During our research on the project, we constantly encounter errors in how TLS certificates are installed on the websites of government agencies. One site sends user agents its certificate chain in the wrong order, another sends an incomplete chain and forces them to fetch the intermediate certificates separately, a third stuffs the root certificate into the chain, and a fourth exposes its “inner tenderness”, such as a Kubernetes Ingress Controller certificate, to the Internet.
Although we deduct points in the HTTPS Reliability Index for such manifestations of chronic Culusis Manus, in practice they hardly affect the reliability of the secure connection itself; the unjustified increase in session setup time and ServerHello size remains on the conscience of the administrators suffering from the aforementioned disease of the upper lower limbs.
But in the course of the latest study of the websites of state bodies of the Russian Federation, we came across a fantastic case: the Rosreestr website tried to convince visitors’ browsers that the connection to it was secure using a certificate with the serial number 0FA4F320D89D07BBE86F5C81DB829CB8, and not one of them believed it. We did not immediately understand what the matter was, but as soon as we consulted a Certificate Transparency log search service, everything fell into place: this certificate is a precertificate.
A precertificate is a provisional certificate that may precede the issuance of a “normal” TLS certificate. Mind-blowing details about what it is, how it works and why it exists can be gleaned from IETF RFC 9162, but in short: it is a way to make sure that information about a “normal” certificate was actually entered into the CT log to which it refers.
Simply put, a provisional certificate is a product of the “inner kitchen” of a certification authority and a CT log operator, and is not intended for use on websites. User agents must treat such a certificate as invalid, and the connection to the corresponding site as insecure, which is exactly what happens when you visit the Rosreestr website.
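What makes a precertificate “invalid” to a browser is mechanical: RFC 6962 section 3.1 (and RFC 9162, which keeps the same OID) requires it to carry a critical extension with OID 1.3.6.1.4.1.11129.2.4.3, the “poison” extension, whose value is ASN.1 NULL, and any TLS client that meets an unknown critical extension must reject the certificate. The following is an added example, not code from the original post or from any CA tooling: a standard-library-only Python DER walker that reads a certificate’s extension list and reports whether the poison extension is present. The certificate it runs on is a constructed, cert-shaped DER blob with dummy issuer, subject and key fields; only its extension list is meaningful, and the same `is_precertificate()` call works on a real DER certificate (for PEM, convert with `ssl.PEM_cert_to_DER_cert()` first).

```python
# Detect a Certificate Transparency precertificate by its poison extension
# (OID 1.3.6.1.4.1.11129.2.4.3, critical, value NULL). Standard library only.
# The sample certificate built below is CONSTRUCTED for this demo, not a real cert.

PRECERT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"


def der(tag, body):
    """Encode one DER TLV with a definite length (used only to build the sample)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER contents (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(data, pos=0):
    """Return (tag, contents, position after the TLV) for the TLV at pos."""
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first & 0x80:              # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def children(body):
    """Iterate the (tag, contents) pairs inside a constructed DER value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def certificate_extensions(cert_der):
    """Walk Certificate -> TBSCertificate -> [3] Extensions; return [(oid, critical, value)]."""
    _, cert_body, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert_body)        # tbsCertificate is the first element
    exts = []
    for tag, value in children(tbs):
        if tag != 0xA3:                    # context tag [3] EXPLICIT Extensions
            continue
        _, ext_seq, _ = read_tlv(value)
        for _, ext in children(ext_seq):
            fields = list(children(ext))   # OID, optional BOOLEAN critical, OCTET STRING
            critical = len(fields) == 3 and fields[1][1] == b"\xff"
            exts.append((decode_oid(fields[0][1]), critical, fields[-1][1]))
    return exts


def is_precertificate(cert_der):
    """True when the CT poison extension is present (conformant ones are critical, value NULL)."""
    return any(oid == PRECERT_POISON_OID for oid, _, _ in certificate_extensions(cert_der))


def build_sample_cert(poisoned):
    """CONSTRUCTED cert-shaped DER with dummy fields; only the extension list is meaningful."""
    def oid(dotted):
        return der(0x06, encode_oid(dotted))
    exts = [der(0x30, oid("2.5.29.19") + der(0x04, der(0x30, b"")))]   # basicConstraints, non-critical
    if poisoned:
        exts.append(der(0x30, oid(PRECERT_POISON_OID) + der(0x01, b"\xff")   # critical TRUE
                        + der(0x04, b"\x05\x00")))                            # OCTET STRING { NULL }
    sig_alg = der(0x30, oid("1.2.840.113549.1.1.11"))                         # sha256WithRSAEncryption
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))        # [0] version v3
              + der(0x02, b"\x01")                      # serialNumber (dummy)
              + sig_alg
              + der(0x30, b"") + der(0x30, b"")         # issuer, validity (dummy)
              + der(0x30, b"") + der(0x30, b"")         # subject, subjectPublicKeyInfo (dummy)
              + der(0xA3, der(0x30, b"".join(exts))))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))  # dummy empty signature
```

Running `is_precertificate(build_sample_cert(True))` returns True and `is_precertificate(build_sample_cert(False))` returns False; `certificate_extensions()` also exposes the critical flag, which is the detail that makes browsers refuse the certificate rather than merely warn. A monitoring check that fetches a site's leaf certificate and runs this test is a cheap way to catch the Rosreestr failure mode before users do.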
Either nobody at Rosreestr read the RFC, or they could not master the procedure for ordering a certificate, or maybe they were simply in a hurry and stuck onto their site the first thing that was even remotely reminiscent of a “normal” certificate. They could not have stuck on anything else anyway, because, according to the same service, a “normal” certificate based on the mentioned DigiCert precertificate was never issued.
Why is unknown; I took the trouble to contact the CA, and all they could tell me was: “I checked for the domain and we do not have a certificate for that domain.”
As I see the situation: someone at Rosreestr decided to show off and order an EV certificate, spent the people’s hard currency on it, and then something went wrong: either his hands grow from an unconventional place, or he was in a hurry to report to his superiors about unprecedented successes in the field of information security… Now the authorities ask why the site is not working, the Treasury is interested in where the budget currency has gone, it is already 2022, and DigiCert writes: “We have suspended issuing out certificates for Russia due to the ongoing conflict.”
We have written to the prosecutor’s office; so far there has been no reaction from it. It may yet be necessary to explain to the prosecutor what an RFC is, what Certificate Transparency is, and the various unusual parts of the body from which some people’s hands can grow.