This is Dean from Symantec. I'd like to offer the following with regard to your question about this certificate:
This is a legitimate certificate that VeriSign issued to Securepoint for their Network Access Controller (NAC). See http://download.securepoint.de/files/Handbuecher/NAC/NAC_Common_Delegated_Administration_Guide.pdf

Customers have approached VeriSign with a similar need: they produce an app or appliance that is to be deployed in their customer's network, and they want out-of-the-box SSL certificate protection. Since they cannot know in advance what will be the host name that their customer will provide for the app or appliance (and they don't wish to burden their customer with the task of generating and installing an SSL certificate after installation), they purchase an SSL certificate for an internal-only domain name, and deploy the same private key and certificate in each app or appliance.

As was pointed out, this cert was issued in 2010. The CAB Forum has addressed the issuance of SSL certs to non-FQDNs in the baseline requirements which were recently adopted.

Dean Coclin

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Kahn Gillmor
Sent: Monday, February 06, 2012 3:09 PM
To: EFF Observatory
Subject: Re: [SSL Observatory] https://controller.mobile.lan

On 02/06/2012 02:42 PM, Jacob Appelbaum wrote:
> I'm at a hotel in Munich and I found a rather funny cert performing a
> full MITM for *:443 - https://controller.mobile.lan is signed by VeriSign.
>
> CN = VeriSign Class 3 Secure Server CA - G2

Interesting. I can confirm that this verifies through the attached intermediate certificate to the root shipped by Mozilla as:

Verisign Class 3 Public Primary Certification Authority - G2

> X509v3 CRL Distribution Points:
>
> URI:http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl

This CRL does not list the certificate's serial number.

So, is .lan a known TLD, or was Verisign issuing certificates for non-FQDNs as recently as August 2010?

Anyone from Verisign want to comment on this?

--dkg
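An audit check for the two properties discussed in this thread, a publicly trusted certificate carrying an internal-only name and the same certificate deployed on many devices. This is an added example, not code from anyone in the thread; the `PUBLIC_TLDS` set, the scan tuple format and the sample observations are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the IANA root-zone list; a real audit loads the full list.
PUBLIC_TLDS = {"com", "net", "org", "de"}

def is_internal_name(name, public_tlds=PUBLIC_TLDS):
    """True if a certificate name cannot be a publicly resolvable FQDN."""
    host = name.strip().rstrip(".").lower()
    if host.startswith("*."):          # judge a wildcard by its base domain
        host = host[2:]
    try:
        return ipaddress.ip_address(host).is_private   # e.g. RFC 1918 literals
    except ValueError:
        pass                           # not an IP literal, treat as a DNS name
    labels = host.split(".")
    if len(labels) < 2:                # single-label host such as "intranet"
        return True
    return labels[-1] not in public_tlds

def audit(observations):
    """observations: (endpoint, cert_fingerprint, [cert names]) tuples from a scan."""
    endpoints = defaultdict(set)
    names_by_fp = {}
    for endpoint, fp, names in observations:
        endpoints[fp].add(endpoint)
        names_by_fp[fp] = names
    findings = []
    for fp, names in names_by_fp.items():
        internal = sorted(n for n in names if is_internal_name(n))
        if internal:
            findings.append({
                "fingerprint": fp,
                "internal_names": internal,
                "endpoints": sorted(endpoints[fp]),
                # One certificate on several endpoints means one shared private key.
                "shared": len(endpoints[fp]) > 1,
            })
    return findings

# Constructed scan results: documentation IP ranges, placeholder fingerprints.
SAMPLE = [
    ("192.0.2.10:443", "FP-PLACEHOLDER-A", ["controller.mobile.lan"]),
    ("198.51.100.7:443", "FP-PLACEHOLDER-A", ["controller.mobile.lan"]),
    ("203.0.113.5:443", "FP-PLACEHOLDER-B", ["www.example.com"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```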
