3

We've recently acquired a new .Care domain and are attempting to install an SSL certificate. Whilst FF and IE are perfectly happy with the certificate (both display the padlock), Chrome is not, and displays the following:

"The identity of this website has not been verified. The identity of the server you are connected to cannot be fully validated. You are connected to a server using a name only valid within your network, which an external certificate authority has no way to validate ownership of. As some certificate authorities will issue certificates for these names regardless, there is no way to ensure you are connected to the intended website and not an attacker."

The cert chains are valid, and after some digging, it appears the source of this is the way that Chrome interprets TLDs: any that it doesn't recognise, it treats as non-unique.

Have we done something wrong in the way we have installed the cert? Is this a bug in Chrome? If so is there a workaround?

SWa
    Sounds like a bug in Chrome to me. – Michael Hampton Sep 11 '14 at 12:25
  • @MichaelHampton Thanks, I was afraid of that, I was hoping it was something we'd done wrong - at least that would have been easier to fix! – SWa Sep 11 '14 at 12:28
  • Please link to the bug report you filed. – Michael Hampton Sep 14 '14 at 16:24
  • I reported an issue as described here https://support.google.com/chrome/answer/95315?hl=en-GB, I can't see a way to track it however. Is there somewhere else I should report this also? – SWa Sep 14 '14 at 16:55
  • 1
    What is the actual domain name? – Joe Sniderman Sep 14 '14 at 20:19
  • I am curious as to what are those CAs that would issue certificates for internal names, and what are the actual TLDs in those certificates. – kasperd Sep 14 '14 at 21:08
  • The full URL is https://mywaste.care – SWa Sep 14 '14 at 22:14
  • I cannot see any problems with your certificate. My Chrome browser (Version 35.0.1916.153, Linux OS) accepts it. – Uwe Plonus Sep 15 '14 at 14:17
  • 1
    I can confirm this with Chromium 34.0.1847.116 on Linux i686. It says nothing more than 'The identity of this website has not been verified.' Probably a bug that has been fixed in 35? And please turn off SSLv2 and the insecure Client-Initiated Renegotiation; both have known sec issues. – sebix Sep 15 '14 at 18:23
  • YES PLEASE FIX THE SERVER CONFIG. YOUR SITE IS NOT SECURE. SSLv2, Insecure Renegotiation, RC4, And MD5!!! WTF! – Joe Sniderman Sep 20 '14 at 15:25

1 Answer

6

This is a bug in Chrome. You can see in the code that Chrome maintains a list of registry-controlled domains and that it needs to be updated as each gTLD is added.

You can see in the effective_tld_names.dat file that the .care domain is not listed, though it's listed for other browsers that use a more recent version of the Public Suffix List.

This is what causes Chrome to believe your domain is not unique: it thinks it's not controlled by a registrar, which means anyone could use it.

Thai Wood
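To make the registry-controlled-domain check concrete, here is an added example (not Chrome's code, and not from the answer above) of a minimal Public Suffix List lookup: a hostname whose TLD matches no rule in the list is classified as "non-unique", exactly what happens to mywaste.care against a list that predates the .care gTLD. The two PSL snippets are constructed and deliberately tiny; the rule semantics (comments, `*.` wildcards, `!` exceptions, longest match) follow the real PSL format.

```python
# Added example (not Chrome's own code): a minimal Public Suffix List (PSL)
# lookup mirroring the registry-controlled-domain check behind Chrome's
# "name only valid within your network" warning. PSL snippets are constructed.

STALE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
"""

# The same list after the .care gTLD was added (what newer browsers ship).
CURRENT_PSL = STALE_PSL + "care\n"


def parse_psl(text):
    """Return the set of rules, dropping blank lines and // comments."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.add(line.split()[0])
    return rules


def public_suffix(host, rules):
    """Longest PSL rule matching host, honouring *.x wildcards and !x exceptions.

    Returns None when no rule matches, i.e. the TLD is unknown to this list.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest candidate suffix first
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        if "!" + candidate in rules:        # exception: suffix is the parent
            return parent
        if candidate in rules or (parent and "*." + parent in rules):
            return candidate
    return None


def classify(host, psl_text):
    """Mimic Chrome: a name is 'non-unique' when no PSL rule matches its TLD."""
    suffix = public_suffix(host, parse_psl(psl_text))
    if suffix is None:
        return "non-unique (TLD not in this PSL)"
    return "registry-controlled, public suffix=" + suffix


if __name__ == "__main__":
    for host in ["mywaste.care", "example.com", "shop.co.uk", "intranet"]:
        print(f"{host:14} stale:   {classify(host, STALE_PSL)}")
        print(f"{host:14} current: {classify(host, CURRENT_PSL)}")
```

Running it shows mywaste.care flip from "non-unique" with the stale list to "registry-controlled" once `care` is present, while a bare intranet name stays non-unique under both, which is the case the warning is actually meant for.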