Batu69 Posted September 26, 2016 Share Posted September 26, 2016 After getting to play with Windows 10 for a few hours, something unexpected caught my attention. Hey, there's some new stuff in there - a third, undocumented CTL! Googling for 'PinRulesEncodedCtl' turned up nothing at all. The first few bytes of the binary data (30 82 .. .. 06 09 2a 86 48) looked familiar though: it was probably ASN.1 encoded data, just like the other two well-documented CTLs. That meant I could probably just feed the blob into my existing tools for quick and painless decoding. Success! We get a nice list of 152 Microsoft-owned domains. Spoiler Subject Identifier: .files-df.1drv.com Subject Identifier: .files.1drv.com Subject Identifier: .aadrm.com Subject Identifier: .afx.ms Subject Identifier: .akadns.net Subject Identifier: .aspnetcdn.com Subject Identifier: .azure-int.net Subject Identifier: .azure-mobile.net Subject Identifier: .azure.com Subject Identifier: .cloudapp.azure.com Subject Identifier: azure.com Subject Identifier: .azure.net Subject Identifier: .cloudapp.azure.net Subject Identifier: .azureedge.net Subject Identifier: .azurewebsites.net Subject Identifier: .bing-exp.com Subject Identifier: .bing-int.com Subject Identifier: .bing.com Subject Identifier: bing.com Subject Identifier: download.cortana.cn.bing.com Subject Identifier: .bing.net Subject Identifier: .ceipmsn.com Subject Identifier: .cloudapp.net Subject Identifier: .codeplex.com Subject Identifier: .discoverbing.com Subject Identifier: .getmicrosoftkey.com Subject Identifier: .gfx-int.ms Subject Identifier: gfx-int.ms Subject Identifier: .gfx.ms Subject Identifier: .healthvault-ppe.co.uk Subject Identifier: .healthvault-ppe.com Subject Identifier: healthvault-ppe.com Subject Identifier: .healthvault.co.uk Subject Identifier: .healthvault.com Subject Identifier: .hotmail-int.com Subject Identifier: hotmail.co.uk Subject Identifier: .hotmail.com Subject Identifier: hotmail.com Subject Identifier: iespdytst Subject Identifier: ieta-wa-24 Subject Identifier: .live-int.com Subject Identifier: .live-int.net Subject Identifier: .live-partner.com Subject Identifier: .live-ppe.net Subject Identifier: .live.com Subject Identifier: .live.fi Subject Identifier: live.fi Subject Identifier: .live.net Subject Identifier: .livefilestore-int.com Subject Identifier: .livefilestore.com Subject Identifier: .livemeeting.com Subject Identifier: .lync.com Subject Identifier: .mesh.com Subject Identifier: .mgmt.live Subject Identifier: .microsoft-int.com Subject Identifier: .microsoft.com Subject Identifier: .redmond.corp.microsoft.com Subject Identifier: download.microsoft.com Subject Identifier: iespdytst.redmond.corp.microsoft.com Subject Identifier: microsoft.com Subject Identifier: powerusers-staging.microsoft.com Subject Identifier: powerusers.microsoft.com Subject Identifier: telecommand.telemetry.microsoft.com Subject Identifier: vortex-sandbox.data.microsoft.com Subject Identifier: watson.telemetry.microsoft.com Subject Identifier: .microsoft.com.au Subject Identifier: .microsoft.com.tr Subject Identifier: .microsoft.fr Subject Identifier: .microsoftonline-int.com Subject Identifier: .microsoftonline-p-int.com Subject Identifier: .microsoftonline-p.com Subject Identifier: .microsoftonline-p.net Subject Identifier: .microsoftonline.com Subject Identifier: .microsoftonline.net Subject Identifier: .microsoftprime.com Subject Identifier: .microsoftstore.com Subject Identifier: za.microsoftstore.com Subject Identifier: .microsoftstore.com.br Subject Identifier: .microsoftstore.com.cn Subject Identifier: .microsoftstore.com.hk Subject Identifier: .microsofttranslator.com Subject Identifier: .microsoftvirtualacademy.com Subject Identifier: .modern.ie Subject Identifier: modern.ie Subject Identifier: .msads.net Subject Identifier: .vo.msecnd.net Subject Identifier: .msgamestudios.com Subject Identifier: .msn-int.com Subject Identifier: .msn.cn Subject Identifier: .msn.co.jp Subject Identifier: .msn.com Subject Identifier: .msn.com.cn Subject Identifier: .msocdn.com Subject Identifier: .firstpartyapps.oaspapps.com Subject Identifier: .office-int.com Subject Identifier: office-int.com Subject Identifier: .office-int.net Subject Identifier: .office.com Subject Identifier: office.com Subject Identifier: .office.net Subject Identifier: .office365.com Subject Identifier: .officeppe.com Subject Identifier: .officeppe.net Subject Identifier: .onedrive.com Subject Identifier: onedrive.com Subject Identifier: .onenote.com Subject Identifier: onenote.com Subject Identifier: .onenote.net Subject Identifier: outlook-int.com Subject Identifier: .outlook.com Subject Identifier: 003-1-d.outlook.com Subject Identifier: 003-1-d.prod.outlook.com Subject Identifier: outlook.com Subject Identifier: pod71084-pri.outlook.com Subject Identifier: pod71084.outlook.com Subject Identifier: .pfx.ms Subject Identifier: .s-microsoft.com Subject Identifier: .s-msft.com Subject Identifier: .s-msn.com Subject Identifier: .sfx-df.ms Subject Identifier: .sfx-int.ms Subject Identifier: .sfx.ms Subject Identifier: .sharepoint.com Subject Identifier: .sharepointonline.com Subject Identifier: .skype.com Subject Identifier: community-stage.skype.com Subject Identifier: .skype.net Subject Identifier: .skypeassets.com Subject Identifier: .sqlazurelabs.com Subject Identifier: .surface.com Subject Identifier: .syncxp.net Subject Identifier: .trouter.io Subject Identifier: .virtualearth.net Subject Identifier: .visualstudio.com Subject Identifier: visualstudio.com Subject Identifier: .windows-int.net Subject Identifier: .windows.com Subject Identifier: insidersurveys.windows.com Subject Identifier: www.insidersurveys.windows.com Subject Identifier: .windows.net Subject Identifier: .windowsazure.com Subject Identifier: .windowsmedia.com Subject Identifier: .windowsphone-int.com Subject Identifier: .windowsphone-int.net Subject Identifier: .windowsphone.com Subject Identifier: .windowsphone.net Subject Identifier: .windowssearch.com Subject Identifier: .windowsstore.com Subject Identifier: .wlxrs.com Subject Identifier: .xbox.com Subject Identifier: .xboxlive.com Subject Identifier: .zune.net Also, the lastsync timestamp (2016-09-24 14:22:44 UTC) shows that this list is being regularly updated. So this very much looks like evidence of an active system-wide certificate pinning mechanism protecting against MITM attacks on high-value Microsoft domains. Which, per se, is a good thing! Some official documentation would be nice, though. Edit 1 (2016-09-24): This seems to be - at least partially - related to Telemetry, as briefly mentioned at the only page I could find: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization Article source Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.