Tricks used by software developers to https://127.0.0.1
Posted by jpluimers on 2021/09/07
Long interesting thread at [WayBack] Thread by @sleevi_: “@SwiftOnSecurity So, some history: It used to be folks would get certs for “localhost”, just like they would from “webmail”, despite no CA e […]”
In 2019, applications were still using tricks (including shipping private keys!) to “securely” access https://127.0.0.1 on some port.
This should have stopped in 2015, but hadn’t. I wonder how bad it still is today.
Related:
- [WayBack] SwiftOnSecurity on Twitter: “Me: Threat-hunting rare DNS lookups in a corporate network. Confluence: … “
- [WayBack] Tavis Ormandy on Twitter: “Yes, it happens sometimes, as soon as someone pulls out the key the CA is required to revoke it. They probably did it to avoid mixed-content warnings, as you can probably guess… it’s not the correct solution. Anyone using this app is vulnerable to trivial MITM 😣… https://t.co/Dqpe5Z9hUu”
- [WayBack] Tavis Ormandy on Twitter: “I pulled out the certificates here, they do seem valid at first glance, not sure why they didn’t get logged in CT. 😆 https://t.co/LyB26oaW5S… https://t.co/DUNIByLSTl”
- [WayBack] Tavis Ormandy on Twitter: “It seems like Atlassian are a CVE CNA, you can ask them to assign a CVE if you like! (seriously, this is a real vulnerability) … “
- [WayBack] SwiftOnSecurity on Twitter: “Thank you Tavis, I’ve always wondered what it would be like to have a CVE (even if you granted me the courtesy and I didn’t really do much). Thank you a lot. I’ve emailed them and asked for a CVE.… “
- [WayBack] Tavis Ormandy on Twitter: “This turned out to be a real vulnerability! 😮 The certificate was issued by @digicert, who are now required to revoke it. It was issued before mandatory CT, so didn’t show up in …. See … for context.…”
- [WayBack] Ryan Sleevi on Twitter: “So, some history: It used to be folks would get certs for “localhost”, just like they would from “webmail”, despite no CA ever having validated the name. They just relied on pinky promises to be good. Luckily, browsers forbid that … “
- [WayBack] Ryan Sleevi on Twitter: “Look at the dates on those. Yes, it’s a thing CAs used to do, and they had to be dragged kicking and screaming into not doing it (and even then, *many* ignored/“oopsied” the requirement to revoke). I regret to inform you it didn’t stop until 2015/2016 – … “
- [WayBack] Guidance on Internal Names – CAB Forum
- [Archive.is] HTTPS encryption on the web – Google Transparency Report: atlassian-domain-for-localhost-connections-only.com
- [Archive.is] HTTPS encryption on the web – Google Transparency Report
- Subject: C=AU, O=Atlassian Pty Ltd, L=Sydney, ST=New South Wales, CN=atlassian-domain-for-localhost-connections-only.com
- Serial Number: A:3E:93:53:0E:74:53:AE:CB:40:BA:20:10:12:F8:FB
- Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
- Validity: 11 May 2017 to 15 May 2020
- The domain is (at the time of writing, so hopefully that is now “was”) used by the [WayBack] Administering the Atlassian Companion App – Atlassian Documentation
- At the time of writing, the interactive Google DNS showed the domain pointing to localhost [WayBack] Google Public DNS:
Result for atlassian-domain-for-localhost-connections-only.com/A with DNSSEC validation:
  {
    "Status": 0,
    "TC": false,
    "RD": true,
    "RA": true,
    "AD": false,
    "CD": false,
    "Question": [
      { "name": "atlassian-domain-for-localhost-connections-only.com.", "type": 1 }
    ],
    "Answer": [
      { "name": "atlassian-domain-for-localhost-connections-only.com.", "type": 1, "TTL": 1620, "data": "127.0.0.1" }
    ]
  }
- [Archive.is/WayBack] SSL Server Test: atlassian-domain-for-localhost-connections-only.com (Powered by Qualys SSL Labs)
Assessment failed: IP address is from private address space (RFC 1918)
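The Google Public DNS answer above is the tell-tale shape of this trick: a public name, a publicly trusted certificate, and an A record that lands on the loopback address. The following script is an added example, not code from the original post or from Atlassian; it parses the Google Public DNS JSON API response format shown above and flags answers in loopback, link-local or private address space, so a defender auditing an app that talks HTTPS to 127.0.0.1 can triage the name it uses. The second sample name (`example-local-agent.invalid`) and its 192.168.0.10 answer are constructed for illustration; the first sample is the response quoted on this page. Note that 127.0.0.0/8 is the RFC 1122 loopback block, not RFC 1918 private space, which is why the script reports the two separately.

```python
"""Flag public DNS names whose A/AAAA answers point into non-public address space.

Added example: parses Google Public DNS JSON API responses (the format quoted
on this page) and reports answers that resolve to loopback, link-local or
private addresses. A publicly trusted certificate for such a name only
protects the connection if the matching private key stays secret, which it
cannot when every installed copy of an application ships it.
"""
import ipaddress
import json

# Constructed samples. The first is the response quoted on the page; the other
# two are hypothetical names made up for this example.
SAMPLE_RESPONSES = {
    "atlassian-domain-for-localhost-connections-only.com": """
    {"Status": 0, "TC": false, "RD": true, "RA": true, "AD": false, "CD": false,
     "Question": [{"name": "atlassian-domain-for-localhost-connections-only.com.", "type": 1}],
     "Answer": [{"name": "atlassian-domain-for-localhost-connections-only.com.",
                 "type": 1, "TTL": 1620, "data": "127.0.0.1"}]}
    """,
    "example-local-agent.invalid": """
    {"Status": 0, "TC": false, "RD": true, "RA": true, "AD": false, "CD": false,
     "Question": [{"name": "example-local-agent.invalid.", "type": 1}],
     "Answer": [{"name": "example-local-agent.invalid.", "type": 1,
                 "TTL": 60, "data": "192.168.0.10"}]}
    """,
    "example-public-service.invalid": """
    {"Status": 0, "TC": false, "RD": true, "RA": true, "AD": false, "CD": false,
     "Question": [{"name": "example-public-service.invalid.", "type": 1}],
     "Answer": [{"name": "example-public-service.invalid.", "type": 1,
                 "TTL": 300, "data": "8.8.8.8"}]}
    """,
}

# DNS record types carried in the "type" field of the JSON API.
TYPE_A = 1
TYPE_AAAA = 28


def classify_address(addr: str) -> str:
    """Return 'loopback', 'link-local', 'private' or 'public' for an IP string.

    Order matters: ipaddress treats 127.0.0.0/8 and 169.254.0.0/16 as
    "private" too, so the more specific classes are tested first.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"      # 127.0.0.0/8 (RFC 1122) or ::1
    if ip.is_link_local:
        return "link-local"    # 169.254.0.0/16 or fe80::/10
    if ip.is_private:
        return "private"       # RFC 1918 for IPv4, fc00::/7 for IPv6, etc.
    return "public"


def flag_non_public_answers(response_json: str) -> list:
    """Parse one Google Public DNS JSON response and return (name, address, class)
    tuples for every A/AAAA answer that is not in public address space."""
    doc = json.loads(response_json)
    if doc.get("Status") != 0:          # 0 == NOERROR; anything else has no usable answer
        return []
    findings = []
    for rr in doc.get("Answer", []):
        if rr.get("type") not in (TYPE_A, TYPE_AAAA):
            continue                    # skip CNAME and other record types
        kind = classify_address(rr["data"])
        if kind != "public":
            findings.append((rr["name"].rstrip("."), rr["data"], kind))
    return findings


def audit(responses: dict) -> dict:
    """Run flag_non_public_answers over a {name: response_json} mapping."""
    return {name: flag_non_public_answers(body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RESPONSES).items():
        status = "OK" if not findings else "SUSPECT"
        print(f"{status:8} {name}")
        for rr_name, addr, kind in findings:
            print(f"         {rr_name} -> {addr} ({kind})")
```

The script only needs the JSON, so it works just as well on a saved response as on a live query to dns.google; the classes it distinguishes are exactly the ones that make a public certificate for the name pointless, because a client on the same machine or LAN is the only thing that can ever reach the address.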
–jeroen