Re: Certificate with invalid dnsName

Wed, 19 Jul 2017 18:30:24 -0700 

On 07/19/2017 06:03 PM, Tom wrote:

Following that discovery, I've search for odd (invalid?) DNS names.
Here is the list of certificated I've found, it may overlap some discovery already reported. If I'm correct, theses certificate are not revoked, not expired, and probably trusted by Mozilla (crt.sh issuer are marked trusted by Mozilla, but not all). 

Annotating these certs:


Starting with *:



I believe this cert is presently untrusted by Mozilla due to revocation 
of all paths to the Federal PKI:

https://crt.sh/?id=7211484    *eis.aetc.af.mil



chains to StartCom (and all of these from StartCom are minor compared to 
StartCom's other problems):

https://crt.sh/?id=10714112    *g10.net-lab.net


chains to Baltimore CyberTrust Root (DigiCert):

https://crt.sh/?id=48682944    *nuvolaitaliana.it


chains to StartCom:

https://crt.sh/?id=15736178    *assets.blog.cn.net.ru
https://crt.sh/?id=17295812    *dev02.calendar42.com
https://crt.sh/?id=15881220    *dev.1septem.ru
https://crt.sh/?id=15655700    *assets.blog.cn.net.ru
https://crt.sh/?id=17792808    *quickbuild.raptorengineering.io





Starting with -:


chains to QuoVadis:

https://crt.sh/?id=54285413    
-d1-datacentre-12g-console-2.its.deakin.edu.au


chains to StartCom:

https://crt.sh/?id=78248795    -1ccenter.777chao.com





Multiple *.:


chains to QuoVadis:

https://crt.sh/?id=13299376    *.*.victoria.ac.nz



I believe this cert is presently trusted by Mozilla only via a 
technically constrained subCA:

https://crt.sh/?id=44997156    *.*.rnd.unicredit.it


chains to Swisscom:

https://crt.sh/?id=5982951    *.*.int.swisscom.ch





Internals TLD:


chains to Baltimore CyberTrust Root (DigiCert):

https://crt.sh/?id=33626750    a1.verizon.test



I believe this cert is presently untrusted by Mozilla due to revocation 
of the relevant subCA:

https://crt.sh/?id=33123653    DAC38997VPN2001A.trmk.corp


chains to Certplus (DocuSign):

https://crt.sh/?id=42475510    naccez.us.areva.corp



I believe these presently lack an unrevoked, unexpired trust path in 
Mozilla:

https://crt.sh/?id=10621703    collaboration.intra.airbusds.corp
https://crt.sh/?id=48726306    zdeasaotn01.dsmain.ds.corp

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy























					Reply via email to