A bug in digital certificate issuer Comodo's production system saw the company issue secure sockets layer/transport layer security (SSL/TLS) credentials for internal names and internet protocol addresses, which could be used in man-in-the-middle attacks.
Comodo research and development scientist Rob Stradling revealed the vulnerability in an incident transparency report on the public certificate authority/browser forum (Cabforum) mailing list.
Stradling said a code change in the company's system had misfired and failed to delete internal names and IP addresses from certificate requests.
Such internal names and non-internet-routable IP addresses are banned by the Cabforum's baseline requirements, which certificate authorities have to adhere to in order for their credentials to be trusted by major browser vendors.
Using internal names and private RFC 1918 internet addresses in digital certificates is common practice in many organisations' local area networks to access servers and other resources with SSL/TLS authentication and encryption.
However, certificates with generic names and private IP addresses could be used by attackers to impersonate the resources or networks they authenticate, leading to silent interception of user communications.
Cabforum has long recognised this risk, and its baseline requirements state "the practice will be eliminated by October 2016". It requires certificate authorities to revoke all unexpired credentials by the first of that month, and not to issue any certs with expiry dates later than November 1, 2015.
The eight Comodo certificates included generic host names such as "help", "sums-prod", "hie_stage_user", "mailarchive", and "aits-macl" as well as two .local non-registered internal domains.
Stradling said Comodo's developers sought to remove the generic names and private IP addresses from the certificates, as the company believed that was preferable to customers not having credentials at all.
However, since the developer behind the code change did not realise Comodo's certificate issuance code runs in a separate SQL context, the deletions were not committed to the database before issuance took place.
As a result, Stradling said, Comodo's certificate issuance system still saw the names that should have been deleted but had not been.
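The two points above, the baseline-requirements check for internal names and reserved IP addresses and the effect of an uncommitted deletion being invisible to a second database context, can be shown together with a small SQLite model. This is an added illustration and not Comodo's code; the table layout, the sample request (constructed) and the short list of reserved suffixes are assumptions made for the example. Python's ipaddress module treats RFC 1918 ranges, loopback, link-local and documentation ranges as non-global, which is what the check relies on.

```python
import ipaddress
import os
import sqlite3
import tempfile

# Assumption for the example: a minimal set of suffixes that cannot be registered
# in public DNS. A real linter would use the full public suffix list.
RESERVED_SUFFIXES = {"local", "localhost"}


def is_internal_name(san):
    """True if a subjectAltName entry is an internal name or a reserved IP address."""
    try:
        ip = ipaddress.ip_address(san)
    except ValueError:
        pass
    else:
        # Private, loopback, link-local and documentation ranges are all non-global.
        return not ip.is_global
    host = san.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    if "." not in host:
        return True  # single-label host such as "help" or "mailarchive"
    return host.rsplit(".", 1)[1] in RESERVED_SUFFIXES


def setup_db(path):
    """Create a request table with one constructed certificate request (req_id 1)."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")  # readers see the last committed snapshot
    con.execute("CREATE TABLE san (req_id INTEGER, name TEXT)")
    rows = [(1, "www.example.com"), (1, "help"), (1, "10.0.0.5"), (1, "mail.corp.local")]
    con.executemany("INSERT INTO san VALUES (?, ?)", rows)
    con.commit()
    con.close()
    return path


def strip_internal_names(con, req_id):
    """Delete non-compliant names on the given connection. The caller owns the commit;
    forgetting it is the failure mode described in the report."""
    rows = con.execute("SELECT name FROM san WHERE req_id = ?", (req_id,)).fetchall()
    removed = [name for (name,) in rows if is_internal_name(name)]
    con.executemany("DELETE FROM san WHERE req_id = ? AND name = ?",
                    [(req_id, name) for name in removed])
    return removed


def names_seen_by_issuer(path, req_id):
    """The issuance step runs on its own connection, i.e. a separate SQL context."""
    con = sqlite3.connect(path, isolation_level=None)  # autocommit: reads committed state
    cur = con.execute("SELECT name FROM san WHERE req_id = ? ORDER BY name", (req_id,))
    names = [name for (name,) in cur.fetchall()]
    cur.close()
    con.close()
    return names


def demo(commit_before_issue):
    """Return the SAN list the issuer would sign, with or without the missing commit."""
    with tempfile.TemporaryDirectory() as tmp:
        path = setup_db(os.path.join(tmp, "ca.db"))
        sanitiser = sqlite3.connect(path)  # DELETE opens an implicit transaction here
        strip_internal_names(sanitiser, 1)
        if commit_before_issue:
            sanitiser.commit()  # the fix: make the deletions visible before issuing
        seen = names_seen_by_issuer(path, 1)
        sanitiser.commit()
        sanitiser.close()
        return seen


if __name__ == "__main__":
    print("buggy flow issues:", demo(commit_before_issue=False))
    print("fixed flow issues:", demo(commit_before_issue=True))
```

Running the buggy flow returns all four names, the internal ones included, while the fixed flow returns only www.example.com. The same check can be run as a pre-issuance gate on the issuer's side, so that a compliant SAN list does not depend on another component having committed its cleanup.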
Comodo discovered the certificates with the banned internal names last week, and issued a fix for the issue.
The eight certificates have since then been revoked, but Stradling warned Comodo was not alone in having issued such credentials.
A wider investigation of certificates that chain to publicly trusted roots found non-compliant credentials issued "by quite a number of other certificate authorities," Stradling said.
He said he intends to document the non-compliant certificates in a later transparency report.