On 07/19/2017 06:03 PM, Tom wrote:
Following that discovery, I've searched for odd (invalid?) DNS names.
Here is the list of certificates I've found, it may overlap some
discovery already reported.
If I'm correct, these certificates are not revoked, not expired, and
probably trusted by Mozilla (crt.sh issuers are marked trusted by
Mozilla, but not all).
Annotating these certs:
Starting with *:
I believe this cert is presently untrusted by Mozilla due to revocation
of all paths to the Federal PKI:
https://crt.sh/?id=7211484 *eis.aetc.af.mil
chains to StartCom (and all of these from StartCom are minor compared to
StartCom's other problems):
https://crt.sh/?id=10714112 *g10.net-lab.net
chains to Baltimore CyberTrust Root (DigiCert):
https://crt.sh/?id=48682944 *nuvolaitaliana.it
chains to StartCom:
https://crt.sh/?id=15736178 *assets.blog.cn.net.ru
https://crt.sh/?id=17295812 *dev02.calendar42.com
https://crt.sh/?id=15881220 *dev.1septem.ru
https://crt.sh/?id=15655700 *assets.blog.cn.net.ru
https://crt.sh/?id=17792808 *quickbuild.raptorengineering.io
Starting with -:
chains to QuoVadis:
https://crt.sh/?id=54285413 -d1-datacentre-12g-console-2.its.deakin.edu.au
chains to StartCom:
https://crt.sh/?id=78248795 -1ccenter.777chao.com
Multiple *.:
chains to QuoVadis:
https://crt.sh/?id=13299376 *.*.victoria.ac.nz
I believe this cert is presently trusted by Mozilla only via a
technically constrained subCA:
https://crt.sh/?id=44997156 *.*.rnd.unicredit.it
chains to Swisscom:
https://crt.sh/?id=5982951 *.*.int.swisscom.ch
Internal TLDs:
chains to Baltimore CyberTrust Root (DigiCert):
https://crt.sh/?id=33626750 a1.verizon.test
I believe this cert is presently untrusted by Mozilla due to revocation
of the relevant subCA:
https://crt.sh/?id=33123653 DAC38997VPN2001A.trmk.corp
chains to Certplus (DocuSign):
https://crt.sh/?id=42475510 naccez.us.areva.corp
I believe these presently lack an unrevoked, unexpired trust path in
Mozilla:
https://crt.sh/?id=10621703 collaboration.intra.airbusds.corp
https://crt.sh/?id=48726306 zdeasaotn01.dsmain.ds.corp
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
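
Added example, not part of the original message and not crt.sh's own code: a small Python lint that sorts dNSName values into the four categories used in the list above. The problem labels and the INTERNAL_TLDS set are assumptions made for illustration; a real check would use the IANA root zone list.

```python
import re

# Assumption: a small illustrative set of non-public TLDs. ".test" and ".corp"
# come from the message; the rest are RFC 2606 / RFC 6762 special-use names.
INTERNAL_TLDS = {"test", "corp", "example", "invalid", "localhost", "local"}

# LDH label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
LDH_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def classify_dns_name(name: str) -> list[str]:
    """Return the problems found in one dNSName value (empty list if none)."""
    problems = []
    labels = name.lower().rstrip(".").split(".")

    # A wildcard is only well formed as the complete left-most label ("*.").
    if "*" in labels[0] and labels[0] != "*":
        problems.append("wildcard-not-whole-label")
    if any("*" in label for label in labels[1:]):
        problems.append("wildcard-not-leftmost")

    for label in labels:
        if "*" in label:
            continue  # already reported by the wildcard checks
        if label.startswith("-") or label.endswith("-"):
            problems.append("label-hyphen-edge")
        elif not LDH_LABEL.match(label):
            problems.append("label-not-ldh")

    if labels[-1] in INTERNAL_TLDS:
        problems.append("internal-tld")
    return problems


# Names taken from the message, plus two constructed well-formed controls.
SAMPLES = [
    "*eis.aetc.af.mil",
    "-1ccenter.777chao.com",
    "*.*.victoria.ac.nz",
    "a1.verizon.test",
    "DAC38997VPN2001A.trmk.corp",
    "www.example.org",  # constructed control
    "*.example.org",    # constructed control
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:32} {classify_dns_name(sample) or 'ok'}")
```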