April 7, 2011 | By Chris Palmer

Fully-qualified Nonsense in the SSL Observatory

Yesterday, I posted about how internet certification authorities will sign unqualified names, which have no meaning on the internet.

In addition to unqualified names being meaningless — or, worse than meaningless — there are also meaningless fully-qualified names. And, yes, CAs will sign those names too.

As you may know, the internet domain name system (DNS) has a hierarchical structure: at the top are the top-level domains (TLDs) like .com, .org, and .net. Additionally, each two-letter ISO country code like UK, JP, and CN is also a valid country-code TLD (ccTLD). Finally, there are the lesser-known TLDs like .mobi, .museum, and .int.

Although you can register most any name (that contains letters, numbers, dashes, and arguably underscores) underneath the TLDs, the set of TLDs is fixed. Although ICANN might someday approve a .mars TLD for the red planet, they have not yet done so. If you try to browse to www.olympus-mons.mars, you won’t get anywhere. (Yet.)

However, CAs will sign certificates vouching for the identities of servers under non-existent TLDs and for names that are not legal DNS names (such as phrases containing spaces). Attached to this post, below, is a file containing a list of all the distinct TLDs in all the CA-validated names that the EFF SSL Observatory has observed.

The vast majority of TLDs in the list are invalid and have no meaning on the internet. Browsing it, you’ll see lots of names that are not internet TLDs, like .public, .priv, .nyc, .84/exchange, and so on. My favorite invalid TLD in the list is .foo, a technical term meaning “whatever”.

It might happen that someday ICANN will create some of these TLDs. There is even talk that they might allow people to register (at a high cost) arbitrary TLDs like .milk or .cookies. In that case, these currently-invalid certificates will become valid because they will suddenly refer to usable internet names. For example, imagine if Microsoft were able to, in the future, register the .microsoft TLD so that they could have www.microsoft for their web site address. As the Observatory shows, an attacker can probably get a CA to sign that name today. Such an attacker would be able to hijack Microsoft’s web site on the very minute the new name goes live.

Technical Fun

For the geeks among you, here is how I generated the list. (Note that the Observatory home page gives instructions on how to set up your own copy of the Observatory, and how to run it on an Amazon EC2 instance.)

First, select all the TLDs from the names table in MySQL:

mysql> select distinct substring_index(name, '.', -1) as tld
       from names
       where name regexp '^.+\\..+$'
       order by name
       into outfile '/tmp/tld5';

Then, remove the numeric “TLDs” (really, the final octet of all those IP addresses that CAs signed). For good measure, sort the list and unique it:

$ grep -vE '^[0-9]+$' /tmp/tld5 | \
  sort -u > invalid-validated-tlds.txt

You can spot-check strange names with a simple query:

mysql> select name from names where name like '%.zaventem';
| name                            |
| ciblex-exchange.ciblex.zaventem |
1 row in set (1.37 sec)

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Pls plan to call your House Rep Monday, "vote no FCC privacy repeal" If your rep is Republican, ask 5 friends too https://eff.org/gopp

Mar 24 @ 4:18pm

A loophole in Australia's copyright safe harbor rules will stay open, endangering local user-generated content sites https://www.eff.org/deeplinks...

Mar 24 @ 1:37pm

In all, @agcrocker addressed the appeals court on NSLs for more than 25 minutes. Here's the full recording. https://youtu.be/ccS06CFkZ5M

Mar 24 @ 1:09pm
JavaScript license information