Bad characters in dNSNames

[Rob Stradling]

At Jonathan's suggestion, I've used the crt.sh DB to produce this report
of certs that have SAN:dNSName(s) that contain non-permitted characters:

https://docs.google.com/spreadsheets/d/1IACTYMDXcdz4DoMKxkHfePfb5mv2XN68BcB7p6acTqg/edit?usp=sharing

I've only looked at certs for which there's a chain up to a root trusted
by Mozilla, and I've only looked at certs with notBefore dates after 1st
November 2015 (so there's no chance that any of these are "legitimate"
internal server names, per the BRs).

The characters I've treated as permitted are:
A-Z
a-z
0-9
-_.*

So that Symantec's "redacted" precertificates didn't make up 99%+ of the
report, I've also permitted dNSNames to begin with 0 or more instances
of "?.".

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

[Kurt Roeckx]

On 2017-07-26 12:21, Rob Stradling wrote:
> At Jonathan's suggestion, I've used the crt.sh DB to produce this report
> of certs that have SAN:dNSName(s) that contain non-permitted characters:

The report says "CN or dNSName". It's my understanding that in the CN
you can have international characters but that in the SAN you can't. Can
you clarify that it's really only the SAN that you checked?


Kurt

[Rob Stradling]

On 26/07/17 11:44, Kurt Roeckx via dev-security-policy wrote:
> On 2017-07-26 12:21, Rob Stradling wrote:

>> At Jonathan's suggestion, I've used the crt.sh DB to produce this
>> report of certs that have SAN:dNSName(s) that contain non-permitted
>> characters:
>

> The report says "CN or dNSName". It's my understanding that in the CN
> you can have international characters but that in the SAN you can't. Can
> you clarify that it's really only the SAN that you checked?

It's really only the SAN I checked. I've updated that heading in the
report.

Thanks.

[Gervase Markham]

Hi Rob,

On 26/07/17 11:21, Rob Stradling wrote:
> https://docs.google.com/spreadsheets/d/1IACTYMDXcdz4DoMKxkHfePfb5mv2XN68BcB7p6acTqg/edit?usp=sharing

Thanks for this. Any chance of saving me a bit of time by
cross-referencing each line with the "CA owner" from the CCADB? If
that's too much work, no problem, let me know and I can do it myself by
hand.

Gerv

[Rob Stradling]

Hi Gerv. I've just added the "CA Owner" field to both tabs on this
spreadsheet. See also https://misissued.com/batch/3/, which reports on
the same set of certificates.

BTW, I've just asked Alex to look at adding the "CA Owner" field to the
misissued.com reports. :-)

[Jonathan Rudenberg]

> On Aug 16, 2017, at 11:37, Amus via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
>
> What's wrong with the two Well's Fargo certs? I don't see any invalid characters in them.

https://crt.sh/?opt=cablint&id=19558707
https://crt.sh/?opt=cablint&id=11382596

Both have trailing spaces in one of the dnsNames: "ceomobilefix.wf.com “ and "ceomobile.wf.com “

Note that they are also expired.

[Amus]

What's wrong with the two Well's Fargo certs? I don't see any invalid characters in them.

[alex....@gmail.com]

On Wednesday, August 16, 2017 at 11:22:01 AM UTC-4, Rob Stradling wrote:
> BTW, I've just asked Alex to look at adding the "CA Owner" field to the
> misissued.com reports. :-)
>

It does this now :-)

Cheers,
Alex

[Rob Stradling]

On 16/08/17 22:57, alex.gaynor--- via dev-security-policy wrote:
> On Wednesday, August 16, 2017 at 11:22:01 AM UTC-4, Rob Stradling wrote:

>> BTW, I've just asked Alex to look at adding the "CA Owner" field to the
>> misissued.com reports. :-)
>

> It does this now :-)

Excellent. Thanks Alex. :-)