Bad characters in dNSNames


Rob Stradling

Jul 26, 2017, 6:22:22 AM7/26/17
to dev-secur...@lists.mozilla.org, Jonathan Rudenberg
At Jonathan's suggestion, I've used the crt.sh DB to produce this report
of certs that have SAN:dNSName(s) that contain non-permitted characters:

https://docs.google.com/spreadsheets/d/1IACTYMDXcdz4DoMKxkHfePfb5mv2XN68BcB7p6acTqg/edit?usp=sharing

I've only looked at certs for which there's a chain up to a root trusted
by Mozilla, and I've only looked at certs with notBefore dates after 1st
November 2015 (so there's no chance that any of these are "legitimate"
internal server names, per the BRs).

The characters I've treated as permitted are:
A-Z
a-z
0-9
-_.*

So that Symantec's "redacted" precertificates didn't make up 99%+ of the
report, I've also permitted dNSNames to begin with 0 or more instances
of "?.".

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Kurt Roeckx

Jul 26, 2017, 6:45:14 AM7/26/17
to mozilla-dev-s...@lists.mozilla.org
On 2017-07-26 12:21, Rob Stradling wrote:
> At Jonathan's suggestion, I've used the crt.sh DB to produce this report
> of certs that have SAN:dNSName(s) that contain non-permitted characters:

The report says "CN or dNSName". It's my understanding that in the CN
you can have international characters but that in the SAN you can't. Can
you clarify that it's really only the SAN that you checked?


Kurt

Rob Stradling

Jul 26, 2017, 6:50:30 AM7/26/17
to Kurt Roeckx, mozilla-dev-s...@lists.mozilla.org
On 26/07/17 11:44, Kurt Roeckx via dev-security-policy wrote:
> On 2017-07-26 12:21, Rob Stradling wrote:
>> At Jonathan's suggestion, I've used the crt.sh DB to produce this
>> report of certs that have SAN:dNSName(s) that contain non-permitted
>> characters:
>
> The report says "CN or dNSName". It's my understanding that in the CN
> you can have international characters but that in the SAN you can't. Can
> you clarify that it's really only the SAN that you checked?

It's really only the SAN I checked. I've updated that heading in the
report.

Thanks.

Gervase Markham

Aug 15, 2017, 8:29:41 AM8/15/17
to mozilla-dev-s...@lists.mozilla.org
Hi Rob,

On 26/07/17 11:21, Rob Stradling wrote:
> https://docs.google.com/spreadsheets/d/1IACTYMDXcdz4DoMKxkHfePfb5mv2XN68BcB7p6acTqg/edit?usp=sharing

Thanks for this. Any chance of saving me a bit of time by
cross-referencing each line with the "CA owner" from the CCADB? If
that's too much work, no problem, let me know and I can do it myself by
hand.

Gerv

Rob Stradling

Aug 16, 2017, 11:22:01 AM8/16/17
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org, Alex Gaynor
Hi Gerv. I've just added the "CA Owner" field to both tabs on this
spreadsheet. See also https://misissued.com/batch/3/, which reports on
the same set of certificates.

BTW, I've just asked Alex to look at adding the "CA Owner" field to the
misissued.com reports. :-)

Jonathan Rudenberg

Aug 16, 2017, 11:42:53 AM8/16/17
to Amus, mozilla-dev-s...@lists.mozilla.org

> On Aug 16, 2017, at 11:37, Amus via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
>
> What's wrong with the two Wells Fargo certs? I don't see any invalid characters in them.

https://crt.sh/?opt=cablint&id=19558707
https://crt.sh/?opt=cablint&id=11382596

Both have trailing spaces in one of the dnsNames: "ceomobilefix.wf.com " and "ceomobile.wf.com ".

Note that they are also expired.
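The character-set rule Rob describes in the first message, together with the trailing-space case Jonathan points at here, as an added example that is not part of the thread and is not crt.sh or misissued.com code: a stdlib-only Python checker that applies the permitted set (A-Z, a-z, 0-9, "-_.*") with the "?." redaction prefix tolerated, and prints offenders with repr() and code points so that a trailing space cannot hide. It takes dNSName strings as input (extracting them from the DER SAN extension is left to whatever X.509 parser you already use), and the sample names are constructed for this example, not taken from the Wells Fargo certificates.

```python
import string
from typing import Dict, Iterable, List, Tuple

# Characters the report treats as permitted in a SAN:dNSName:
# A-Z, a-z, 0-9 and the four symbols "-_.*".
PERMITTED = frozenset(string.ascii_letters + string.digits + "-_.*")

# Symantec's redacted precertificates replace leading labels with "?.", so the
# report tolerates zero or more "?." labels at the start of a name (nowhere else).
REDACTION_LABEL = "?."


def strip_redaction_prefix(name: str) -> Tuple[int, str]:
    """Return (characters skipped, remainder) after any leading "?." labels."""
    skipped = 0
    while name.startswith(REDACTION_LABEL, skipped):
        skipped += len(REDACTION_LABEL)
    return skipped, name[skipped:]


def non_permitted_chars(name: str) -> List[Tuple[int, str]]:
    """List (offset, character) for every character the report would flag."""
    skipped, rest = strip_redaction_prefix(name)
    return [(skipped + i, ch) for i, ch in enumerate(rest) if ch not in PERMITTED]


def check_dnsnames(names: Iterable[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each offending dNSName to its findings; clean names are omitted."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for name in names:
        findings = non_permitted_chars(name)
        if findings:
            report[name] = findings
    return report


def describe(name: str, findings: List[Tuple[int, str]]) -> str:
    """Render a finding so that an invisible character such as a trailing
    space is unmistakable: the name is shown via repr() and each offender
    as a Unicode code point."""
    detail = ", ".join(f"offset {i}: U+{ord(ch):04X} {ch!r}" for i, ch in findings)
    return f"{name!r}: {detail}"


# Constructed sample dNSNames (not taken from any real certificate) covering
# the cases the thread discusses.
SAMPLE_DNSNAMES = [
    "www.example.com",          # clean
    "*.example.com",            # wildcard label; '*' is in the permitted set
    "?.?.example.com",          # redacted precertificate prefix, tolerated
    "ceomobile.example.com ",   # trailing space, invisible in most viewers
    "bücher.example.com",       # non-ASCII: a SAN needs the IDNA A-label form
    "example.com/login",        # path separator
    "a.example.com?.b",         # "?." is only tolerated as a leading prefix
]


if __name__ == "__main__":
    for name, findings in check_dnsnames(SAMPLE_DNSNAMES).items():
        print(describe(name, findings))
```

Printing names through repr() is what resolves the "I don't see any invalid characters" confusion: a viewer that strips or hides whitespace shows `ceomobile.example.com` and `ceomobile.example.com ` identically. Note that this is purely the character-class filter from the report; it says nothing about label structure, wildcard placement or whether a non-ASCII name should have been encoded as an A-label.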

Amus

Aug 16, 2017, 11:43:41 AM8/16/17
to mozilla-dev-s...@lists.mozilla.org
What's wrong with the two Wells Fargo certs? I don't see any invalid characters in them.

alex....@gmail.com

Aug 16, 2017, 5:57:49 PM8/16/17
to mozilla-dev-s...@lists.mozilla.org
On Wednesday, August 16, 2017 at 11:22:01 AM UTC-4, Rob Stradling wrote:
> BTW, I've just asked Alex to look at adding the "CA Owner" field to the
> misissued.com reports. :-)
>

It does this now :-)

Cheers,
Alex

Rob Stradling

Aug 17, 2017, 5:21:31 AM8/17/17
to alex....@gmail.com, mozilla-dev-s...@lists.mozilla.org
On 16/08/17 22:57, alex.gaynor--- via dev-security-policy wrote:
> On Wednesday, August 16, 2017 at 11:22:01 AM UTC-4, Rob Stradling wrote:
>> BTW, I've just asked Alex to look at adding the "CA Owner" field to the
>> misissued.com reports. :-)
>
> It does this now :-)

Excellent. Thanks Alex. :-)