In the wake of the revelation that a major SSL certificate provider suffered a serious breach, Chris Palmer from the Electronic Frontier Foundation has posted an analysis of the common practice of issuing certificates for unqualified domain names such as "mail", "www" and "localhost" (an unqualified name is a single label with no second- or top-level domain, e.g., "www" instead of "www.boingboing.net"). These unqualified names should never be issued certificates: a bare name like "mail" is not globally unique, so a certificate for it is valid on any network where a machine answers to that name, and anyone who habitually browses to https://mail/ on a company network is exposed to a man-in-the-middle attack by whoever holds such a certificate. Palmer found tens of thousands of these certificates in the EFF's SSL Observatory, and sounds the alarm that if you're not using fully qualified domain names for secure connections, you're very vulnerable.
Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail"? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack! Everything would look normal: your browser would use HTTPS, it would show the lock icon that indicates HTTPS is working properly, it would show that a real CA validated the HTTPS certificate, and it would raise no security warnings. And yet, you would be giving your password and your email contents to the attacker.
Unqualified Names in the SSL Observatory
To test the prevalence of the validated, unqualified names problem, I queried the Observatory database for unqualified names similar to "exchange". (Microsoft Exchange is an extremely popular email server, and servers that run it commonly have "exchange" or "exch" in their names. Likely examples include "exchange.example.net" and "exch-01.example.com".) My results show that unqualified "exchange"-like names are the most popular type of name, overall, that CAs are happy to sign.
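The check Palmer describes, as an added example that is not EFF's code or the Observatory query: a small Python script that classifies certificate subject names (CN and subjectAltName entries), tallies the unqualified ones so the most frequently issued bare names stand out, and doubles as the issuance check a CA should have been running. The sample names and the `^exch` heuristic for "exchange"-like hosts are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: subject names (CN and subjectAltName dNSName values) of
# the kind one would dump from a pile of CA-issued certificates. Made up for
# this example, not rows from the SSL Observatory.
SAMPLE_NAMES = [
    "www.example.net",
    "mail.example.net",
    "exchange.example.net",
    "exch-01.example.com",
    "exchange",
    "exch01",
    "EXCH-CAS",
    "webmail",
    "mail",
    "localhost",
    "autodiscover",
    "*.example.org",
    "*.mail",
    "10.0.0.5",
    "exchange.corp.local",
    "mail.example.net.",
]

# Names beginning with "exch" cover the usual Exchange host-naming habits
# ("exchange", "exch-01", "exch01", ...). Hypothetical heuristic for this example.
EXCHANGE_LIKE = re.compile(r"^exch", re.IGNORECASE)


def normalize(name):
    """Lower-case and drop a trailing root dot so 'Mail.example.net.' and
    'mail.example.net' count as the same name."""
    return name.strip().rstrip(".").lower()


def classify_name(name):
    """Classify a certificate subject name.

    'fqdn'                 - at least two labels, e.g. mail.example.net
    'wildcard'             - *.example.org
    'unqualified'          - a single label such as 'mail' or 'localhost'
    'unqualified-wildcard' - '*.mail': every host under a bare label
    'ip'                   - an IP address literal
    Names under a private suffix such as .local are still 'fqdn' here; they
    are a related problem, not the one this check is about.
    """
    n = normalize(name)
    try:
        ipaddress.ip_address(n)
        return "ip"
    except ValueError:
        pass
    if n.startswith("*."):
        return "wildcard" if "." in n[2:] else "unqualified-wildcard"
    return "fqdn" if "." in n else "unqualified"


def should_refuse(name):
    """CA-side issuance check: refuse anything that does not name a host in the
    public DNS. Bare labels, wildcards over a bare label and IP literals are
    refused; only fully qualified names and ordinary wildcards pass."""
    return classify_name(name) not in ("fqdn", "wildcard")


def audit_names(names):
    """Tally names by class and rank the unqualified ones, so the most commonly
    issued bare names (the 'exchange' family in particular) stand out the way
    they did in Palmer's query."""
    by_class = Counter()
    unqualified = Counter()
    exchange_like = Counter()
    for name in names:
        cls = classify_name(name)
        by_class[cls] += 1
        if cls.startswith("unqualified"):
            key = normalize(name)
            unqualified[key] += 1
            # strip a leading "*." so "*.exch" is still counted as exchange-like
            if EXCHANGE_LIKE.match(key.lstrip("*.")):
                exchange_like[key] += 1
    return by_class, unqualified, exchange_like


if __name__ == "__main__":
    by_class, unqualified, exchange_like = audit_names(SAMPLE_NAMES)
    print("names by class:", dict(by_class))
    print("unqualified names, most issued first:", unqualified.most_common())
    print("of which 'exchange'-like:", sorted(exchange_like))
    for name in SAMPLE_NAMES:
        print(f"{name!r:>24} -> {'REFUSE' if should_refuse(name) else 'ok'}")
```

Point it at the CN and SAN values pulled from your own certificate store or proxy logs and the unqualified tally is the list of hosts your users can be silently impersonated on. Two caveats: names under private suffixes like `.local` pass this check but are not globally unique either, and the CA/Browser Forum Baseline Requirements later prohibited issuing public certificates for such internal names, so the tally mostly matters for older certificates and for private CAs that do not follow the Baseline Requirements.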