
Re: https://<FQDN>:<port> vs. https://<IP address>:<port>.



On Mon, Apr 10, 2023 at 3:30 PM <peter@easthope.ca> wrote:
>
> Noticed this oddity when working with the new service.
>
> $ nslookup hornby.islandhosting.com
> Server:         192.168.0.1
> Address:        192.168.0.1#53
>
> Non-authoritative answer:
> Name:   hornby.islandhosting.com
> Address: 158.69.159.172
> Name:   hornby.islandhosting.com
> Address: 2607:5300:203:66b5::
>
> $ nslookup mail.easthope.ca
> Server:         192.168.0.1
> Address:        192.168.0.1#53
>
> Non-authoritative answer:
> mail.easthope.ca        canonical name = easthope.ca.
> Name:   easthope.ca
> Address: 158.69.159.172
>
> As expected, login at https://hornby.islandhosting.com:2096 and at
> https://mail.easthope.ca:2096 appear equivalent.
>
> But for URL https://158.69.159.172:2096 Firefox warns,
>
> "Warning: Potential Security Risk Ahead
>
> Firefox detected a potential security threat and did not continue to
> 158.69.159.172. If you visit this site, attackers could try to steal
> information like your passwords, emails, or credit card details.
>
> What can you do about it?
>
> The issue is most likely with the website, and there is nothing you
> can do to resolve it. You can notify the website’s administrator
> about the problem."
>
> What is the risk from an IP address?  Misconfiguration at Island Hosting
> as Firefox suggests?

The TLS certificate is bound to a domain, not an IP address:

            X509v3 Subject Alternative Name:
                DNS:*.islandhosting.com, DNS:islandhosting.com

The risks are, it could confuse users and allow them to be tricked. Or
it could be an attack, if the attacker controls the IP address. In
either case, the result will likely be limited to loss of
confidentiality. So user passwords and user data could be lost to an
attacker.

Users should probably not short-circuit DNS by using an IP address
since so much of the web security model depends on domain names and
DNS.

You could ask your webhost to add an IP address to the SAN. I don't
recall if the CA/B Baseline Requirements allow an IP address in the
SAN, so a public CA may not issue one. I know the Internet's PKIX
allows it, however.

(PKIX and CA/B BR are two competing PKIs on the internet. PKIX is
from the IETF; it is called the "Internet PKI". CA/B BR is the
CA/Browser Forum Baseline Requirements; CA/B is what browsers follow.)

$ openssl s_client -connect hornby.islandhosting.com:2096 -servername hornby.islandhosting.com | openssl x509 -text -noout
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.islandhosting.com
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            85:26:95:89:5b:6b:35:7b:c3:19:5a:ce:61:95:01:7a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: Nov 19 00:00:00 2022 GMT
            Not After : Dec 20 23:59:59 2023 GMT
        Subject: CN = *.islandhosting.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cd:93:68:87:09:e4:b1:36:7e:ce:45:89:d5:25:
                    9f:88:47:0f:eb:cd:85:7b:08:d5:3c:0f:04:72:53:
                    ee:99:e7:42:ef:18:a1:88:0b:5b:f7:9d:1f:5b:ea:
                    af:52:04:99:a5:a8:9c:3c:c6:5a:bb:e6:39:82:86:
                    9a:4a:e4:ae:4c:b9:c4:e7:c6:6f:dc:4b:99:7d:7d:
                    b9:70:c1:c6:9a:c7:90:7d:99:9b:34:16:50:4a:7b:
                    84:69:6e:a5:43:18:3d:c8:a7:e7:5b:31:66:ad:56:
                    c5:48:9f:a9:ed:b4:a1:9d:3b:0d:24:67:13:cc:ce:
                    bb:42:c9:35:f8:bf:39:a9:c4:aa:16:80:71:11:bf:
                    1c:bc:5e:53:2d:68:0a:36:b4:ed:79:0e:8d:aa:b1:
                    99:f1:26:75:e8:59:6c:95:d0:be:4a:55:fb:39:9f:
                    f1:ad:7a:4f:f7:ed:60:ea:52:d9:75:6d:51:6a:3f:
                    54:61:08:35:ae:a0:94:ff:d3:35:98:7c:38:3e:d2:
                    f3:57:fe:83:48:7a:cd:77:11:60:74:8f:fc:e5:f3:
                    12:c8:53:4a:fd:9c:e0:2d:6a:06:24:a9:39:8d:bb:
                    67:b8:d5:c1:13:44:c6:76:7c:bc:18:01:14:d3:36:
                    1f:29:87:7d:80:c5:90:c4:f0:ef:60:62:19:cb:b8:
                    08:63
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
            X509v3 Subject Key Identifier:
                DF:C3:D4:F5:31:BF:8F:CA:B9:66:9F:68:74:11:4A:BD:C3:C5:34:18
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.sectigo.com
            X509v3 Subject Alternative Name:
                DNS:*.islandhosting.com, DNS:islandhosting.com
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A:
                                B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A
                    Timestamp : Nov 19 05:06:16.306 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:FE:EC:06:CB:34:C4:79:02:85:FC:71:
                                BF:D6:16:D9:2D:D5:D5:07:00:B8:60:4D:01:32:4E:57:
                                20:38:14:0C:A1:02:21:00:9C:C5:48:E8:83:7C:78:96:
                                03:F8:76:6F:7F:AA:A2:7E:3A:93:F9:40:20:17:E5:BA:
                                8E:8F:E1:9D:D6:EA:DF:03
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Nov 19 05:06:16.242 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:5A:84:64:20:6C:EE:89:68:D8:32:45:7D:
                                5C:54:23:C6:0C:13:C4:0B:AE:84:CB:C8:AF:F9:72:66:
                                A2:6D:CF:0C:02:21:00:DF:53:9B:A0:CD:79:10:FB:AA:
                                C0:9D:75:D1:D5:8B:97:01:8C:2F:81:15:A4:B8:5D:7B:
                                AE:C8:26:A9:8B:25:C5
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E8:3E:D0:DA:3E:F5:06:35:32:E7:57:28:BC:89:6B:C9:
                                03:D3:CB:D1:11:6B:EC:EB:69:E1:77:7D:6D:06:BD:6E
                    Timestamp : Nov 19 05:06:16.217 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:C0:09:AD:6A:35:93:83:DD:5F:E8:92:
                                C0:77:0F:FC:B4:C2:76:9C:D9:04:D2:68:97:B9:12:08:
                                E7:F9:0C:5F:59:02:20:60:59:7E:8B:E1:56:5B:C4:86:
                                E4:FD:FA:28:94:43:1C:7D:DA:6D:AF:CD:C6:BE:E3:B3:
                                E7:AF:19:F8:59:B3:78
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        77:13:13:2b:47:eb:88:0c:fd:eb:d0:e2:ef:94:6b:ff:fa:ce:
        3e:f5:90:c6:d6:14:32:42:a4:de:0d:bc:d7:7e:38:87:d6:19:
        d8:68:72:36:05:17:07:f3:6e:b4:7b:92:22:3a:b3:bd:7d:e2:
        01:8b:0e:f9:6a:97:b8:72:d4:0b:a8:28:f5:45:af:09:94:2e:
        e9:a0:23:14:bc:b0:9a:ab:b0:ad:00:f0:0a:02:1a:e3:fd:56:
        f3:70:48:2c:9c:4e:96:fe:10:e4:75:50:5d:81:73:9f:2f:f5:
        56:92:8e:1c:2e:6d:bc:9b:22:3c:30:c0:2b:3c:a3:69:9e:9a:
        6e:c5:de:81:e9:ee:17:df:c2:e8:95:f8:35:46:2f:a6:a6:4d:
        39:56:2b:49:3d:8f:ab:86:aa:48:7f:a1:35:d5:96:57:e0:d3:
        ef:1e:bc:49:1f:e1:62:bc:82:a8:49:4e:7c:7f:f7:04:83:e5:
        d7:c8:e0:29:b2:7d:ed:5c:87:cb:0b:52:cd:e2:52:76:dc:c5:
        3f:04:bc:49:a3:73:82:87:ed:47:6c:bf:9e:02:29:9b:19:bd:
        9c:b4:d8:4b:2e:05:54:41:a5:d3:25:30:80:7d:c9:61:6e:85:
        3c:4a:d4:47:aa:4b:a6:fd:45:41:0f:5a:3d:45:54:b9:e5:94:
        4e:1f:0b:4a

Here's what a certificate request configuration file looks like with
an IP in the SAN:
https://www.cryptopp.com/wiki/X509Certificate#OpenSSL_x509 . But like
I said, I'm not sure a public CA will issue one since the CA/B BR may
not allow it.

Jeff

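The following script is an added example, not code from the original mail or from Island Hosting. It illustrates the two points above: that a browser (or OpenSSL) matches the URL's host only against the certificate's Subject Alternative Name, with an IP literal never matching a DNS: entry, and what a certificate whose SAN does carry an IP address looks like. It builds two throwaway self-signed certificates, one with the same DNS-only SAN as the islandhosting.com certificate quoted above and one with an added IP: entry, and asks OpenSSL's verifier which identifiers each accepts. It assumes openssl 1.1.1 or newer on PATH; the hostnames and the address 158.69.159.172 are taken from the thread and are used here only as strings in locally generated test certificates.

```shell
#!/bin/sh
# Added example, not part of the original mail: generate two throwaway
# self-signed certificates (one DNS-only SAN, one with an IP: entry) and
# check which identifiers OpenSSL's verifier accepts against each.
# Assumptions: openssl 1.1.1+ on PATH; the hostnames and IP address are
# the ones from the thread, used only as test strings.
set -eu

# Generate a self-signed certificate into $dir/$name.pem (key in
# $dir/$name.key) with the given CN and subjectAltName list.
make_cert() {
  dir=$1; name=$2; cn=$3; san=$4
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$cn" -addext "subjectAltName=$san" \
    -keyout "$dir/$name.key" -out "$dir/$name.pem" >/dev/null 2>&1
}

# Print the SAN extension, i.e. the identifiers a browser matches against.
show_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

# Return 0 if the certificate covers the identifier, non-zero otherwise.
# kind is "dns" (a hostname, matched against DNS: entries, wildcards
# allowed) or "ip" (an IP literal, matched only against IP: entries).
# A hostname check never matches an IP literal and vice versa, which is
# why https://158.69.159.172:2096 fails against a DNS-only certificate.
check_san() {
  cert=$1; kind=$2; ident=$3
  if [ "$kind" = ip ]; then
    openssl verify -CAfile "$cert" -verify_ip "$ident" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$cert" -verify_hostname "$ident" "$cert" >/dev/null 2>&1
  fi
}

# Print the outcome of one check without aborting the script under set -e.
report() {
  if check_san "$@"; then echo "  $2 $3: accepted"; else echo "  $2 $3: rejected"; fi
}

demo() {
  tmp=$(mktemp -d)
  # Same SAN as the Sectigo certificate quoted in the mail (DNS only).
  make_cert "$tmp" dnsonly '*.islandhosting.com' \
    'DNS:*.islandhosting.com,DNS:islandhosting.com'
  # The same host, with the IP address added to the SAN.
  make_cert "$tmp" withip 'hornby.islandhosting.com' \
    'DNS:hornby.islandhosting.com,IP:158.69.159.172'
  for c in dnsonly withip; do
    echo "$c:"; show_san "$tmp/$c.pem"
    report "$tmp/$c.pem" dns hornby.islandhosting.com
    report "$tmp/$c.pem" dns mail.easthope.ca
    report "$tmp/$c.pem" ip 158.69.159.172
  done
  rm -rf "$tmp"
}

demo
```

The `-verify_hostname` and `-verify_ip` options set the same X509_VERIFY_PARAM host and IP checks that `openssl verify` applies to the leaf certificate, so the DNS-only certificate accepts hornby.islandhosting.com (via the wildcard) and rejects both mail.easthope.ca and the IP literal, while only the second certificate accepts 158.69.159.172. The same options work with `openssl s_client`, so `openssl s_client -connect 158.69.159.172:2096 -verify_ip 158.69.159.172` should report the same mismatch Firefox does. Note that the IP-SAN certificate here is self-signed and trusted only because it is passed as its own `-CAfile`; it says nothing about whether a public CA will issue one.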
