
1895 points _l4jh | 7 comments
1. tomputer No.16727955
Today I learned that it is possible to request a certificate for an IP address.
replies(2): >>16728013 #>>16728082 #
2. tialaramex No.16728013
Yup, the Subject Alternative Name (often misunderstood as an alias, but "Alternative" here is meant in the sense of this is the Internet's _Alternative_ way to name things versus the X.500 series directory hierarchy that the X.509 certificates are originally intended for) can be one of several distinct types; the two relevant for servers are dnsName and ipAddress. dnsName can be any, er, name in the DNS hierarchy, or, as a special case, a "wildcard" with asterisks, whereas ipAddress can be any type of IP address, currently either IPv4 or IPv6.

The Baseline Requirements agreed between Web Browser vendors and root Certificate Authorities dictate how the CA can figure out if an applicant is allowed a certificate for a particular name, for dnsNames this is the Ten Blessed Methods, for ipAddress the rules are a bit... eh, rusty, but the idea is you can't get one for that dynamic IP you have from your cable provider for 24 hours, but somebody who really controls the IP address can get one. They're uncommon, but not rare, maybe a dozen a day are issued?

Your web browser requires that the name in the URL exactly matches the name in the certificate. So if you visit https://some-dns-server.example/ the certificate needs to be for some-dns-server.example (or *.example) and a certificate for 1.1.1.1 doesn't work, even if some-dns-server.example has IP address 1.1.1.1 - so this cert is only useful because they want people actually typing https://1.1.1.1/ into browsers...

[edited, I have "Servers" on the brain, it's _Subject_ Alternative Name, you can use them to name email recipients, and lots of things that aren't servers]

replies(2): >>16728059 #>>16728142 #
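The matching rule in the comment above (an IP literal in the URL only matches an ipAddress SAN entry, a DNS name only matches a dnsName entry, and a wildcard covers a single label) can be shown in code. This is an added example, not code from the thread or from any browser; it emulates the check over a SAN list in the shape Python's `ssl.SSLSocket.getpeercert()['subjectAltName']` returns. The hostnames and the 2001:db8::1 address are constructed for illustration, and the wildcard rule is simplified (real browsers additionally refuse wildcards that are too broad, such as ones covering a public suffix).

```python
"""Added example: emulate a browser's name check against a certificate's
Subject Alternative Name entries. Not from the original thread.

SAN entries use the ((type, value), ...) shape that Python's
ssl.getpeercert()['subjectAltName'] returns. Sample data is constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list resembling a cert issued for both a name and an IP.
SAMPLE_SAN = (
    ("DNS", "some-dns-server.example"),
    ("DNS", "*.example"),
    ("IP Address", "1.1.1.1"),
    ("IP Address", "2001:db8::1"),   # documentation prefix, an assumption
)

# Constructed SAN list for a cert that carries only DNS names.
DNS_ONLY_SAN = (
    ("DNS", "some-dns-server.example"),
    ("DNS", "*.example"),
)


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dnsName match: case-insensitive, and a wildcard is
    allowed only as the entire leftmost label, where it matches exactly
    one label. (Simplified: public-suffix restrictions are not applied.)"""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    first, _, rest = host.partition(".")
    # "*.example" covers "foo.example" but not "a.b.example" or "example".
    return bool(first) and rest == pattern[2:]


def cert_matches_url(san_entries, url: str) -> bool:
    """Return True if the host part of `url` is covered by the SAN list.

    An IP literal in the URL is compared as an address (so textual variants
    such as compressed/expanded IPv6 still match) and only against
    'IP Address' entries; it is never resolved or matched against DNS
    names, which is why a cert for some-dns-server.example does not make
    https://1.1.1.1/ work even if that name resolves to 1.1.1.1.
    """
    host = urlsplit(url).hostname  # strips [] around IPv6 and lowercases
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(
            kind == "IP Address" and ipaddress.ip_address(value) == ip
            for kind, value in san_entries
        )
    return any(
        kind == "DNS" and _dns_match(value, host) for kind, value in san_entries
    )


if __name__ == "__main__":
    for url in (
        "https://1.1.1.1/",
        "https://[2001:0db8:0000::0001]/",
        "https://some-dns-server.example/",
        "https://other.example/",
        "https://a.b.example/",
    ):
        print(f"{url:40} both-SAN: {cert_matches_url(SAMPLE_SAN, url)!s:5}"
              f" dns-only: {cert_matches_url(DNS_ONLY_SAN, url)}")
```

Running it shows that the DNS-only certificate fails for `https://1.1.1.1/` while the one carrying an ipAddress entry passes, and that `*.example` matches `other.example` but not `a.b.example`.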
3. tomputer No.16728059
Thanks for the clarification. I did know it was possible when setting up CAs for VPN servers; they can use certificates with DNS and/or IP as identifiers. Somehow I never thought about certificates for public IP addresses.
replies(1): >>16730180 #
4. dorfsmay No.16728082
Edit: I had not realised what the parent comment here meant, that you can connect to an IP address without getting an error by adding the IP to the SAN. My explanation below is about finding certs installed for a given IP/hostname, typically with openssl.

Yes, but...

This only works if they don't use SNI[1]. If they use SNI then you just get the default cert. They might have more certs for other hostnames served on that IP address.

1: https://en.wikipedia.org/wiki/Server_Name_Indication

5. shawnz No.16728142
Using an ip instead of a domain name like this allows the possibility of dns rebinding attacks, right?
replies(1): >>16728216 #
6. zAy0LfpBZLC8mAC No.16728216
What would be rebound to what?
7. jlgaddis No.16730180
FWIW, until a few years ago, it was also possible to get certificates for private IP addresses (and "private" hostnames, such as .local).