Hi, I've been working on a very large forensic case in the US/Canada and I've pinpointed a major issue... There are people exploiting this flaw... I've seen lots of these bad certificates that show up as good and are used to proxy data...

You've probably seen the APT group using satellites... They also use the Microsoft Sysinternals tools like psexec and others to sign their drivers because these tools are already signed by Microsoft... I've seen a bot searching for DNSSEC non-secure attributes. Most of the organizations have secured downstream, but not upstream... so they exploit any non-secure attributes on top of them. Then they leverage cross-site scripting/cookie injection so the referrer is the good site but the real access goes to the other site above (usually malicious...).

Check facebook --> http://dnsviz.net/d/facebook.com/dnssec/

After they find a registrar for .com domains and can register zzzz.com.facebook.com: https://pir.org/products/find-a-registrar/

I used your crt.sh tool and found many... https://crt.sh/?q=1E%3ABD%3A89%3A4C%3A76%3A9F%3A24%3A84%3AF5%3A39%3A0F%3A24%3AF3%3A10%3A9E%3AB6%3A62%3A6F%3A75%3AE2

Subject:
commonName = *.opensrs.com
organizationalUnitName = Operations
organizationName = Tucows.com Co.
localityName = Toronto
stateOrProvinceName = Ontario
countryName = CA

If you also take into consideration your file here: http://data.iana.org/TLD/tlds-alpha-by-domain.txt

This one below is really bad for all OWA (Outlook Web Access) sites on the internet... Many, many use webmail as the name, like webmail.company.com.

processing ../certs/12.x.x.x/12.x.x.143/12.41.18.143.results
Violations: storemail,webmail
Valid: Yes
Root: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL SGC CA

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

