Certificate authority Comodo admits it incorrectly issued eight certificates that include forbidden internal server names or reserved IP addresses.

In 2012, the Certificate Authority/Browser Forum banned the use of such designations for certs issued after Nov. 1, 2015. The decision was meant to cut off a common practice of CAs issuing certificates for internal servers that were not unique and exposed networks to man-in-the-middle attacks and other risks.

Comodo senior research and development scientist Rob Stradling wrote in a post to the CA/B forum that last Thursday it discovered that its CA system had issued the offending certs.

“We immediately set about investigating and found that there was a subtle bug in a code change that we had deployed to our CA system on 30th October 2015,” Stradling wrote. “The intent of this code change was to help ease the pain of the 1st November 2015 transition, by automatically deleting all Internal Names and Reserved IP Addresses from a certificate request just prior to issuing the certificate.”

Stradling said that the code change that introduced the bug removed a notAfter designation for Nov. 1, 2015.

“The nature of the bug is that our certificate issuance code still saw the ‘deleted’ names,” Stradling wrote. “(The developer had not realized that our certificate issuance code runs in a separate SQL context, and so it was necessary to commit the deletions immediately). Despite our code review and QA processes, this bug still made it into production code.”

Comodo said it pushed out a hotfix within hours, contacted its affected customers, and revoked the certificates.

Comodo listed the eight offending certs in its advisory, two of which are extremely common internal server names: help and mailarchive, issued to Unified Communications hosted at the University of Colorado and Ardagh Glass Group Plc.

Stradling said that Comodo is not alone among CAs that have issued such certs.

“We widened our investigation to look for certificates with notBefore >= 2nd November 2014 that chain to publicly trusted roots and include any Internal Names or Reserved IP Addresses,” he wrote. “We found non-compliant certificates issued by quite a number of other CAs, but I’ll document these in another post.”

Categories: Privacy, Vulnerabilities, Web Security