written by James Larisch on December 4th, 2020.
This story is false, but the observations are not.
One day, in the Montenegro TLS Certificate Issuance Office, the Bureaucrat asked the Intern to issue a new TLS certificate for the Government of Montenegro. This TLS certificate, the Bureaucrat told the Intern, should be valid for all domains under gov.me. In other words, it should be valid for

By valid, we mean that browsers must be able to successfully open a TLS connection (via HTTPS) to www.gov.me as long as the corresponding web server serves this yet-to-be-created certificate (and the rest of the chain). Furthermore, this exact same certificate, per the Bureaucrat’s orders, must be valid for gov.me and every other domain for which the suffix is (.)gov.me. We will put aside the fact that issuing a certificate which is valid for all domains across an entire government is a questionable idea.
On September 9th, 2020, the Intern issues this certificate. Note that browsers will reject a TLS certificate if the name(s) it was issued for do not match the domain name requested (i.e. you can’t serve a certificate for yahoo.com if the browser is trying to connect to google.com). But there are two domain name fields. Where do certificates store this name? They used to store it in the Subject X.509 field, where you would find it after CN = (denoting the Common Name). The Common Name was deprecated in favor of the X.509 extension Subject Alternative Names. (As an aside, note that Firefox respects the Common Name if no Subject Alternative Name extension is present, whereas Chrome will never respect the Common Name.)
We see the above certificate’s Subject Alternative Names here:
X509v3 Subject Alternative Name: DNS:*.gov.me DNS:*.mif.gov.me DNS:kzcg.gsv.gov.me DNS:uzkd.mku.gov.me DNS:uzi.mrs.gov.me DNS:crsport.ms.gov.me DNS:vojska.mod.gov.me DNS:nvo.mju.gov.me DNS:www.euprava.me
We see a wildcard *.gov.me. Clearly the Intern is trying to follow the Bureaucrat’s orders — the Intern believes this certificate will be valid for all domains under gov.me. The Intern distributes this certificate across all government webservers.
The Bureaucrat wakes up the next day and tries to access www.gov.me from both Chrome and Firefox. To his delight, it works in Firefox. Unfortunately it does not work in Chrome.

gov.me is on the Public Suffix List. Chrome does not allow wildcards immediately to the left of domains on the Public Suffix List (in the Subject Alternative Name). You can see the list of domains for which Chrome rejects such certificates here. You’ll notice

Firefox, however, only checks whether there are at least two labels to the right of the wildcard. This means *.gov.me is allowed, while *.com is not.
What do the standards say? The Certificate Authority / Browser (CA/B) Forum Baseline Requirements claims CAs should issue such certificates (with wildcards to the left of public suffixes) if the requesting entity can prove that they own the entire domain space. See this, section 188.8.131.52. They also say that there is no standardized way of determining what a “registry-controlled” domain space is, so using the Public Suffix List is best practice.
There’s an interesting discussion between Firefox devs, Chrome devs, and the maintainer of the Public Suffix List here.
After noticing the failure in Chrome, the Bureaucrat became angry. The Bureaucrat instructed the Intern to fix it. So the Intern did what all great programmers do — hardcoded the solution. Here is the subsequent certificate’s Subject Alternative Names list, issued two days later:
X509v3 Subject Alternative Name: DNS:*.gov.me DNS:*.mif.gov.me DNS:gov.me DNS:mif.gov.me DNS:www.gov.me DNS:dpcovid19.gov.me DNS:kzcg.gsv.gov.me DNS:uzkd.mku.gov.me DNS:uzi.mrs.gov.me DNS:crsport.ms.gov.me DNS:vojska.mod.gov.me DNS:nvo.mju.gov.me DNS:www.euprava.me DNS:gsv.gov.me DNS:predsjednik.gov.me DNS:potpredsjednikekon.gov.me DNS:predsjpol.gov.me DNS:potpredsjednikregraz.gov.me DNS:mpa.gov.me DNS:mup.gov.me DNS:mvpei.gov.me DNS:mps.gov.me DNS:mna.gov.me DNS:mku.gov.me DNS:mek.gov.me DNS:msp.gov.me DNS:mpr.gov.me DNS:mmp.gov.me DNS:mrt.gov.me DNS:mzd.gov.me DNS:mrs.gov.me DNS:ms.gov.me DNS:mbezportfe.gov.me DNS:poreskauprava.gov.me DNS:upravacarina.gov.me DNS:uzd.gov.me DNS:luckauprava.gov.me DNS:ubh.gov.me DNS:upravazavode.gov.me DNS:ujr.gov.me DNS:foj.gov.me DNS:uip.gov.me DNS:mha.gov.me DNS:uzi.gov.me DNS:uzk.gov.me DNS:szz.gov.me DNS:srp.gov.me DNS:zavodzaskolstvo.gov.me DNS:nsa.gov.me DNS:konk.gov.me DNS:mod.gov.me DNS:antitrafficking.gov.me DNS:mju.gov.me DNS:cso.gov.me DNS:ti.gov.me DNS:svo.gov.me DNS:fondrada.gov.me DNS:fzo.gov.me DNS:up.gov.me DNS:anb.gov.me DNS:kkdp.gov.me DNS:srju.gov.me DNS:szr.gov.me DNS:cfcu.gov.me DNS:zzm.gov.me DNS:ipard.gov.me DNS:szp.gov.me DNS:uis.mif.gov.me DNS:akvo.gov.me DNS:kei.gov.me DNS:ziks.gov.me DNS:kinns.gov.me DNS:dk.gov.me DNS:kzz.gov.me DNS:uzs.gov.me DNS:uzz.gov.me DNS:ups.gov.mae
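To make the two browser policies concrete, here is an added example (not code from the original post, and not how either browser is actually implemented) that parses an openssl-style Subject Alternative Name line and matches a hostname against it under a Firefox-style rule (at least two labels to the right of the wildcard) and a Chrome-style rule (no wildcard directly left of a public suffix). It covers both the first certificate's wildcard-only list and the second, hardcoded list: the tiny PUBLIC_SUFFIXES set and the SAN lines embedded in it are constructed for the example and are not the real Public Suffix List or the full certificates.

```python
"""Hostname vs. Subject Alternative Name matching with two wildcard policies.

policy == "labels": Firefox-style, a '*.' entry needs at least two labels to
                    its right (so *.gov.me is fine, *.com is not).
policy == "psl":    Chrome-style, a '*.' entry is ignored when the part to
                    the right is itself a public suffix (so *.gov.me is ignored).
The public-suffix set below is a constructed subset for this example only.
"""

PUBLIC_SUFFIXES = {"com", "me", "gov.me", "co.uk", "github.io"}  # constructed


def parse_san_line(line):
    """Extract the DNS names from an `openssl x509 -text` style SAN line."""
    prefix = "X509v3 Subject Alternative Name:"
    body = line.split(prefix, 1)[1] if prefix in line else line
    return [tok[len("DNS:"):].strip(",").lower()
            for tok in body.split() if tok.startswith("DNS:")]


def wildcard_allowed(pattern, policy):
    """Decide whether a SAN entry's wildcard is acceptable under `policy`."""
    if not pattern.startswith("*."):
        return True                      # plain name, nothing to check
    parent = pattern[2:]
    if "*" in parent:
        return False                     # wildcard only in the left-most label
    if policy == "labels":
        return parent.count(".") >= 1    # >= two labels right of the '*'
    if policy == "psl":
        return parent not in PUBLIC_SUFFIXES
    raise ValueError("unknown policy: %r" % policy)


def name_matches(hostname, pattern, policy):
    """Match one hostname against one SAN entry."""
    hostname = hostname.lower().rstrip(".")
    if not wildcard_allowed(pattern, policy):
        return False
    if not pattern.startswith("*."):
        return hostname == pattern
    # A wildcard covers exactly one label: *.gov.me matches www.gov.me but
    # neither gov.me itself nor a.b.gov.me (RFC 6125 style matching).
    host_labels, pat_labels = hostname.split("."), pattern.split(".")
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def cert_accepts(hostname, san_names, policy):
    """True if any SAN entry matches the hostname under the given policy."""
    return any(name_matches(hostname, n, policy) for n in san_names)


# Constructed, shortened versions of the two certificates' SAN lines.
FIRST_CERT = parse_san_line(
    "X509v3 Subject Alternative Name: DNS:*.gov.me DNS:*.mif.gov.me "
    "DNS:kzcg.gsv.gov.me")
SECOND_CERT = parse_san_line(
    "X509v3 Subject Alternative Name: DNS:*.gov.me DNS:*.mif.gov.me "
    "DNS:gov.me DNS:mif.gov.me DNS:www.gov.me DNS:mup.gov.me")


def summary(hostname):
    """Accept/reject table for a hostname across both certs and policies."""
    return {(cert, policy): cert_accepts(hostname, names, policy)
            for cert, names in (("first", FIRST_CERT), ("second", SECOND_CERT))
            for policy in ("labels", "psl")}


if __name__ == "__main__":
    for host in ("www.gov.me", "gov.me", "x.mif.gov.me", "a.b.gov.me"):
        for (cert, policy), ok in sorted(summary(host).items()):
            print("%-14s %-6s cert, %-6s policy: %s" % (host, cert, policy, ok))
```

Two things the table makes visible that the story only implies: the first certificate fails in the Chrome-style policy for www.gov.me because its only covering entry is the ignored *.gov.me, and neither policy lets *.gov.me cover the bare apex gov.me or a two-level name such as a.b.gov.me, which is exactly the hole the hardcoded DNS:gov.me and DNS:www.gov.me entries in the second certificate plug.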