OK, Google

Posted 2017-05-25 at https://www.rushworth.us/lisa/?p=1166 (category: System Administration; tags: CA, certificates, SAN, subject alternative name)

Chrome 58 was released last month – and since then, I've gotten a LOT of certificate errors. Especially internally (Windows CA signed certs @ home and @ work). It's really annoying – yeah, we don't have SAN dnsHost attributes defined. And I know the RFC says falling back to CN is deprecated (seriously, search https://tools.ietf.org/html/rfc2818 for subjectAltName) *but* the same text was in there in 1999 … so not exactly a new innovation in SSL policy. Fortunately there's a registry key (https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors) that will override this *for now*.

The problem I have with SAN certificates is exemplified in Google's cert on the web server that hosts the chromium changes site:

[Image: GoogleCertWithSANs.png – Google's certificate with its list of subjectAltName entries]

Seriously – this certificate ensures that the web site is any of these hundred wild-carded hostnames … and the more places you use a certificate, the greater the possibility of it being compromised. I get why people like wildcards — UALR was able to buy one cert & use it across the entire organisation. Cost effective *and* easy. The second through nth guy who wanted an SSL cert didn't need to go about establishing his credentials within the organisation. He didn't have to figure out how to make a cert request or how to pay for it. Just ask the first guy for a copy of his public/private key pair. Or run everything through your load balancer on the wildcard certificate & trust whatever backend cert happens to be in place.

***But*** the point of security design is *not* trusting large groups of people to act properly. To secure their data appropriately. To patch their systems, configure their system to avoid attacks, to replace the certificate EVERYWHERE every TIME someone leaves the organisation, and otherwise prevent a certificate installed on dozens of servers from being accessed by a malicious party. My personal security preference would be seeing a browser flag every time a cert has a wildcard or more than one SAN.