07 Apr

Electronic Frontier Foundation – Fully-qualified Nonsense in the SSL Observatory

Yesterday, I posted about how internet certification authorities will sign unqualified names, which have no meaning on the internet.

In addition to unqualified names being meaningless — or, worse than meaningless — there are also meaningless fully-qualified names. And, yes, CAs will sign those names too.

As you may know, the internet domain name system (DNS) has a hierarchical structure: at the top are the top-level domains (TLDs) like .com, .org, and .net. Additionally, each two-letter ISO country code like UK, JP, and CN is also a valid country-code TLD (ccTLD). Finally, there are the lesser-known TLDs like .mobi, .museum, and .int.

Although you can register most any name (that contains letters, numbers, dashes, and arguably underscores) underneath the TLDs, the set of TLDs is fixed. Although ICANN might someday approve a .mars TLD for the red planet, they have not yet done so. If you try to browse to www.olympus-mons.mars, you won’t get anywhere. (Yet.)

However, CAs will sign certificates vouching for the identities of servers under non-existent TLDs and for names that are not legal DNS names (such as phrases containing spaces). Attached to this post, below, is a file containing a list of all the distinct TLDs in all the CA-validated names that the EFF SSL Observatory has observed.

via Electronic Frontier Foundation – Fully-qualified Nonsense in the SSL Observatory. What stupidity.
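The two classes of nonsense the EFF excerpt describes (names that are not legal DNS hostnames, and syntactically fine names whose rightmost label is not a delegated TLD) are easy to screen for mechanically. The following is an added example, not code from the EFF post or from the SSL Observatory: it applies the LDH hostname rule to each label and then checks the top-level label against a TLD list parsed in the format of the IANA root-zone file. The embedded TLD text is a constructed subset for offline use (in practice you would load https://data.iana.org/TLD/tlds-alpha-by-domain.txt), the sample subject names are constructed, and the treatment of a leading `*.` as a wildcard to strip before checking is an assumption of this example.

```python
"""Flag certificate subject names that cannot name anything on the public internet.

Added example, not EFF's or the SSL Observatory's code.  Two checks per name:
  1. syntax: every label must be LDH (letters, digits, interior hyphens, 1-63
     octets) and the whole name at most 253 octets;
  2. delegation: the rightmost label must be a TLD that actually exists.
"""
from __future__ import annotations

import re

# Constructed subset in the format of https://data.iana.org/TLD/tlds-alpha-by-domain.txt
# (one '#' comment line, then one upper-case TLD per line).  Not the real file.
IANA_TLD_SAMPLE = """\
# Version 0000000000, constructed sample for offline use
COM
NET
ORG
UK
JP
CN
MOBI
MUSEUM
INT
"""

# One LDH label: no leading or trailing hyphen, no spaces, no underscores.
_LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def load_iana_tlds(text: str) -> frozenset[str]:
    """Parse the IANA TLD list: '#' lines are comments, entries are one per line."""
    return frozenset(
        line.strip().lower()
        for line in text.splitlines()
        if line.strip() and not line.startswith("#")
    )


def check_name(name: str, tlds: frozenset[str]) -> str | None:
    """Return None if `name` is a plausible public hostname, else the reason it is not."""
    host = name.rstrip(".")          # tolerate a trailing root dot
    if host.startswith("*."):        # assumption: treat a leading '*.' as a wildcard
        host = host[2:]
    if not host:
        return "empty name"
    if len(host) > 253:
        return "hostname longer than 253 octets"
    labels = host.split(".")
    for label in labels:
        # Catches phrases with spaces and names with underscores (the post calls
        # underscores "arguable"; the LDH rule rejects them).
        if not _LDH_LABEL.match(label):
            return f"label {label!r} is not LDH (letters, digits, interior hyphens)"
    if len(labels) < 2:
        return "unqualified name (no TLD)"
    tld = labels[-1].lower()
    if tld not in tlds:
        return f"TLD '.{tld}' is not delegated"
    return None


def audit(names: list[str], tlds: frozenset[str]) -> dict[str, str | None]:
    """Map each name (e.g. the SANs of one certificate) to its problem, or None."""
    return {n: check_name(n, tlds) for n in names}


# Constructed sample subject names, including the kinds the post describes.
SAMPLE_SANS = [
    "www.example.com",
    "*.example.co.uk",
    "mail",                     # unqualified (the previous post's case)
    "www.olympus-mons.mars",    # fully-qualified under a TLD that does not exist
    "Exchange Server 2007",     # a phrase with spaces, not a DNS name at all
    "bad_host.example.org",     # underscore, not LDH
]

if __name__ == "__main__":
    known_tlds = load_iana_tlds(IANA_TLD_SAMPLE)
    for subject, problem in audit(SAMPLE_SANS, known_tlds).items():
        status = "OK " if problem is None else "BAD"
        print(f"{status} {subject}: {problem or 'plausible public hostname'}")
```

Feed it the subjectAltName entries of a certificate and anything reported as BAD is a name no public client could ever have resolved to that server, which is the point the EFF post makes about such certificates.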