Comodo kills 'forbidden' certs
Internal-only certificates issued by accident
Certificate authority Comodo has revoked a bunch of certificates issued by mistake, which included reserved IP addresses and internal server names.
In announcing the discovery on the CA/Browser Forum (CA/B Forum) mailing list, Comodo's senior R&D scientist Rob Stradling wrote that there are also certificates from other CAs floating around that break the same rules.
Publicly trusted certificate authorities are not supposed to issue certificates for internal server names, because such certificates can be used, for example, in man-in-the-middle attacks. The CA/B Forum deprecated the practice in its Baseline Requirements in 2012 and set 1 November 2015 as the date after which no such certificates may be issued; the same rule forbids certificates for reserved IP addresses (the Forum published separate guidance on the deprecation).
There is no guarantee that an internal name (a hostname that does not end in a registered public top-level domain, such as a bare server name or something like mail.corp, and so cannot be verified in the public DNS) is globally unique, which means a CA has no way to validate who actually controls it. That opens up the risk of a name collision: anyone else using the same name inside their own network, or an attacker who simply requests a certificate for it, could hold a browser-trusted certificate for that name and present it to clients on a network they have no business in, for instance to intercept traffic to an internal mail or web server.
Back to Comodo: Stradling says the eight forbidden certificates were discovered because he was checking that the company was complying with the instruction.
He writes that “there was a subtle bug in a code change that we had deployed to our CA system on 30th October 2015. The intent of this code change was to help ease the pain of the 1st November 2015 transition, by automatically deleting all Internal Names and Reserved IP Addresses from a certificate request just prior to issuing the certificate.”
The bug meant, however, that in some cases the internal names and reserved IP addresses were not removed, and certificates containing them were issued after the cut-off (Stradling says a hotfix has already been deployed).
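The two checks described above, a compliance sweep over issued certificates for Internal Names and Reserved IP Addresses, and the pre-issuance filter that strips such names from a request, look roughly like the following. This is an added example, not Comodo's code or the CA/B Forum's tooling. It assumes a certificate or request can be modelled as a plain list of CN/SAN strings, and the PUBLIC_TLDS set is a constructed stand-in for IANA's Root Zone Database, which a real check would load in full; the sample certificates at the bottom are constructed, not the ones Comodo revoked.

```python
"""Flag and strip CA/B Forum 'Internal Names' and 'Reserved IP Addresses'.

Added example. Assumptions: names arrive as plain strings (no CSR parsing),
and PUBLIC_TLDS below is a small constructed stand-in for the IANA root
zone list, which a real deployment must load in full.
"""
import ipaddress
import re

# Constructed stand-in for the IANA Root Zone Database. The Baseline
# Requirements define an Internal Name as one that does not end in a TLD
# registered there, so the real check needs the complete, current list.
PUBLIC_TLDS = {"com", "net", "org", "uk", "de", "io", "info"}

# One DNS label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

ISSUABLE = ("public", "public_ip")


def classify(name):
    """Classify a CN/SAN value as 'public', 'internal', 'public_ip',
    'reserved_ip' or 'malformed'."""
    name = name.strip().rstrip(".").lower()
    # IP addresses first: the BR definition of Internal Name excludes them.
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        pass
    else:
        # is_global is False for RFC 1918, loopback, link-local, IPv6 ULA,
        # shared address space (100.64/10), multicast, unspecified, etc.
        return "public_ip" if ip.is_global else "reserved_ip"
    # A wildcard is judged on the part to the right of '*.'.
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return "malformed"
    # A single label or an unregistered rightmost label cannot be shown to
    # be globally unique in the public DNS, so it is an Internal Name.
    if len(labels) < 2 or labels[-1] not in PUBLIC_TLDS:
        return "internal"
    return "public"


def strip_forbidden(requested):
    """Pre-issuance filter: keep only names a public CA may issue for and
    report what was dropped. Refuses outright when nothing issuable remains,
    rather than issuing a certificate with an empty name list."""
    kept, dropped = [], []
    for n in requested:
        kind = classify(n)
        if kind in ISSUABLE:
            kept.append(n)
        else:
            dropped.append("%s (%s)" % (n, kind))
    if not kept:
        raise ValueError("no issuable names remain: " + ", ".join(dropped))
    return kept, dropped


def audit_issued(certs):
    """Post-issuance compliance sweep over {serial: [names]}: return the
    serials that still carry an Internal Name or Reserved IP, with the
    offending names, i.e. what a check like Stradling's would surface."""
    bad = {}
    for serial, names in certs.items():
        hits = [n for n in names if classify(n) not in ISSUABLE]
        if hits:
            bad[serial] = hits
    return bad


# Constructed sample data, not real certificates.
SAMPLE_ISSUED = {
    "01": ["www.example.com", "example.com"],
    "02": ["mail.example.com", "mail.corp", "10.1.2.3"],
    "03": ["*.example.org", "*.internal"],
    "04": ["vpn.example.net", "fd00::1"],
}

if __name__ == "__main__":
    for serial, hits in sorted(audit_issued(SAMPLE_ISSUED).items()):
        print("serial %s: revoke, contains %s" % (serial, ", ".join(hits)))
    kept, dropped = strip_forbidden(SAMPLE_ISSUED["02"])
    print("would issue for %s, dropping %s" % (kept, dropped))
```

Two caveats worth keeping in mind if you adapt this: the TLD list is a moving target (new gTLDs can turn a name that was internal yesterday into a public one today, which is exactly why the collision risk exists), and stripping names silently is only safe if the CN is handled too; a request whose CN was the internal name must either have a remaining SAN promoted to CN or be rejected, never issued with a forbidden CN left in place.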
In the course of investigating, he adds, it emerged that other CAs have made similar mistakes. “We found non-compliant certificates issued by quite a number of other CAs, but I'll document these in another post”, Stradling writes. ®