Can a wildcard SSL certificate be issued for a second level domain?
Yes, it can be issued.
Luckily the common browsers do not accept wildcard certificates for TLDs.
Chromium Source Code:
// Do not allow wildcards for public/ICANN registry controlled domains -
// that is, prevent *.com or *.co.uk as valid presented names, but do not
// prevent *.appspot.com (a private registry controlled domain).
// In addition, unknown top-level domains (such as 'intranet' domains or
// new TLDs/gTLDs not yet added to the registry controlled domain dataset)
// are also implicitly prevented.
// Because |reference_domain| must contain at least one name component that
// is not registry controlled, this ensures that all reference domains
// contain at least three domain components when using wildcards.
size_t registry_length =
registry_controlled_domains::GetCanonicalHostRegistryLength(
reference_name,
registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,
registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
// ... [SNIP]
// Account for the leading dot in |reference_domain|.
bool is_registry_controlled =
registry_length != 0 &&
registry_length == (reference_domain.size() - 1);
// Additionally, do not attempt wildcard matching for purely numeric
// hostnames.
allow_wildcards =
!is_registry_controlled &&
reference_name.find_first_not_of("0123456789.") != std::string::npos;
}
The complete list of domains that Google disallows is in net/base/registry_controlled_domains/effective_tld_names.dat
Other browsers also do this, including IE and Firefox.
In the list of fake certificates issued by DigiNotar, there is "*.*.com". This is obviously an attempt to get around the restriction.
For the issuing part, everything can be put in a certificate. That a name is "wildcard" has no special significance for the CA. The CA puts a string as dNSName in a Subject Alt Name extension, and that's it. Whether this string contains "*" characters or not will not impact the CA behaviour.
What matters is what SSL clients will accept as a "valid certificate", i.e. a certificate including a name which "matches" the intended server name (the one included in the URL). This is nominally specified in RFC 2818, section 3.1, and it allows many kinds of wildcard names, including things like "www.*.*c*", matching (theoretically) any server name containing three components, the first being "www" and the third containing at least one "c". Web browser vendors soon considered that this specification:
- allowed for really broad wildcard names;
- was relatively complex to implement properly;
- was unlikely to be implemented properly by both other browser vendors, and by CA (though the CA is not impacted by the name contents, it is still responsible for the contents of the certificate, and browser vendors correctly guessed that there would be CA who would unwillingly issue overly broad wildcard certificates);
- was an "informational" RFC anyway, not a "proposed standard", so lawyer-inclined minds could argue that it could be ignored.
So browser vendors made their own schemes and restrictions. Much later, a new RFC (6125, from March 2011) was published, with section 6.4.3 dedicated to the processing of wildcard names in certificates. What RFC 6125 describes is more in tune with the reality, and is a "proposed standard", so there is at least some will, at some level, to make it happen. However, nothing in RFC 6125 mandates rejection of *.com; yet browsers do reject it.
I have tested this on common browsers, the three big ones (on windows anyways) don't accept this. What I haven't done is try it on the mobile platforms which imo are the real target of this attack. Since iOS doesn't have a way to revoke certificates there are millions of i-devices out there that are vulnerable until apple releases a patch, and they apply it.
Obvious places to try this with high impact: Activesync to exchange, ssl vpn clients, safari on idevices, stock browser on androids.