Examine the cert of "https://www.sevendays.co".

Here's one of those certs with a huge number of unrelated hosts.
This seems to be a Cloudflare legacy setup from the pre-TLS era.
Unfortunately, this cert became valid on 10/09/2014. It's
not a legacy cert.

Should certs like this be rejected as misrepresenting the identity of the organization? Junk certs like this let any domain in the cert
impersonate any other domain, so they are a form of "wildcard" cert.
Now that all major browsers have TLS, they are unnecessary and can
be phased out, correct?

Firefox displays "You are connected to sevendays.co. Verified
by GlobalSign NV-SA" for this site. That misrepresents what the
cert really told Firefox.  The message should read "You are
connected to one of the following sites", and give the list.
Or perhaps "You are connected to ssl2910.cloudflare.com, which
appears to be authorized to host sevendays.co".  That would
assist in accelerating the phaseout of these old certs.

There's a real risk here.  A break-in at any of those sites
allows impersonating all of them.  This creates a huge
attack surface.

                                        John Nagle
                                        SiteTruth

Domain www.sevendays.co

Server identity

    countryName=US
    stateOrProvinceName=CA
    localityName=San Francisco
    organizationName=CloudFlare, Inc.
    commonName=ssl2910.cloudflare.com


Hosts allowed by certificate

    ssl2910.cloudflare.com
    ssl2910.cloudflare.com
    *.kitchensurfing.com
    *.kontrekulture.com
    guardian.co.tt
    storio.com
    zcloud.ws
    lazycoins.com
    mywvbar.org
    *.francescomugnai.com
    *.versatrussplus.com
    neurotoxininstitute.com
    *.mywvbar.org
    *.fitfashion.fi
    *.prenonslemaquis.fr
    *.neurotoxininstitute.com
    cresters.com
    *.zcloud.ws
    *.skinnymom.com
    anchoragemovies.com
    *.anchoragemovies.com
    skinnymom.com
    *.cresters.com
    francescomugnai.com
    kitchensurfing.com
    sevendays.co
    *.sevendays.co
    kontrekulture.com
    *.guardian.co.tt
    fitfashion.fi
    prenonslemaquis.fr
    *.storio.com
    *.bikeindex.org
    *.lazycoins.com
    versatrussplus.com
    bikeindex.org
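As an added example (not part of the post, nor any browser's code), here is the dNSName matching a client applies to the list above, run over the names in the post to show which entries vouch for which hosts and how many unrelated sites share this one key. The SAN entries are copied from the post with the duplicated ssl2910.cloudflare.com line collapsed; grouping by base name is a naive assumption with no public-suffix list.

```python
# SAN (dNSName) entries copied from the post above, duplicate CN entry collapsed.
SAN_LIST = [
    "ssl2910.cloudflare.com", "*.kitchensurfing.com", "*.kontrekulture.com",
    "guardian.co.tt", "storio.com", "zcloud.ws", "lazycoins.com", "mywvbar.org",
    "*.francescomugnai.com", "*.versatrussplus.com", "neurotoxininstitute.com",
    "*.mywvbar.org", "*.fitfashion.fi", "*.prenonslemaquis.fr",
    "*.neurotoxininstitute.com", "cresters.com", "*.zcloud.ws", "*.skinnymom.com",
    "anchoragemovies.com", "*.anchoragemovies.com", "skinnymom.com", "*.cresters.com",
    "francescomugnai.com", "kitchensurfing.com", "sevendays.co", "*.sevendays.co",
    "kontrekulture.com", "*.guardian.co.tt", "fitfashion.fi", "prenonslemaquis.fr",
    "*.storio.com", "*.bikeindex.org", "*.lazycoins.com", "versatrussplus.com",
    "bikeindex.org",
]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName matching as browsers apply it: a single leading
    '*' matches exactly one label. It never matches the bare parent domain,
    more than one label, or a partial label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                          # e.g. ".sevendays.co"
    if "*" in suffix or not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]           # the label the '*' stands for
    return bool(leftmost) and "." not in leftmost


def hosts_presented_as(hostname: str, sans=SAN_LIST) -> list:
    """Every SAN entry under which this one cert (and key) is valid for hostname."""
    return [san for san in sans if san_matches(san, hostname)]


def base_names(sans=SAN_LIST) -> set:
    """Distinct sites the cert covers, with the wildcard label stripped.
    Naive heuristic (assumption: no public-suffix list); use only as a count
    of how many unrelated organisations depend on this single private key."""
    return {san[2:] if san.startswith("*.") else san for san in sans}
```

Run `hosts_presented_as("www.sevendays.co")` beside `hosts_presented_as("www.storio.com")` to see the post's point: the same key answers for both, while `len(base_names())` gives the size of the shared blast radius.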
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy