problem, I queried the Observatory database for unqualified names similar to "exchange". (Microsoft Exchange is an extremely popular email server, and servers that run it commonly have "exchange" or "exch" in their names. Likely examples include "exchange.example.net" and "exch-01.example.com".) My results show that unqualified "exchange"-like names are the most popular type of name, overall, that CAs are happy to sign.
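The check a defender can run over their own certificate inventory, as an added example that is not part of the original post or of the EFF analysis: it flags single-label names in the subject commonName and DNS subjectAltName entries. The function names and the sample certificates are constructed for illustration; the dict layout follows what Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

def is_unqualified(name: str) -> bool:
    """True if name is a single-label DNS name such as "mail" or "localhost"."""
    host = name.strip().rstrip(".").lower()   # a trailing dot is still the same name
    if not host or any(ch.isspace() for ch in host):
        return False                          # empty, or a CN that is not a hostname
    try:
        ipaddress.ip_address(host)            # "::1" has no dot but is an IP literal
        return False
    except ValueError:
        pass
    return "." not in host

def unqualified_names(cert: dict) -> list:
    """Return the unqualified names a certificate is valid for, de-duplicated."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":                     # skip "IP Address", "URI", etc.
            names.append(value)
    flagged = []
    for name in names:
        key = name.strip().rstrip(".").lower()
        if is_unqualified(name) and key not in flagged:
            flagged.append(key)
    return flagged

# Constructed sample certificates (not taken from the Observatory data).
SAMPLE_CERTS = [
    {"subject": ((("commonName", "mail"),),),
     "subjectAltName": (("DNS", "mail"), ("DNS", "mail.example.com"))},
    {"subject": ((("commonName", "exch-01.example.com"),),),
     "subjectAltName": (("DNS", "exch-01.example.com"),)},
    {"subject": ((("commonName", "localhost"),),),
     "subjectAltName": (("DNS", "EXCHANGE"), ("IP Address", "::1"))},
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(unqualified_names(cert))
```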