Fully-qualified Nonsense in the SSL Observatory
Yesterday, I posted about how internet certification authorities will sign unqualified names, which have no meaning on the internet.
In addition to unqualified names being meaningless — or, worse than meaningless — there are also meaningless fully-qualified names. And, yes, CAs will sign those names too.
As you may know, the internet domain name system (DNS) has a hierarchical structure: at the top are the top-level domains (TLDs) like .com, .org, and .net. Additionally, each two-letter ISO country code like UK, JP, and CN is also a valid country-code TLD (ccTLD). Finally, there are the lesser-known TLDs like .mobi, .museum, and .int.
Although you can register almost any name (one made of letters, numbers, dashes, and arguably underscores) underneath the TLDs, the set of TLDs is fixed. Although ICANN might someday approve a .mars TLD for the red planet, they have not yet done so. If you try to browse to www.olympus-mons.mars, you won’t get anywhere. (Yet.)
However, CAs will sign certificates vouching for the identities of servers under non-existent TLDs and for names that are not legal DNS names (such as phrases containing spaces). Attached to this post, below, is a file containing a list of all the distinct TLDs in all the CA-validated names that the EFF SSL Observatory has observed.
The vast majority of TLDs in the list are invalid and have no meaning on the internet. Browsing it, you’ll see lots of names that are not internet TLDs, like .public, .priv, .nyc, .84/exchange, and so on. My favorite invalid TLD in the list is .foo, a technical term meaning “whatever”.
It might happen that someday ICANN will create some of these TLDs. There is even talk that they might allow people to register (at a high cost) arbitrary TLDs like .milk or .cookies. In that case, these currently-invalid certificates will become valid because they will suddenly refer to usable internet names. For example, imagine if Microsoft were able to, in the future, register the .microsoft TLD so that they could have www.microsoft for their web site address. As the Observatory shows, an attacker can probably get a CA to sign that name today. Such an attacker would be able to hijack Microsoft’s web site on the very minute the new name goes live.
For the geeks among you, here is how I generated the list. (Note that the Observatory home page gives instructions on how to set up your own copy of the Observatory, and how to run it on an Amazon EC2 instance.)
First, select all the TLDs from the names table in MySQL:
mysql> select distinct substring_index(name, '.', -1) as tld from names where name regexp '^.+\\..+$' order by tld into outfile '/tmp/tld5';
Then, remove the numeric “TLDs” (really, the final octet of all those IP addresses that CAs signed). For good measure, sort the list and drop duplicates:
$ grep -vE '^[0-9]+$' /tmp/tld5 | \
    sort -u > invalid-validated-tlds.txt
You can spot-check strange names with a simple query:
mysql> select name from names where name like '%.zaventem';
+---------------------------------+
| name                            |
+---------------------------------+
| ciblex-exchange.ciblex.zaventem |
+---------------------------------+
1 row in set (1.37 sec)
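The same classification done outside MySQL, as an added example rather than the post's own tooling: it extracts the final label of each validated name, sets IP addresses aside, and reports labels that are not delegated TLDs or not legal DNS labels at all. The names and the KNOWN_TLDS set are constructed stand-ins (a real check would load the full IANA root zone list).

```python
import ipaddress
import re

# Constructed sample modelled on the kinds of names the post describes;
# not data taken from the Observatory.
SAMPLE_NAMES = [
    "www.eff.org",
    "*.example.co.uk",
    "ciblex-exchange.ciblex.zaventem",
    "intranet.corp.priv",
    "www.olympus-mons.mars",
    "10.0.0.84/exchange",   # a "TLD" like .84/exchange in the post's list
    "192.168.1.5",          # CAs sign bare IP addresses too
    "My Mail Server",       # unqualified and not a legal DNS name
    "www.microsoft",
]

# Tiny stand-in for the root zone; swap in the real TLD list for actual use.
KNOWN_TLDS = {"com", "org", "net", "uk", "jp", "cn", "mobi", "museum", "int"}

# Letters, digits and hyphens, no leading/trailing hyphen, at most 63 chars.
# Underscores are rejected here although the post calls them "arguable".
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def classify(name, known_tlds=KNOWN_TLDS):
    """Return 'ip', 'unqualified', 'malformed', 'unknown-tld' or 'ok'."""
    if is_ip(name):
        return "ip"
    if name.startswith("*."):        # wildcard certs are still qualified
        name = name[2:]
    labels = name.split(".")
    if len(labels) < 2:
        return "unqualified"
    if not all(LABEL_RE.match(label) for label in labels):
        return "malformed"
    if labels[-1].lower() not in known_tlds:
        return "unknown-tld"
    return "ok"


def invalid_tlds(names, known_tlds=KNOWN_TLDS):
    """Distinct, sorted final labels that are not usable internet TLDs."""
    bad = ("unknown-tld", "malformed")
    return sorted({n.rsplit(".", 1)[-1] for n in names
                   if classify(n, known_tlds) in bad})
```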