
Concerns with GlobalSign IP address validation


i...@ian.sh

Aug 7, 2020, 11:37:29 PM
to mozilla-dev-s...@lists.mozilla.org
Hi there,

When purchasing a GlobalSign OV IP address certificate, I was presented with several options to validate the certificate using email addresses that had an incorrectly truncated IP address, treating it similarly to a DNS name, which is not correct. As an example, GlobalSign would provide "ad...@2.3.4" and "admin@3.4" as options for the IPv4 address "ad...@1.2.3.4" -- which are (because of IPv4 notation) really 2.3.0.4 and 3.0.0.4, respectively, and not even under the same CIDR (not that it would make that valid anyway).

To test this, I obtained an IP address with a zero from Google Cloud (34.94.0.97) and then requested a certificate for 44.34.94.97 (part of 44net, which seems largely unused), which becomes 34.94.97 after truncation and thus my server's IP.

GlobalSign returned an error message when I chose the plainly invalid address "ad...@34.94.97", which is why I'm not worried about posting this here, but it seems worthy of further investigation into why GlobalSign presents these email addresses as options, whether validation agents are trained to manually accept emails from these addresses (such as being shown them in internal systems), whether they have issued any past certificates using invalid verification methods, etc.

Thanks,
Ian Carroll
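A worked illustration of the parsing point in the post above. This is an added example, not code from the thread or from GlobalSign. It reproduces the classic BSD inet_aton() rules under which "2.3.4" is 2.3.0.4 and "34.94.97" is 34.94.0.97, shows the strict four-octet check a validation system should apply before treating a string as an IP address, and models the "strip the leftmost label" step that a DNS-name validator uses to offer parent-domain mailboxes. That last part is an assumption about how the constructed-email options were derived; the thread only shows the two candidates "2.3.4" and "3.4" for "1.2.3.4".

```python
"""Why "admin@2.3.4" is not a mailbox "under" 1.2.3.4.

Added example for the thread above; not code from the post or from GlobalSign.
The label-stripping model in dns_style_parent_hosts() is an assumption.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# One inet_aton() component: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")
# One strict decimal octet: no sign, no leading zero, ASCII digits only.
_OCTET = re.compile(r"^(?:0|[1-9][0-9]{0,2})$")


def _parse_part(part: str) -> Optional[int]:
    if not _PART.match(part):
        return None
    if part[:2].lower() == "0x":
        return int(part, 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def inet_aton_lenient(text: str) -> Optional[str]:
    """Parse like BSD inet_aton(): 1 to 4 dot-separated parts, where the
    last part fills all remaining low-order bytes ("2.3.4" -> 2.3.0.4,
    "3.4" -> 3.0.0.4). Returns the canonical dotted quad, or None when
    the text is not an address at all."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head):
        return None
    remaining_bytes = 4 - len(head)          # bytes covered by the last part
    if last >= 1 << (8 * remaining_bytes):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * remaining_bytes)) | last
    return str(ipaddress.IPv4Address(number))


def is_strict_dotted_quad(text: str) -> bool:
    """Accept only a.b.c.d with four decimal octets and no leading zeros;
    this is the form a CA should require before treating text as an IP."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    return all(_OCTET.match(p) and int(p) <= 255 for p in parts)


def dns_style_parent_hosts(host: str) -> List[str]:
    """Strip the leftmost label while at least two labels remain, as a
    DNS-name validator does to offer parent-domain mailboxes.
    Assumption: this is how the thread's "2.3.4" / "3.4" options arose."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]


def audit_constructed_emails(
    ip: str, local_part: str = "admin"
) -> List[Tuple[str, Optional[str], bool]]:
    """For each parent-host candidate of an IP, report the mailbox that
    would be offered, the host inet_aton() would actually deliver it to,
    and whether the candidate even passes the strict check."""
    return [
        (f"{local_part}@{h}", inet_aton_lenient(h), is_strict_dotted_quad(h))
        for h in dns_style_parent_hosts(ip)
    ]


if __name__ == "__main__":
    for ip in ("1.2.3.4", "44.34.94.97"):
        print(ip)
        for mailbox, delivered_to, strict_ok in audit_constructed_emails(ip):
            print(f"  {mailbox:<18} -> host {delivered_to}  strict-valid={strict_ok}")
```

Run as a script it prints, for 44.34.94.97, that "admin@34.94.97" would be delivered to 34.94.0.97 (the Google Cloud address in the post) and that the candidate fails the strict check; a validation pipeline that applies `is_strict_dotted_quad` to every derived identifier before offering it, rather than only rejecting at send time, never shows such options in the first place.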

Doug Beattie

Aug 10, 2020, 6:30:40 AM
to i...@ian.sh, mozilla-dev-s...@lists.mozilla.org
Hi Ian,

Thanks, we're looking into this.

Doug
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Doug Beattie

Aug 10, 2020, 11:55:29 AM
to i...@ian.sh, mozilla-dev-s...@lists.mozilla.org

Hi Ian,

Thanks for pointing this out to us. We looked at all orders issued since new domain validation logic was rolled out in late May 2020 and we verified that no attempt was made to validate an IP address using a constructed email address. Even if this was selected, the sending of that email would fail. We'll update the page shortly to address this UI bug to avoid customer confusion.

Regards,