Following that discovery, I've searched for odd (invalid?) DNS names.
Here is the list of certificates I've found; it may overlap with some
discoveries already reported.
If I'm correct, these certificates are not revoked, not expired, and
probably trusted by Mozilla (crt.sh issuers are marked trusted by
Mozilla, but not all).
Starting with *:
https://crt.sh/?id=7211484 *eis.aetc.af.mil
https://crt.sh/?id=10714112 *g10.net-lab.net
https://crt.sh/?id=48682944 *nuvolaitaliana.it
https://crt.sh/?id=15736178 *assets.blog.cn.net.ru
https://crt.sh/?id=17295812 *dev02.calendar42.com
https://crt.sh/?id=15881220 *dev.1septem.ru
https://crt.sh/?id=15655700 *assets.blog.cn.net.ru
https://crt.sh/?id=17792808 *quickbuild.raptorengineering.io
Starting with -:
https://crt.sh/?id=54285413 -d1-datacentre-12g-console-2.its.deakin.edu.au
https://crt.sh/?id=78248795 -1ccenter.777chao.com
Multiple *.:
https://crt.sh/?id=13299376 *.*.victoria.ac.nz
https://crt.sh/?id=44997156 *.*.rnd.unicredit.it
https://crt.sh/?id=5982951 *.*.int.swisscom.ch
Internal TLDs:
https://crt.sh/?id=33626750 a1.verizon.test
https://crt.sh/?id=33123653 DAC38997VPN2001A.trmk.corp
https://crt.sh/?id=42475510 naccez.us.areva.corp
https://crt.sh/?id=10621703 collaboration.intra.airbusds.corp
https://crt.sh/?id=48726306 zdeasaotn01.dsmain.ds.corp
Are CAs allowed to deliver such certificates?
(Methodology: https://blog.tdelmas.ovh/crt-sh/ with the links for
expired/revoked certificates)
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
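
The four categories in the message above, written as a lint check a CA or a Certificate Transparency monitor could run over dNSName values. This is an added example, not code from the poster or from crt.sh; the function names and the two-entry suffix set (taken from the names listed in the post) are assumptions.

```python
import re

# Assumption: only the two suffixes seen in the post. A production linter
# would compare the last label against the IANA root zone list instead.
NON_PUBLIC_TLDS = {"test", "corp"}

# LDH label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
LDH_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def classify_dns_name(name):
    """Return the list of problems found in one dNSName (empty if none)."""
    problems = []
    labels = name.lower().rstrip(".").split(".")
    # A wildcard is accepted here only as the whole left-most label ("*.").
    rest = labels[1:] if labels[0] == "*" else labels
    if "*" in rest:
        problems.append("multiple-wildcard-labels")
    for label in rest:
        if label == "*":
            continue  # already reported above
        if "*" in label:
            problems.append("wildcard-not-whole-label")
        elif label.startswith("-"):
            problems.append("leading-hyphen")
        elif not LDH_LABEL.match(label):
            problems.append("invalid-label")
    if labels[-1] in NON_PUBLIC_TLDS:
        problems.append("non-public-tld")
    return problems


def audit(names):
    """Map each flagged name to its problems; clean names are omitted."""
    flagged = {}
    for name in names:
        found = classify_dns_name(name)
        if found:
            flagged[name] = found
    return flagged


# One name per category from the post, plus two constructed clean names.
SAMPLE = ["*eis.aetc.af.mil", "-1ccenter.777chao.com", "*.*.victoria.ac.nz",
          "a1.verizon.test", "*.example.com", "www.example.com"]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, found)
```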