Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Questionable EV cert - same cert used for about 50 different companies.

276 views
Skip to first unread message

John Nagle

unread,
Apr 20, 2012, 11:45:58 AM4/20/12
to mozilla-dev-s...@lists.mozilla.org
The cert returned by "https://www.adm.com" (Archer Daniels Midland),
has the list of over 50 alt names shown below.

The cert was issued by DigiCert High Assurance CA-3 to:

CN = ssl.cdngc.net
O = CDNetworks Inc.
L = San Jose
ST = California
C = US

That's under DigiCert High Assurance EV Root CA, which is under
GTE CyberTrust Global Root.

Serial number is 07:CC:C2:57:21:53:20:92:B8:69:8D:2E:96:8A:D3:FF.

It is an EV cert. OID 2.16.840.1.114412.1.1, in the Mozilla root
cert list at

http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsIdentityChecking.cpp.
Yet it doesn't have all the fields required
of an EV cert. It's not clear whether it's an EV cert or not.
EV and non-EV certs aren't supposed to be issued by the same root.

The long list of names does not include "www.adm.com", so Mozilla
rejects the cert. However, try one of the names below, such
as

https://www.mrporter.com
or https://www.gendcom.gendarmerie.interieur.gouv.fr

Yes, the French police are using a cert issued to a Korean content
network.

These sites return the same cert, and Mozilla accepts it for
those sites. Mozilla gives it a blue bar.

The actual subject of the cert is a content delivery network in Korea.

CDNetworks Co., LTD.
Handong Bldg 67F 8287YeoksamDong GangnamGu
Seoul, Seoul 135935
KR

What's going on here, and does it need to be stopped?

John Nagle
SiteTruth


Not Critical
DNS Name: ssl.cdngc.net
DNS Name: ssl.cdnetworks.net
DNS Name: ocsp.us.cdnetworks.com
DNS Name: cdn.shopify.com
DNS Name: cdn0.minted.com
DNS Name: login.remedyint.com
DNS Name: media.yoox.biz
DNS Name: radialpointsecure.cdnetworks.net
DNS Name: s1.quibidscdn.com
DNS Name: content.etilize.com
DNS Name: www.mrporter.com
..... List shortened to avoid problems with spam filter...
..... There are over 50 DNS names in this cert. ....
DNS Name: static.weibo.com
DNS Name: js.virginaustralia.com
DNS Name: img.virginaustralia.com
DNS Name: css.virginaustralia.com
DNS Name: netaporterll3.sslcs.cdngc.net
DNS Name: pad.cdn.codemasters.com

Eddy Nigg

unread,
Apr 20, 2012, 12:02:12 PM4/20/12
to mozilla-dev-s...@lists.mozilla.org
On 04/20/2012 06:45 PM, From John Nagle:
> Serial number is 07:CC:C2:57:21:53:20:92:B8:69:8D:2E:96:8A:D3:FF.
>
> It is an EV cert. OID 2.16.840.1.114412.1.1, in the Mozilla root
> cert list at

Just a short observation, the Digicert EV OID appears to be
2.16.840.1.114412.2.1 and not as stated above or in the certificate.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Erwann Abalea

unread,
Apr 20, 2012, 1:24:31 PM4/20/12
to mozilla-dev-s...@lists.mozilla.org
Le vendredi 20 avril 2012 17:45:58 UTC+2, John Nagle a écrit :
> The cert returned by "https://www.adm.com" (Archer Daniels Midland),
> has the list of over 50 alt names shown below.

I don't get the same certificate from France on this URL. What I get is a certificate for "*.pantherssl.com". Non-EV, but delivered by the EV intermediate CA.

> The cert was issued by DigiCert High Assurance CA-3 to:
>
> CN = ssl.cdngc.net
> O = CDNetworks Inc.
> L = San Jose
> ST = California
> C = US
>
> That's under DigiCert High Assurance EV Root CA, which is under
> GTE CyberTrust Global Root.
>
> Serial number is 07:CC:C2:57:21:53:20:92:B8:69:8D:2E:96:8A:D3:FF.
>
> It is an EV cert. OID 2.16.840.1.114412.1.1, in the Mozilla root
> cert list at

As Eddy noticed, this is not the EV OID declared for this root.

The chain goes up to 3 trust anchors:
- DigiCert High-Assurance EV Root CA (EV OID: 2.16.840.1.114412.2.1)
- Entrust.net Secure Server Certification Authority (no EV OID)
- GTE CyberTrust Global Root (no EV OID)

The policyId chaining is inconsistent also.

> https://www.mrporter.com
> or https://www.gendcom.gendarmerie.interieur.gouv.fr
>
> Yes, the French police are using a cert issued to a Korean content
> network.

It's a CDN. Maybe our Gendarmerie decided that their website receives a big enough audience to be served by a CDN ;)

John Nagle

unread,
Apr 20, 2012, 2:01:31 PM4/20/12
to mozilla-dev-s...@lists.mozilla.org
On 4/20/2012 10:52 AM, Ben Wilson wrote:

> As Eddy noticed, this is not the EV OID declared for this root.
>
> The chain goes up to 3 trust anchors:
> - DigiCert High-Assurance EV Root CA (EV OID: 2.16.840.1.114412.2.1)
> - Entrust.net Secure Server Certification Authority (no EV OID)
> - GTE CyberTrust Global Root (no EV OID)
>
> The policyId chaining is inconsistent also.
>
>> https://www.mrporter.com
>> or https://www.gendcom.gendarmerie.interieur.gouv.fr
>>
>> Yes, the French police are using a cert issued to a Korean content
>> network.
>
> It's a CDN. Maybe our Gendarmerie decided that their website receives a big
> enough audience to be served by a CDN ;)

Yes, it's a CDN, but is it appropriate to have one cert for fifty
different sites? It's an OV cert (not an EV cert, as I thought
previously) and it's supposed to indicate the party responsible for
the site, not some CDN.

John Nagle
SiteTruth

Erwann Abalea

unread,
Apr 20, 2012, 3:00:18 PM4/20/12
to mozilla-dev-s...@lists.mozilla.org
Le vendredi 20 avril 2012 20:01:31 UTC+2, John Nagle a écrit :
> On 4/20/2012 10:52 AM, Ben Wilson wrote:
>
> > As Eddy noticed, this is not the EV OID declared for this root.
> >
> > The chain goes up to 3 trust anchors:
> > - DigiCert High-Assurance EV Root CA (EV OID: 2.16.840.1.114412.2.1)
> > - Entrust.net Secure Server Certification Authority (no EV OID)
> > - GTE CyberTrust Global Root (no EV OID)
> >
> > The policyId chaining is inconsistent also.
> >
> >> https://www.mrporter.com
> >> or https://www.gendcom.gendarmerie.interieur.gouv.fr
> >>
> >> Yes, the French police are using a cert issued to a Korean content
> >> network.
> >
> > It's a CDN. Maybe our Gendarmerie decided that their website receives a big
> > enough audience to be served by a CDN ;)
>
> Yes, it's a CDN, but is it appropriate to have one cert for fifty
> different sites?

That's common. Those things also happen with shared hosting.

> It's an OV cert (not an EV cert, as I thought
> previously) and it's supposed to indicate the party responsible for
> the site, not some CDN.

The certificate has been delivered to the entity named "CDNetworks Inc.". If it's an OV, then DigiCert must have received a document from the holder of each of these domains telling that "CDNetworks Inc." has the right to have a certificate for the FQDN asked.
I see nothing wrong here.

Paul Tiemann

unread,
Apr 20, 2012, 3:46:12 PM4/20/12
to Erwann Abalea, mozilla-dev-s...@lists.mozilla.org
On Apr 20, 2012, at 1:00 PM, Erwann Abalea wrote:

> Le vendredi 20 avril 2012 20:01:31 UTC+2, John Nagle a écrit :
>> On 4/20/2012 10:52 AM, Ben Wilson wrote:
>>
>>>
>>> It's a CDN. Maybe our Gendarmerie decided that their website receives a big
>>> enough audience to be served by a CDN ;)
>>
>> Yes, it's a CDN, but is it appropriate to have one cert for fifty
>> different sites?
>
> That's common. Those things also happen with shared hosting.
>
>> It's an OV cert (not an EV cert, as I thought
>> previously) and it's supposed to indicate the party responsible for
>> the site, not some CDN.
>
> The certificate has been delivered to the entity named "CDNetworks Inc.". If it's an OV, then DigiCert must have received a document from the holder of each of these domains telling that "CDNetworks Inc." has the right to have a certificate for the FQDN asked.
> I see nothing wrong here.

I can confirm we receive permission from each domain holder to include their FQDN in these certificates. DigiCert so far only provides OV and EV certificates, so we have to include the operator in the O. The alternative would be to leave nothing in the O field--and you may find such multi-tenant certs out there as well, but I think it is better to at least identify the company operating the CDN.

If there were zero compatibility problems with SNI (Server Name Indication) then CDNs would be able to host multiple unique OV certificates on a single IP address -- the only other solution is to assign one IP address to each site, but that path is also unfriendly since the internet is out of ipv4 space.

Paul Tiemann
CTO, DigiCert

Kyle Hamilton

unread,
Apr 20, 2012, 6:05:18 PM4/20/12
to John Nagle, mozilla-dev-s...@lists.mozilla.org
My view is that the certificate should lead you to where you can find information about the site, as it's only necessary to know precisely who runs it if there's a legal dispute, and only so you can drag them to court.

That said, I am not exactly happy that this French state agency seems to be relying on treaties with foreign nations to be able to contract with a Korean content delivery network provider. But... if a state agency has done its risk assessment (and we must presume that they have), is willing to accept the risks, and their citizens are willing to let them, who are we individual extraterritorial non-subjects to argue?

-Kyle H

On Fri, Apr 20, 2012 at 11:01 AM, John Nagle <na...@sitetruth.com> wrote:
> On 4/20/2012 10:52 AM, Ben Wilson wrote:
>
>> As Eddy noticed, this is not the EV OID declared for this root.
>>
>> The chain goes up to 3 trust anchors:
>>  - DigiCert High-Assurance EV Root CA (EV OID: 2.16.840.1.114412.2.1)
>>  - Entrust.net Secure Server Certification Authority (no EV OID)
>>  - GTE CyberTrust Global Root (no EV OID)
>>
>> The policyId chaining is inconsistent also.
>>
>>>        https://www.mrporter.com
>>> or      https://www.gendcom.gendarmerie.interieur.gouv.fr
>>>
>>> Yes, the French police are using a cert issued to a Korean content
>>> network.
>>
>>
>> It's a CDN. Maybe our Gendarmerie decided that their website receives a
>> big
>> enough audience to be served by a CDN ;)
>
>
>   Yes, it's a CDN, but is it appropriate to have one cert for fifty
> different sites?  It's an OV cert (not an EV cert, as I thought
> previously) and it's supposed to indicate the party responsible for
> the site, not some CDN.
>
>                                John Nagle
>                                SiteTruth
>
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

John Nagle

unread,
Apr 21, 2012, 1:59:53 PM4/21/12
to mozilla-dev-s...@lists.mozilla.org
In this case, each of those domains has a unique IP address, so
the IPv4 address space shortage is not the issue. There was no
technical reason to issue such a certificate.

Issuing a cert which names an organization other than the one
which owns the web site seems incorrect. The whole point
of having OV and EV certs is to identify the party you're dealing
with, not some hosting service in the middle.

The CA/Browser Forum proposed standard says, at 11.2.1 Identity,
"If the Subject Identity Information is to include the name or address
of an organization, the CA SHALL verify the identity and address of the
organization and that the address is the Applicant’s address of
existence or operation." While a CA may try to interpret that as
allowing the issuance of certs in the name of a proxy CDN service,
I would suggest that Mozilla's auditors not accept that interpretation.
We don't want to allow the creation of a "proxy cert" industry,
similar to the mess associated with "private domain registration".

A cert like this allows a form of MITM attack. Any site with
that cert can impersonate any other site with that cert. That's
not good, especially when the organizations are totally unrelated
and spread across three continents.

I'm trying to find out how widespread a problem this is.
The Certificate Observatory database, which is publicly available
on Amazon's Elastic Cloud, has the necessary information. More
on this later.

John Nagle
SiteTruth

Erwann Abalea

unread,
Apr 21, 2012, 4:52:07 PM4/21/12
to mozilla-dev-s...@lists.mozilla.org
Le samedi 21 avril 2012 19:59:53 UTC+2, John Nagle a écrit :
> In this case, each of those domains has a unique IP address, so
> the IPv4 address space shortage is not the issue. There was no
> technical reason to issue such a certificate.

This is not a valid reason to *not* issue it.

[...]
> I'm trying to find out how widespread a problem this is.
> The Certificate Observatory database, which is publicly available
> on Amazon's Elastic Cloud, has the necessary information. More
> on this later.

We all know the result. This kind of certificate is really widespread. It started when shared hosting began to rise, and continued because SNI wasn't widely supported (it's still not supported on some non negligible platforms).

Paul Tiemann

unread,
Apr 21, 2012, 10:26:32 PM4/21/12
to John Nagle, mozilla-dev-s...@lists.mozilla.org
On Apr 21, 2012, at 11:59 AM, John Nagle wrote:

> On 4/20/2012 12:46 PM, Paul Tiemann wrote:
> Issuing a cert which names an organization other than the one
> which owns the web site seems incorrect.

It's pretty common though -- OV CAs request a "Domain Authorization Letter" from the domain owner when the Organization to be listed in the certificate does not own the domain.

> The whole point
> of having OV and EV certs is to identify the party you're dealing
> with, not some hosting service in the middle.

Other people would prefer to know who is operating the site. If Mozilla were to use a 3rd party CDN, would you prefer to see O=Mozilla in the certificate that the CDN controls, or O=CDN Company? In such a case, to see O=Mozilla would make you believe that Mozilla itself was the only party on the other side of the SSL connection, but that would be innacurate.

> The CA/Browser Forum proposed standard says, at 11.2.1 Identity,
> "If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant’s address of
> existence or operation." While a CA may try to interpret that as
> allowing the issuance of certs in the name of a proxy CDN service,
> I would suggest that Mozilla's auditors not accept that interpretation.
> We don't want to allow the creation of a "proxy cert" industry,
> similar to the mess associated with "private domain registration".

You seem to be arguing that multi-domain certificates should be DV only -- but to my mind that's not an improvement.

> A cert like this allows a form of MITM attack. Any site with
> that cert can impersonate any other site with that cert. That's
> not good, especially when the organizations are totally unrelated
> and spread across three continents.

The CDN is the only holder of the private key in these scenarios.

> I'm trying to find out how widespread a problem this is.
> The Certificate Observatory database, which is publicly available
> on Amazon's Elastic Cloud, has the necessary information. More
> on this later.

It's a common practice. We had a thread here a year or so ago that might be helpful. The subject of the thread was "112 SANs from different owners in a single OV certificate?"

Paul Tiemann
CTO, DigiCert

Jan Schejbal

unread,
Apr 21, 2012, 11:39:28 PM4/21/12
to mozilla-dev-s...@lists.mozilla.org
Am 2012-04-21 19:59, schrieb John Nagle:
> A cert like this allows a form of MITM attack. Any site with
> that cert can impersonate any other site with that cert. That's
> not good, especially when the organizations are totally unrelated
> and spread across three continents.

Even if each site used its own cert, the CDN would still have all of
them, so it could still impersonate. Thus, I don't see any big problem here.

The organizations are not "totally unrelated" - their sites are being
delivered by the same server(s).

Kind regards,
Jan

--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...

ianG

unread,
Apr 22, 2012, 6:06:19 AM4/22/12
to dev-secur...@lists.mozilla.org
On 21/04/12 04:01 AM, John Nagle wrote:

> Yes, it's a CDN, but is it appropriate to have one cert for fifty
> different sites? It's an OV cert (not an EV cert, as I thought
> previously) and it's supposed to indicate the party responsible for
> the site, not some CDN.


It indicates "ownership or control". This is the technical standard
that the industry uses to implement their "identity" meta goal.

In this case, the owner has outsourced the control of the domain to the
CDN. So the CDN has control of the domain at least for certificate
purposes, and the content.

Welcome to the industry :)

iang


> John Nagle
> SiteTruth

John Nagle

unread,
Apr 19, 2012, 7:33:24 PM4/19/12
to mozilla-dev-s...@lists.mozilla.org
The cert returned by "https://www.adm.com" (Archer Daniels Midland),
has the list of alt names shown below.

The cert was issued by DigiCert High Assurance CA-3 to:

CN = ssl.cdngc.net
O = CDNetworks Inc.
L = San Jose
ST = California
C = US

That's under DigiCert High Assurance EV Root CA, which is under
GTE CyberTrust Global Root.

Serial number is 07:CC:C2:57:21:53:20:92:B8:69:8D:2E:96:8A:D3:FF.

It is an EV cert. OID 2.16.840.1.114412.1.1, in the Mozilla root
cert list at

http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsIdentityChecking.cpp.
Yet it doesn't have all the fields required
of an EV cert. It's not clear whether it's an EV cert or not.
EV and non-EV certs aren't supposed to be issued by the same root.

The long list of names does not include "www.adm.com", so Mozilla
rejects the cert. However, try one of the names below, such
as

https://www.mrporter.com
or https://www.gendcom.gendarmerie.interieur.gouv.fr

Yes, the French police are using a cert issued to a Korean content
network.

These sites return the same cert, and Mozilla accepts it for
those sites. Mozilla gives it a blue bar.

The actual subject of the cert is a content delivery network in Korea.

CDNetworks Co., LTD.
Handong Bldg 67F 8287YeoksamDong GangnamGu
Seoul, Seoul 135935
KR

What's going on here, and does it need to be stopped?

John Nagle
SiteTruth


Not Critical
DNS Name: ssl.cdngc.net
DNS Name: ssl.cdnetworks.net
DNS Name: ocsp.us.cdnetworks.com
DNS Name: cdn.shopify.com
DNS Name: cdn0.minted.com
DNS Name: login.remedyint.com
DNS Name: media.yoox.biz
DNS Name: radialpointsecure.cdnetworks.net
DNS Name: s1.quibidscdn.com
DNS Name: content.etilize.com
DNS Name: www.mrporter.com
DNS Name: www0.alibris-static.com
DNS Name: www1.alibris-static.com
DNS Name: www2.alibris-static.com
DNS Name: www3.alibris-static.com
DNS Name: www4.alibris-static.com
DNS Name: www5.alibris-static.com
DNS Name: www6.alibris-static.com
DNS Name: www7.alibris-static.com
DNS Name: www8.alibris-static.com
DNS Name: www9.alibris-static.com
DNS Name: neofussvr.sslcs.cdngc.net
DNS Name: neofusstgsvr.sslcs.cdngc.net
DNS Name: s5.boxcdn.net
DNS Name: creativegallery.axa.com
DNS Name: cube.quibidscdn.com
DNS Name: www.net-a-porter.com
DNS Name: d.unanimis.co.uk
DNS Name: www.samsunglfd.com
DNS Name: cdns.dv1.jalan.jp
DNS Name: cdns.jalan.jp
DNS Name: api.t.sina.com.cn
DNS Name: api.weibo.com
DNS Name: cn.meirongwaike.jp
DNS Name: cdn.casharena.com
DNS Name: cdn.mypypeline.com
DNS Name: simg.gpotato.eu
DNS Name: static.gpotato.eu
DNS Name: sn.infinittna.com.cdnetworks.com
DNS Name: sn.infinittna.com.cdnetworks.com.cdngc.net
DNS Name: pacs.inglewoodimaging.com.cdngc.net
DNS Name: www.ricoh.com
DNS Name: www.baroque-global.com
DNS Name: nlcn.cdncd.neulion.com
DNS Name: live-secure.brainsonic.com
DNS Name: live2.brainsonic.com
DNS Name: images.alibris.com
DNS Name: cloud-live-pad.brainsonic.com
DNS Name: www.puhua-meirong.com
DNS Name: cn.forexct.com
DNS Name: pad20-edf.brainsonic.com
DNS Name: pad20-edf-en.brainsonic.com
DNS Name: pad20-edfwebradio.brainsonic.com
DNS Name: pad20-edf-services.brainsonic.com
DNS Name: www.forexct.com
DNS Name: www.netmarble.com
DNS Name: cdn.benaughty.com
DNS Name: cdn.cupid.com
DNS Name: cdn.pictimgs.com
DNS Name: hns.toyota-digital.com
DNS Name: snr.toyota-digital.com
DNS Name: dev-preprod-front-ssl.pad.brainsonic.com
DNS Name: dev-preprod-services-ssl.pad.brainsonic.com
DNS Name: carrefour.cdn.e-merchant.com
DNS Name: apis.staging.sharethrough.com
DNS Name: apis.sharethrough.com
DNS Name: apps.nero.com
DNS Name: c.unanimis.co.uk
DNS Name: upload.api.weibo.com
DNS Name: pathe-front.pad.brainsonic.com
DNS Name: www.perche.co.kr
DNS Name: www.assaabloy.com
DNS Name: img.tinierme.com
DNS Name: www.gendcom.gendarmerie.interieur.gouv.fr
DNS Name: bill.netmarble.com
DNS Name: uwo.netmarble.com
DNS Name: cdn.stat.to.cupidplc.com
DNS Name: res-hawk.baseballheroes.com
DNS Name: a.unanimis.co.uk
DNS Name: ssl-a.unanimis.co.uk
DNS Name: cachesafeverification.ll.eurogrand.com
DNS Name: cdnperf.cdnetworks.net
DNS Name: en.avaaz.org
DNS Name: cdn.vendocdn.com
DNS Name: cdn1.vendocdn.com
DNS Name: files.adform.net
DNS Name: ii.alatest.com
0 new messages