info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Verisign signed speedport.ip ?
146 views
Skip to first unread message
Lewis Resmond
Dec 9, 2017, 2:42:09 PM12/9/17
to mozilla-dev-s...@lists.mozilla.org
Hello,
I was researching about some older routers by Telekom, and I found out that some of them had SSL certificates for their (LAN) configuration interface, issued by Verisign for the fake-domain "speedport.ip".
They (all?) are logged here: https://crt.sh/?q=speedport.ip
I wonder, since this domain and even the TLD is non-existing, how could Verisign sign these? Isn't this violating the rules, if they sign anything just because a router factory tells them to do so?
Although they are all expired since several years, I am interested how this could happen, and if such incidents of signing non-existing domains could still happen today.
I was researching about some older routers by Telekom, and I found out that some of them had SSL certificates for their (LAN) configuration interface, issued by Verisign for the fake-domain "speedport.ip".
They (all?) are logged here: https://crt.sh/?q=speedport.ip
I wonder, since this domain and even the TLD is non-existing, how could Verisign sign these? Isn't this violating the rules, if they sign anything just because a router factory tells them to do so?
Although they are all expired since several years, I am interested how this could happen, and if such incidents of signing non-existing domains could still happen today.
Patrick Figel
Dec 9, 2017, 2:49:24 PM12/9/17
to dev-secur...@lists.mozilla.org
Until November 11, 2015, publicly-trusted CAs were allowed to issue
certificates for internal names and reserved IP addresses. All
certificates of this nature had to be revoked by October 1, 2016.
More details here: https://cabforum.org/internal-names/
Patrick
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
certificates for internal names and reserved IP addresses. All
certificates of this nature had to be revoked by October 1, 2016.
More details here: https://cabforum.org/internal-names/
Patrick
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
Peter Bowen
Dec 9, 2017, 2:52:21 PM12/9/17
to Lewis Resmond, mozilla-dev-s...@lists.mozilla.org
On Sat, Dec 9, 2017 at 11:42 AM, Lewis Resmond via dev-security-policy
<dev-secur...@lists.mozilla.org> wrote:
> I was researching about some older routers by Telekom, and I found out that some of them had SSL certificates for their (LAN) configuration interface, issued by Verisign for the fake-domain "speedport.ip".
>
> They (all?) are logged here: https://crt.sh/?q=speedport.ip
>
> I wonder, since this domain and even the TLD is non-existing, how could Verisign sign these? Isn't this violating the rules, if they sign anything just because a router factory tells them to do so?
>
> Although they are all expired since several years, I am interested how this could happen, and if such incidents of signing non-existing domains could still happen today.
Before the CA/Browser Forum Baseline Requirements were created, this
<dev-secur...@lists.mozilla.org> wrote:
> I was researching about some older routers by Telekom, and I found out that some of them had SSL certificates for their (LAN) configuration interface, issued by Verisign for the fake-domain "speedport.ip".
>
> They (all?) are logged here: https://crt.sh/?q=speedport.ip
>
> I wonder, since this domain and even the TLD is non-existing, how could Verisign sign these? Isn't this violating the rules, if they sign anything just because a router factory tells them to do so?
>
> Although they are all expired since several years, I am interested how this could happen, and if such incidents of signing non-existing domains could still happen today.
was not explicitly forbidden. Since approximately July 1, 2012 no new
certificates have been allowed for unqualified names or names for
which the TLD does not exist in the IANA root zone.
So, to answer your questions:
Q: How could Verisign sign these?
A: These were all issued prior to the Baseline Requirements coming into effect
Q: Could [...] such incidents of signing non-existing domains could
still happen today?
A: Not like this. All Domain Names in certificates now must be Fully
Qualified Domains and the CA must validate that the FQDN falls in a
valid namespace. It is allowable for me to get a certificate for
nonexistent.home.peterbowen.org, even though that FQDN does not exist,
as I am the registrant of peterbowen.org.
Thanks,
Peter
0 new messages