Me: Threat-hunting rare DNS lookups in a corporate network. Confluence: https://www.google.com/search?&q=%22atlassian-domain-for-localhost-connections-only.com%22 pic.twitter.com/pse4VwORiZ
Interestingly, that host doesn't show up in http://crt.sh, so they didn't do the most convenient common bad thing.
I pulled out the certificates here, they do seem valid at first glance, not sure why they didn't get logged in CT.
https://pastebin.com/F8UD8Ypb
Hm I suppose that's true then of IBM's Aspera plugin client, which uses https://local.connectme.us for the same kind of communication
I just took a look. Umm... that could be way, way worse. There's a pre-generated CA certificate and a private key; if they add that to the system store, they're effectively disabling SSL. I would consider that *critical*.
Just to make sure I get it correctly: Atlassian had a local server with the same SSL cert for all customers, so anyone could steal it and, if MITM, respond to DNS and direct traffic to a site with this stolen SSL cert, and this is the "trivial MITM" attack you are referring to?
Yep, you can just grab the private key, and nothing is stopping you resolving this domain to something other than localhost. Therefore, no guarantee that you're talking to a trusted local service and not an attacker.
Wait, CAs revoke for this, even if it's known that it is only intended to point to 127.0.0.1? Spotify does this too, unless they've changed it recently. I just figured there was some exemption for domains they promise will always be localhost or something.
Yes, because the only reason it points to 127.0.0.1 is because of DNS, which is not a secure protocol. Whoever runs the network you're on can make it point wherever they like, and with the private key, they can imitate the local service. Therefore, cert is considered compromised.
I'm struggling to see what *is* the correct solution here... (except that it clearly isn't this). Any pointers?
There's a good chance it will "just work" these days: localhost is now considered a secure origin, and no additional tricks are required. That being said, localhost RPC endpoints are really hard to get right.
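The thread opens with hunting rare DNS lookups and then explains why a vendor name that is supposed to resolve only to loopback becomes a MITM risk once its certificate's private key is shared. The following is an added example written for this page, not code from the thread or from any of the vendors mentioned: it runs that check over a constructed resolver log. The log format, the sample lines, and the function names are all assumptions made for the example; the two hostnames are the ones named in the thread.

```python
import ipaddress
from collections import Counter

# Vendor hostnames that, per the thread, are only ever meant to resolve to
# loopback (both names are taken from the discussion above).
LOCALHOST_ONLY_DOMAINS = (
    "atlassian-domain-for-localhost-connections-only.com",
    "local.connectme.us",
)

# Constructed sample resolver log: "<timestamp> <client> <qname> <type> <answer>".
# The line format and every value here are made up for this example.
SAMPLE_LOG = """\
2020-01-01T10:00:00Z 10.0.0.5 atlassian-domain-for-localhost-connections-only.com A 127.0.0.1
2020-01-01T10:00:01Z 10.0.0.5 local.connectme.us A 127.0.0.1
2020-01-01T10:00:02Z 10.0.0.7 atlassian-domain-for-localhost-connections-only.com A 192.0.2.44
2020-01-01T10:00:03Z 10.0.0.9 www.example.com A 93.184.216.34
2020-01-01T10:00:04Z 10.0.0.5 local.connectme.us AAAA ::1
"""


def parse_line(line):
    """Split one log line into its fields; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, rtype, answer = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
            "type": rtype, "answer": answer}


def is_loopback(address):
    """True only for 127.0.0.0/8 and ::1; anything unparsable counts as not loopback."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def is_localhost_only(qname, domains=LOCALHOST_ONLY_DOMAINS):
    """Match the name itself or any subdomain of a localhost-only domain."""
    return any(qname == d or qname.endswith("." + d) for d in domains)


def find_hijacked_lookups(log_text, domains=LOCALHOST_ONLY_DOMAINS):
    """Return (client, qname, answer) for localhost-only names answered with a
    non-loopback address.

    A non-loopback answer is the precondition for the MITM the thread describes:
    the network has redirected the name, and the shared private key would let
    whatever is at that address present a valid certificate for it.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] not in ("A", "AAAA"):
            continue
        if is_localhost_only(rec["qname"], domains) and not is_loopback(rec["answer"]):
            hits.append((rec["client"], rec["qname"], rec["answer"]))
    return hits


def rare_lookups(log_text, max_count):
    """Names queried fewer than max_count times: the 'rare lookup' hunting list."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[rec["qname"]] += 1
    return {name for name, n in counts.items() if n < max_count}


if __name__ == "__main__":
    for client, name, answer in find_hijacked_lookups(SAMPLE_LOG):
        print(f"ALERT {client}: {name} resolved to {answer}, expected loopback")
    print("rare names:", sorted(rare_lookups(SAMPLE_LOG, 2)))
```

On the sample log the hijack check flags only the third line (a localhost-only name answered with 192.0.2.44), while the rare-lookup pass surfaces www.example.com as the single name seen once. In practice the localhost-only list is the thing to maintain: every vendor agent that ships a "loopback" hostname belongs on it, and any answer other than 127.0.0.0/8 or ::1 for those names is worth an alert regardless of how the resolver logs are formatted.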