The Problem of Issuing Certs For Unqualified Names
Found on Threatpost on Tuesday, 05 April 2011

One interesting result of the EFF's SSL Observatory work is that the Electronic Frontier Foundation has found tens of thousands of legitimate, CA-issued certificates for unqualified names such as "localhost" or "Exchange". Because an unqualified name is not globally unique, such a certificate validates on any network where a client resolves that short name, which could simplify some forms of man-in-the-middle attack.
"In the Observatory we have discovered many examples of CA-signed certificates for unqualified domain names. In fact, the most common unqualified name is 'localhost', which always refers to your own computer! It simply makes no sense for a public CA to sign a certificate for this private name."
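To make the problem concrete, here is an added example (not code from the EFF, the Observatory, or the original post) that classifies the DNS names found in a certificate's Subject Alternative Name extension and shows why an unqualified name is dangerous: the hostname-matching rule browsers use will accept a certificate for "Exchange" on any network that has a host called "exchange". The list of non-public suffixes and the sample SAN entries are constructed assumptions for this example, not data from the Observatory.

```python
"""Audit certificate DNS names for ones a public CA should never sign.

Input is the list of dNSName entries from a certificate's SAN extension
(or its CN); each is classified as public, unqualified, reserved, ip or
invalid.  hostname_matches() shows the RFC 6125-style matching rule that
makes an unqualified name valid on every network.
"""
import ipaddress

# Names that always mean "this machine" regardless of network.
RESERVED_HOSTNAMES = {"localhost"}
# Suffixes never delegated in the public DNS.  Illustrative list, an
# assumption for this example rather than an exhaustive registry.
NON_PUBLIC_SUFFIXES = (".localhost", ".local", ".internal",
                       ".lan", ".corp", ".home", ".intranet")


def classify_name(name: str) -> str:
    """Return 'public', 'unqualified', 'reserved', 'ip' or 'invalid'."""
    n = name.strip().lower().rstrip(".")
    if not n:
        return "invalid"
    # An IP literal in a dNSName is malformed; flag it separately.
    try:
        ipaddress.ip_address(n)
        return "ip"
    except ValueError:
        pass
    if n in RESERVED_HOSTNAMES or n.endswith(NON_PUBLIC_SUFFIXES):
        return "reserved"
    labels = n.split(".")
    if labels[0] == "*":          # wildcard: judge the base name
        labels = labels[1:]
    if any(not lbl for lbl in labels):
        return "invalid"
    if len(labels) < 2:           # single label: no registered domain
        return "unqualified"
    return "public"


def hostname_matches(cert_names, host: str) -> bool:
    """Browser-style match: exact name, or a wildcard in the leftmost label only."""
    h = host.strip().lower().rstrip(".")
    for cn in cert_names:
        c = cn.strip().lower().rstrip(".")
        if c == h:
            return True
        if c.startswith("*.") and "." in h and h.split(".", 1)[1] == c[2:]:
            return True
    return False


def audit(cert_names):
    """Map each SAN entry to its classification."""
    return {n: classify_name(n) for n in cert_names}


# Constructed sample SAN, modelled on the kinds of names the post mentions.
SAMPLE_SAN = ["Exchange", "exchange.corp.example.com", "localhost",
              "mail.example.com", "*.local", "10.0.0.5"]

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_SAN).items():
        print(f"{name:28} {kind}")
    # The same certificate is accepted for the short name on any network.
    print("matches 'exchange' anywhere:", hostname_matches(SAMPLE_SAN, "exchange"))
```

Run against the names pulled from a real certificate (for instance the output of openssl's SAN display), anything not reported as "public" is a name a public CA had no business signing.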
It's pretty simple: once your CA is in the trusted root store of every major browser, you have a license to print money. You deliver no physical goods; you just tell everyone "this is safe, because I say so". Anyone can create a self-signed certificate with exactly the same cryptographic strength, but browsers will warn users because they don't trust the signer. It's all about trust, and trust can be gone very fast.