HTTPS certificates with forbidden domains issued by “quite a few” CAs

(credit: Ed Yourdon)

Browser-trusted certificate authority (CA) Comodo said it mistakenly issued transport layer security credentials for "mailarchive," "help," and at least five other forbidden names and warned that "quite a number" of unnamed competitors have committed similar violations.

The non-compliant certificates are forbidden under the baseline requirements enforced by the CA Browser Forum, an industry group of CAs and browser makers that establish rules CAs must follow for their digital certificates to be trusted in Chrome, Internet Explorer, and other major browsers. The rules forbid the issuance of certificates for internal names that aren't part of a valid Internet domain name or for a reserved IP address such as 192.168.1.1.

The rules are designed to prevent the issuance of certificates for names such as “exchange,” “mailserver,” “domain," or "localhost," which many operating systems and organizations use to designate internal servers or other resources. The regulations similarly bar certificates for public IP addresses reserved for routers or other internal resources inside a home or organization network. A CA-issued certificate for something as generic as "mailserver" or "192.168.1.1," for instance, could be used to spy on or impersonate any resource that used that name or IP address. The baseline requirements bar all CAs from issuing certificates with such internal names or IP addresses and expire after November 1, 2015.

Read 5 remaining paragraphs | Comments