
Are we inviting any problems if we add localhost and 127.0.0.1 to the subject alternative name field of an x509 certificate?

We are still trusting the appropriate root CA, but relaxing the rules of the name just a bit.

salparadise

1 Answer

The purpose of a certificate is to prove that its owner is who they claim to be. For instance, random people cannot get a certificate for www.microsoft.com or www.google.com. Only the owners of these web sites can get such certificates.

But every host can be referred to as localhost. Thus, everyone could actually get a certificate for localhost. Thus, if you establish a connection to localhost and get any certificate issued by any trusted CA, you cannot know if this is your certificate for localhost or a certificate of some other party. Thus, despite a valid certificate, you would not know who you are talking to.

A consequence is the possibility of a man-in-the-middle attack. If somebody intercepts your traffic to localhost and uses another certificate for localhost, such interception cannot be detected, because everyone could get a valid certificate for localhost.

mentallurg
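The following script is an added illustration of the answer above; it is not part of the question or the answer. It uses the openssl command line (1.1.1 or newer) to build two unrelated throw-away CAs, named alpha and beta here (constructed names), has each of them issue a certificate for `localhost` with the SAN entries `DNS:localhost` and `IP:127.0.0.1` that the question asks about, and then runs the chain, hostname and IP checks a TLS client would perform. The last two checks show the point of the answer: once both roots are trusted, the verifier accepts either party's localhost certificate and nothing in the certificate tells them apart.

```shell
# Added example (not from the original post). Requires the openssl CLI, 1.1.1+.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A minimal request config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Create a throw-away root CA named $1 and a leaf certificate for "localhost"
# signed by it, carrying the subjectAltName list given in $2.
make_ca_and_leaf() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1 test CA" -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=localhost" -keyout "$WORK/$1-leaf.key" -out "$WORK/$1-leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = %s\n' "$2" > "$WORK/$1-ext.cnf"
  openssl x509 -req -in "$WORK/$1-leaf.csr" -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$1-ext.cnf" \
    -out "$WORK/$1-leaf.pem" >/dev/null 2>&1
}

# Chain + DNS-name check: leaf issued by CA $2, trust bundle $1, expected name $3.
# Only the given bundle is trusted (the system store is switched off).
verify_name() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
    -verify_hostname "$3" "$WORK/$2-leaf.pem" >/dev/null 2>&1
}
# Same check for an IP-address SAN.
verify_ip() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
    -verify_ip "$3" "$WORK/$2-leaf.pem" >/dev/null 2>&1
}

make_ca_and_leaf alpha 'DNS:localhost,IP:127.0.0.1'
make_ca_and_leaf beta  'DNS:localhost,IP:127.0.0.1'
# A trust store holding both roots, like a system store that trusts many CAs.
cat "$WORK/alpha-ca.pem" "$WORK/beta-ca.pem" > "$WORK/both.pem"

# Print one line per check; $1 is a description, the rest is the check to run.
report() {
  desc=$1; shift
  if "$@"; then echo "accepted: $desc"; else echo "rejected: $desc"; fi
}
report "alpha leaf, alpha root, name localhost"     verify_name alpha-ca alpha localhost
report "alpha leaf, alpha root, IP 127.0.0.1"       verify_ip   alpha-ca alpha 127.0.0.1
report "alpha leaf, alpha root, name example.test"  verify_name alpha-ca alpha example.test
report "beta leaf, only alpha root trusted"         verify_name alpha-ca beta  localhost
report "beta leaf, both roots trusted"              verify_name both     beta  localhost
report "alpha leaf, both roots trusted"             verify_name both     alpha localhost
```

The SAN entries themselves behave as expected: the DNS name and the IP address both match, an unrelated name is rejected, and a leaf from an untrusted root is rejected. The defender's takeaway is in the last two lines: with both roots in the store, the verifier cannot tell your localhost certificate from the other party's, so for local services the trust store should hold only the one private root you issued that certificate from, or the client should pin the specific certificate or key.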