In the wake of the revelation that a major SSL certificate provider suffered a serious breach
, Chris Palmer from the Electronic Frontier Foundation has analysis of the common practice of issuing certificates for unqualified domain names, such as "mail" and "www" and "localhost" (an unqualified domain is one that consists of a single word, without a top- and second-level domain, e.g., "www" instead of "www.boingboing.net"). These unqualified names should never
be issued certificates, as doing so leaves anyone who makes a practice of using them within a company network vulnerable to man-in-the-middle attacks. Palmer found tens of thousands of these certificates, and sounds the alarm that if you're not using fully qualified domains for secure connections, you're very vulnerable.
Although signing "localhost" is humorous, CAs create real risk when they sign other unqualified names. What if an attacker were able to receive a CA-signed certificate for names like "mail" or "webmail"? Such an attacker would be able to perfectly forge the identity of your organization's webmail server in a "man-in-the-middle" attack! Everything would look normal: your browser would use HTTPS, it would show a the lock icon that indicates HTTPS is working properly, it would show that a real CA validated the HTTPS certificate, and it would raise no security warnings. And yet, you would be giving your password and your email contents to the attacker.
Unqualified Names in the SSL Observatory
To test the prevalence of the validated, unqualified names problem, I queried the Observatory database for unqualified names similar to "exchange". (Microsoft Exchange is an extremely popular email server, and servers that run it commonly have "exchange" or "exch" in their names. Likely examples include "exchange.example.net" and "exch-01.example.com".) My results show that unqualified "exchange"-like names are the most popular type of name, overall, that CAs are happy to sign.
Larkin Jones is a hardcore Pokemon fan who loses money every year on his annual Pokemon PAX party; he makes up the shortfall from his wages managing a cafe. This year, Pokémon Company International sued him and told him that even though he’d cancelled this year’s party, they’d take everything he had unless he paid […]
With this year’s “ag-gag” law, Wyoming has made it a crime to gather evidence of agricultural wrongdoing, from illegal pollution to animal cruelty, even from public land — and also prohibits regulators from acting on information gathered in violation of the law.
Content-based App Store takedowns aren’t just for drone killing anymore: Apple’s also removed the Ifixit App, which offers you third-party manuals for fixing things you own, including your Apple products.
Power up your gadgets in the most unexpected places with the extremely compact SolarJuice battery pack. SolarJuice charges up at home like your average battery pack, but also lets you add extra juice on-the-go using its built-in solar panel—so you’ll never be left unplugged from the digital world.4.5 Stars on Amazon!Simultaneously charges 2 devices at […]
Hold your camera to higher standards with the brand-new iBlazr 2, the most advanced LED flash to date. Simply attach to your smartphone, tablet, or DSLR camera. Conveniently sized and wireless, this premium flash will let you easily take amazing photos in low light situations. It’s a literal snap to use: simply attach to your […]
Moment of truth: Is “Microsoft Office Expert” on your resume, but not totally accurate? This pay what you want bundle will not only help you brush up on old skills, but teach you advanced techniques that will impress your current and future boss. From intricate Excel formulas to Outlook organization hacks, you’ll not only boost […]