In the wake of the revelation that a major SSL certificate provider suffered a serious breach, Chris Palmer from the Electronic Frontier Foundation has an analysis of the common practice of issuing certificates for unqualified domain names, such as "mail", "www" and "localhost" (an unqualified domain is one that consists of a single word, without a top- and second-level domain, e.g., "www" instead of "www.boingboing.net"). These unqualified names should never be issued certificates: a certificate for a bare name like "mail" is valid for whatever host answers to "mail" on any network, so anyone who makes a practice of using such short names within a company network is vulnerable to man-in-the-middle attacks by whoever holds such a certificate. Palmer found tens of thousands of these certificates, and sounds the alarm that if you're not using fully qualified domains for secure connections, you're very vulnerable.
Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail"? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack! Everything would look normal: your browser would use HTTPS, it would show the lock icon that indicates HTTPS is working properly, it would show that a real CA validated the HTTPS certificate, and it would raise no security warnings. And yet, you would be giving your password and your email contents to the attacker.
Unqualified Names in the SSL Observatory
To test the prevalence of the validated, unqualified names problem, I queried the Observatory database for unqualified names similar to "exchange". (Microsoft Exchange is an extremely popular email server, and servers that run it commonly have "exchange" or "exch" in their names. Likely examples include "exchange.example.net" and "exch-01.example.com".) My results show that unqualified "exchange"-like names are the most popular type of name, overall, that CAs are happy to sign.
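To make the two points above concrete, here is an added example (not code from the EFF post or from the SSL Observatory): it audits a constructed list of certificate name sets for unqualified names, tags the "exchange"-like ones with a heuristic regex of my own, and then runs a simplified RFC 6125 hostname check to show why a certificate for "mail" satisfies a browser visiting https://mail/ with no warning. The sample rows, the `EXCHANGE_LIKE` pattern and the function names are all assumptions for illustration.

```python
"""Audit certificate names for unqualified host names and show why they
match a bare hostname such as https://mail/ (added example, not EFF code)."""
import re

# Constructed sample of (certificate id, DNS names from CN/SAN). These are
# made-up rows, not data from the EFF SSL Observatory.
SAMPLE_CERTS = [
    ("cert-001", ["mail.example.com", "www.example.com"]),
    ("cert-002", ["exchange", "exchange.example.net"]),
    ("cert-003", ["localhost"]),
    ("cert-004", ["exch-01", "autodiscover.example.com"]),
    ("cert-005", ["*.example.org"]),
    ("cert-006", ["webmail"]),
]

# Heuristic (my assumption, not the Observatory's query): labels that look
# like the hostname of a Microsoft Exchange server, e.g. "exchange", "exch-01".
EXCHANGE_LIKE = re.compile(r"^(exchange|exch)(?:[-_]?\d+)?$", re.IGNORECASE)


def is_unqualified(name: str) -> bool:
    """A DNS name is unqualified when it is a single label: no dot separating
    it from a second- and top-level domain (a trailing root dot is ignored)."""
    label = name.rstrip(".")
    return bool(label) and "." not in label


def audit_certs(certs):
    """Return [(cert_id, name, reason)] for every unqualified name found."""
    findings = []
    for cert_id, names in certs:
        for name in names:
            if not is_unqualified(name):
                continue
            if name.lower() == "localhost":
                reason = "localhost"
            elif EXCHANGE_LIKE.match(name):
                reason = "exchange-like"
            else:
                reason = "unqualified"
            findings.append((cert_id, name, reason))
    return findings


def matches_hostname(cert_names, host: str) -> bool:
    """Simplified RFC 6125 DNS-ID matching, as a browser does before showing
    the lock icon: labels compare exactly (case-insensitively), and '*' is
    accepted only as the whole leftmost label of a multi-label name."""
    host_labels = host.lower().rstrip(".").split(".")
    for name in cert_names:
        pattern_labels = name.lower().rstrip(".").split(".")
        if len(pattern_labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if "*" in pattern_labels[1:]:
            continue  # wildcard permitted only in the leftmost label
        if pattern_labels[0] == "*" and len(pattern_labels) < 2:
            continue  # a lone "*" is not a valid DNS-ID
        if all(p == "*" or p == h for p, h in zip(pattern_labels, host_labels)):
            return True
    return False


if __name__ == "__main__":
    for cert_id, name, reason in audit_certs(SAMPLE_CERTS):
        print(f"{cert_id}: {name!r} ({reason})")
    # The attack in the text: a user on a corporate LAN who types https://mail/
    # sends the host name "mail", and a CA-signed certificate for "mail" passes
    # the hostname check, so whoever holds that certificate can impersonate
    # the real server without any browser warning.
    print("cert for 'mail' matches https://mail/:",
          matches_hostname(["mail"], "mail"))
    print("cert for 'mail' matches https://mail.example.com/:",
          matches_hostname(["mail"], "mail.example.com"))
```

The audit step is what you would run over your own certificate inventory or a CT/Observatory export: any finding is a name that a CA should not have signed, and a fully qualified name for that host should be issued instead. The `matches_hostname` step is deliberately the browser's view: it has no way to tell which organisation's "mail" a bare-name certificate was meant for.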