Hi Ian,

Thanks for pointing this out to us. We looked at all orders issued since a
new domain validation logic was rolled out in late May 2020 and we verified
that no IP addresses were attempted to be validated using a constructed
email address. Even if this was selected, the sending of that email would
fail. We'll update the page shortly to address this UI bug to avoid customer
confusion.

Regards,

Doug

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
Behalf Of Doug Beattie via dev-security-policy
Sent: Monday, August 10, 2020 6:30 AM
To: i...@ian.sh <i...@ian.sh>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Concerns with GlobalSign IP address validation

Hi Ian,

Thanks, we're looking into this.

Doug

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
Behalf Of i...--- via dev-security-policy
Sent: Friday, August 7, 2020 11:37 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Concerns with GlobalSign IP address validation

Hi there,

When purchasing a GlobalSign OV IP address certificate, I was presented with
several options to validate the certificate using email addresses that had
an incorrectly truncated IP address, treating it similarly to a DNS name,
which is not correct. As an example, GlobalSign would provide "admin@2.3.4"
and "admin@3.4" as options for the IPv4 address "admin@1.2.3.4" -- which are
(because of IPv4 notation) really 2.3.0.4 and 3.0.0.4, respectively, and not
even under the same CIDR (not that it would make that valid anyway).

To test this, I obtained an IP address with a zero from Google Cloud
(34.94.0.97) and then requested a certificate for 44.34.94.97 (part of
44net, which seems largely unused), which becomes 34.94.97 after truncation
and thus my server's IP.

GlobalSign returned an error message when I chose the plainly invalid
address "admin@34.94.97", which is why I'm not worried about posting this
here, but it seems worthy of a further investigation into why GlobalSign
presents these email addresses as options, if validation agents are trained
to manually accept emails from these addresses (such as being shown them in
internal systems), if they have issued any past certificates using invalid
verification methods, etc.

Thanks,
Ian Carroll
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to