←back to thread

1.1.1.1: Fast, privacy-first consumer DNS service

(blog.cloudflare.com)
1895 points _l4jh | 3 comments | 01 Apr 18 12:14 UTC | HN request time: 0.645s | source
1. phoe-krk ◴[01 Apr 18 12:59 UTC] No.16728046[source]
I find it slightly amusing that they do not need to register a domain name for that one.
replies(1): >>16728502 #
2. 0x006A ◴[01 Apr 18 14:40 UTC] No.16728502[source]
to get the ssl certificate they had to get a domain: cloudflare-dns.com, ips only works as alternative names but not as the main domain name.
replies(1): >>16728831 #
3. tialaramex ◴[01 Apr 18 15:41 UTC] No.16728831[source]
Nope, certificates can be, and sometimes are, issued for plain IP addresses, yes including in the Web PKI ("proper" certificates that work in common web browsers).

Because the BRs say that the subject Common Name, if present (which it usually will be for really crappy software that still doesn't implement standards from _last god-damn century_) must be chosen from the list of SANs, these certificates will have an IP address as their CN, plus an ipAddress SAN.

Here is an example, which my records say had an IP address as its only name, but at time of writing crt.sh is timing out for me so forgive me if this some completely unrelated cert and I've pasted the wrong one:

https://crt.sh/?id=346170629