Why does my browser think that https://1.1.1.1 is secure?

134

When I visit https://1.1.1.1, any web browser I use considers the URL to be secure.

This is what Google Chrome shows:

Normally, when I try to visit an HTTPS site via its IP address, I get a security warning like this:

From my understanding, the site certificate needs to match the domain, but the Google Chrome Certificate Viewer does not show 1.1.1.1:

GoDaddy's knowledgebase article "Can I request a certificate for an intranet name or IP address?" says:

No - we no longer accept certificate requests for either intranet names or IP addresses. This is an industry-wide standard, not one specific to GoDaddy.

^{_{(emphasis mine)}}

And also:

As a result, effective October 1, 2016, Certification Authorities (CAs) must revoke SSL certificates that use intranet names or IP addresses.

^{_{(emphasis mine)}}

And:

Instead of securing IP addresses and intranet names, you should reconfigure servers to use Fully Qualified Domain Names (FQDNs), such as www.coolexample.com.

^{_{(emphasis mine)}}

It's well after the mandatory revocation date 01 October 2016, yet the certificate for 1.1.1.1 was issued on 29 March 2018 (shown in the screenshot above).

How is it possible that all the major browsers think that https://1.1.1.1 is a trusted HTTPS website?

Deltik

Posted 2018-04-12T04:05:16.987

Reputation: 16 807

10Worth pointing out there is a huge difference between 192.168.0.2 and 1.1.1.1. One 192.168.0.2 doesn't exist outside of your intranet. If you created your own self-signed certificate 192.168.0.2 would be trusted, and you could use the same approach for the SAN, on a domain like fake.domain. Worth pointing out that 1.1.1.1 isn't a reserved IP address, so it appears, any CA would have issued the certificate. – Ramhound – 2018-04-12T04:54:30.623

12https://blog.cloudflare.com/announcing-1111/ "We're excited today to take another step toward that mission with the launch of 1.1.1.1 — the Internet's fastest, privacy-first consumer DNS service. " – None – 2018-04-12T06:14:20.633

11I think you bracketet the sentence wrong. They probably meant 'must revoke SSL certificates that use intranet (names or IP addresses)' not ''must revoke SSL certificates that use (intranet names) or IP addresses'. – Maciej Piechotka – 2018-04-12T07:47:19.800

1@MaciejPiechotka is correct, this means "must revoke SSL certificates that use intranet names or intranet IP addresses" – Ben – 2018-04-12T11:53:43.080

1@MaciejPiechotka: The article also has a sentence beginning with “Instead of securing IP addresses and intranet names,” which can only be bracketed as “Instead of securing (IP addresses) and (intranet names).” – Deltik – 2018-04-12T12:52:42.580

This was covered in a recent episode of podcast Security Now by Steve Gibson, episode 557. Transcript. MP3 file

– Peter Mortensen – 2018-04-12T18:00:34.730

1@Deltik "Instead of securing cats and dogs and other domestic pets". Does this imply that cats and dogs are not domestic? Even if you cannot "bracket" it in that way, semantically you still can. Natural language is incredibly ambiguous sometimes. – Bakuriu – 2018-04-13T20:10:56.533

2BTW...there's no such thing as a mandatory revocation. Literally no organization on Earth has that kind of power. The closest you get is a bunch of CAs agreeing to do a thing. – cHao – 2018-04-13T21:39:04.240

You're confusing yourself and others by claiming that the certificate for 1.1.1.1 was issued. Clearly not true as the certificate is issued to *.cloudflare-dns.com and not an IP address. The only thing left to answer is whether the browser is performing reverse DNS lookup (1dot1dot1dot1.cloudflare-dns.com) or is it reading the IP from Subject Alternative Name in the certificate.

– Vlastimil Ovčáčík – 2018-04-18T13:42:45.880

@curiousguy that would be wrong conclusion drawn from what I said, especially because I literally state that the IP address is listed in certificate's SAN. – Vlastimil Ovčáčík – 2018-06-23T08:37:19.823

@VlastimilOvčáčík OK I was confused by the phrase "not true as the certificate is issued to *.cloudflare-dns.com and not an IP address". I read that as saying "the certificate is not issued to 1.1.1.1". I'm still NOT sure what that means. – curiousguy – 2018-06-23T08:54:36.627

Answers

English is ambiguous. You were parsing it like this:

(intranet names) or (IP addresses)

i.e. ban the use of numeric IP addresses entirely. The meaning that matches what you're seeing is:

intranet (names or IP addresses)

i.e. ban certificates for the private IP ranges like 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, as well as for private names that aren't visible on the public DNS.

Certificates for publicly routable IP addresses are still allowed, just not generally recommended for most people, especially those who don't also own a static IP.

This statement is advice, not a claim that you can't secure a (public) IP address.

Instead of securing IP addresses and intranet names, you should reconfigure servers to use Fully Qualified Domain Names (FQDNs), such as www.coolexample.com

Maybe someone at GoDaddy was misinterpreting the wording, but more likely they wanted to keep their advice simple, and wanted to recommend using public DNS names in certificates.

Most people don't use a stable static IP for their service. Providing DNS services is the one case where it's truly necessary to have a stable well-known IP instead of just a name. For anyone else, putting your current IP in your SSL cert would constrain your future options, because you couldn't let someone else start using that IP. They could impersonate your site.

Cloudflare.com has control of the 1.1.1.1 IP address themselves, and isn't planning to do anything different with it in the foreseeable future, so it makes sense for them to put their IP in their cert. Especially as a DNS provider, it's more likely that HTTPS clients would visit their URL by number than for any other site.

Peter Cordes

Posted 2018-04-12T04:05:16.987

Reputation: 3 141

This answers exactly why I was confused. I sent a suggestion to GoDaddy to improve the wording of the article. Hopefully they'll fix it to clarify "(internal server name) or (reserved IP address)" as documented on CAB Forum.

– Deltik – 2018-04-12T23:51:21.553

On that last point, GoDaddy is not going to focus on having the most accurate documentation. Instead, they should aim for relevant and clear documentation: yielding a simple rule that works for most users. – jpaugh – 2018-04-13T06:59:58.777

@jpaugh: oh that's true, they aren't claiming you can't, just that you shouldn't. On re-reading, and thinking about what they're saying, it makes very good sense for them to recommend against it. – Peter Cordes – 2018-04-13T07:33:02.567

Pedantically, Cloudflare does not "own" the 1.1.1.1 address. It is owned by APNIC Labs, who gave Cloudflare permission to operate a DNS resolver there in exchange for Cloudflare's assistance in studying the large volume of garbage packets which are mistakenly addressed to that IP.

– Kevin – 2018-04-13T20:18:39.843

@Kevin: interesting, thanks for the info. Updated my answer. – Peter Cordes – 2018-04-14T21:01:18.677

Pedantically, @Kevin, APNIC doesn't own it either. This article mentions the issue of ownership, and uses the phrase "allocated to". IANA, part of ICANN, allocated the address range to APNIC who allocated such addresses to Cloudflare. IPv4 addresses are simply a fancy way of writing a number from 0-4294967296 (if you ping 16843009 in many operating systems then you'll find you get a response from 1.1.1.1) and the US won't recognize owning a number (hence why the name "Pentium" was made)

– TOOGAM – 2018-04-15T03:05:48.223

@TOOGAM: "allocated the address range to APNIC who allocated such addresses to Cloudflare." - No, they did not. The WHOIS record clearly states that it is allocated to APNIC Labs. – Kevin – 2018-04-15T05:25:23.583

5The Intel thing was a case of trademark, not ownership… – StarWeaver – 2018-04-15T07:27:25.073

@Kevin : From your earlier comment, it seems 1.1.1.1 address was allocated to Cloudflare. Note that I'm not necessarily saying all these are allocations that are visible in public WHOIS data. (It might just be a line of text in a router's configuration.) However that address's allocation(s) may be implemented, my primary point is the non-ownership of IP addresses. – TOOGAM – 2018-04-15T07:29:00.270

@StarWeaver: Agreed that owning (control of?) an IP address on the Internet could easily have different rules than owning a trademark on a number. But trademarks are property you can own (hence the legal term Intellectual Property). Of course you own the trademark (for a given advertizing / branding context) in that case, not the number itself. – Peter Cordes – 2018-04-15T07:33:34.397

1@TOOGAM and Kevin: Thanks for the link to that article about what "ownership" of an IP address might mean in a technical legal sense. I side-stepped the issue by changing my answer to say "control of", because that includes permanent / long-term delegation. Legal ownership is not even the important point here, just an interesting side-topic. – Peter Cordes – 2018-04-15T07:35:20.207

@TOOGAM: I did not say that. Kindly stop putting words in my mouth. – Kevin – 2018-04-15T14:06:13.963

1@Kevin: First, I haven't quoted you at all. I clarify: "From the info in your earlier comment, I conclude that it seems the IPv4 address 1.1.1.1 was allocated to Cloudflare." Nothing specific was even attributed. Nothing ever quoted you at all. HOWEVER, even if I had quoted you (which I didn't), I just reviewed this & still would stand by my statement. I will now start using direct quotes: CloudFire can't use an address unless it gets allocated, so "gave... permission" described an allocation of that address (in the firewall configuration which handles the address range) – TOOGAM – 2018-04-15T15:07:53.940

3@TOOGAM: I mean that, in the whois system, which I specifically linked, 1.1.1.1 is allocated to APNIC Labs. If you're going to pick nits about allocation vs. ownership, don't twist the meaning of "allocated." – Kevin – 2018-04-15T15:09:51.033

102

The GoDaddy documentation is mistaken. It is not true that Certification Authorities (CAs) must revoke certificates for all IP addresses… just reserved IP addresses.

^{_{Source: https://cabforum.org/internal-names/}}

The CA for https://1.1.1.1 was DigiCert, which as of the writing of this answer, does allow buying site certificates for public IP addresses.

DigiCert has an article about this called Internal Server Name SSL Certificate Issuance After 2015:

If you are a server admin using internal names, you need to either reconfigure those servers to use a public name, or switch to a certificate issued by an internal CA before the 2015 cutoff date. All internal connections that require a publicly-trusted certificate must be done through names that are public and verifiable (it does not matter if those services are publicly accessible).

^{_{(emphasis mine)}}

Cloudflare simply got a certificate for their IP address 1.1.1.1 from that trusted CA.

Parsing the certificate for https://1.1.1.1 reveals that the certificate makes use of Subject Alternative Names (SANs) to encompass some IP addresses and ordinary domain names:

deltik@node51 [~]$ openssl s_client -showcerts -connect 1.1.1.1:443 < /dev/null 2>&1 | openssl x509 -noout -text | grep -A1 'Subject Alternative Name:'
            X509v3 Subject Alternative Name: 
                DNS:*.cloudflare-dns.com, IP Address:1.1.1.1, IP Address:1.0.0.1, DNS:cloudflare-dns.com, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001

This information is also in the Google Chrome Certificate Viewer under the "Details" tab:

This certificate is valid for all of the listed domains (including the wildcard *) and IP addresses.

Deltik

Posted 2018-04-12T04:05:16.987

Reputation: 16 807

Your article link does not appear to be working. Best to quote the relevant information. – Ramhound – 2018-04-12T04:53:18.570

11I think it's not mistaken as much as misleading. It should be bracketet as 'must revoke SSL certificates that use intranet (names or IP addresses)' not ''must revoke SSL certificates that use (intranet names) or IP addresses'. – Maciej Piechotka – 2018-04-12T07:46:05.753

3Well, it does say "intranet names or IP addresses". Intranet names, or intranet IP addresses. It's not wrong, it's just the OP only selectively read it. – Lightness Races with Monica – 2018-04-12T10:25:02.663

Looks like the Certificate Subject Alt Name includes the IP address:

Not Critical
DNS Name: *.cloudflare-dns.com
IP Address: 1.1.1.1
IP Address: 1.0.0.1
DNS Name: cloudflare-dns.com
IP Address: 2606:4700:4700::1111
IP Address: 2606:4700:4700::1001

Traditionally I guess you would have only put DNS Names in here, but Cloudflare have put their IP Addresses in as well.

https://1.0.0.1/ is also considered secure by browsers.

Michael Frank

Posted 2018-04-12T04:05:16.987

Reputation: 7 412

1I don't see how this answers the question. Posting the content of a certificate doesn't explain why such a certificate could be delivered. – Dmitry Grigoryev – 2018-04-12T07:20:21.253

18@DmitryGrigoryev: But it does prove that such a certificate was delivered, which was a major point of confusion in the question (the OP couldn't find 1.1.1.1 listed in the cert) – Lightness Races with Monica – 2018-04-12T10:26:04.347

3This answer does indeed answer the author's question. While the author went into more detail with regard to their confusion, this identifies the fact, the certificate in question is indeed valid. Since the author of the question, never provided us what GoDaddy actually said, difficult to answer the question with anythign else. – Ramhound – 2018-04-12T11:58:38.373

@DmitryGrigoryev - If the question is "Why does my browser think that https://1.1.1.1 is secure?" (the title of this page) or "How is it possible that all the major browsers think that https://1.1.1.1 is a trusted HTTPS website?" (the only actual question within the body), then "because 1.1.1.1 is listed as a SAN in the certificate" clearly answers that question.

– Dave Sherohman – 2018-04-15T08:49:01.183

@DmitryGrigoryev "doesn't explain why such a certificate could be delivered" then the question is unclear, as it doesn't even contain the complete certificate information, and is not clearly either a technical question about TLS implementation in browsers or a policy question about CA, but a mix of both – curiousguy – 2018-06-21T05:20:50.490