Jump to content
Login new information ×
Login new information
Donations campaign phase one 2024

Windows 10 has an undocumented certificate pinning feature

Batu69

By Batu69
in Software News

Recommended Posts

Batu69

Batu69

Posted
Posted

After getting to play with Windows 10 for a few hours, something unexpected caught my attention.

 

Hey, there's some new stuff in there - a third, undocumented CTL!
Googling for 'PinRulesEncodedCtl' turned up nothing at all. The first few bytes of the binary data (30 82 .. .. 06 09 2a 86 48) looked familiar though: it was probably ASN.1 encoded data, just like the other two well-documented CTLs. That meant I could probably just feed the blob into my existing tools for quick and painless decoding.

 

Success! We get a nice list of 152 Microsoft-owned domains.

Spoiler 

Subject Identifier: .files-df.1drv.com
Subject Identifier: .files.1drv.com
Subject Identifier: .aadrm.com
Subject Identifier: .afx.ms
Subject Identifier: .akadns.net
Subject Identifier: .aspnetcdn.com
Subject Identifier: .azure-int.net
Subject Identifier: .azure-mobile.net
Subject Identifier: .azure.com
Subject Identifier: .cloudapp.azure.com
Subject Identifier: azure.com
Subject Identifier: .azure.net
Subject Identifier: .cloudapp.azure.net
Subject Identifier: .azureedge.net
Subject Identifier: .azurewebsites.net
Subject Identifier: .bing-exp.com
Subject Identifier: .bing-int.com
Subject Identifier: .bing.com
Subject Identifier: bing.com
Subject Identifier: download.cortana.cn.bing.com
Subject Identifier: .bing.net
Subject Identifier: .ceipmsn.com
Subject Identifier: .cloudapp.net
Subject Identifier: .codeplex.com
Subject Identifier: .discoverbing.com
Subject Identifier: .getmicrosoftkey.com
Subject Identifier: .gfx-int.ms
Subject Identifier: gfx-int.ms
Subject Identifier: .gfx.ms
Subject Identifier: .healthvault-ppe.co.uk
Subject Identifier: .healthvault-ppe.com
Subject Identifier: healthvault-ppe.com
Subject Identifier: .healthvault.co.uk
Subject Identifier: .healthvault.com
Subject Identifier: .hotmail-int.com
Subject Identifier: hotmail.co.uk
Subject Identifier: .hotmail.com
Subject Identifier: hotmail.com
Subject Identifier: iespdytst
Subject Identifier: ieta-wa-24
Subject Identifier: .live-int.com
Subject Identifier: .live-int.net
Subject Identifier: .live-partner.com
Subject Identifier: .live-ppe.net
Subject Identifier: .live.com
Subject Identifier: .live.fi
Subject Identifier: live.fi
Subject Identifier: .live.net
Subject Identifier: .livefilestore-int.com
Subject Identifier: .livefilestore.com
Subject Identifier: .livemeeting.com
Subject Identifier: .lync.com
Subject Identifier: .mesh.com
Subject Identifier: .mgmt.live
Subject Identifier: .microsoft-int.com
Subject Identifier: .microsoft.com
Subject Identifier: .redmond.corp.microsoft.com
Subject Identifier: download.microsoft.com
Subject Identifier: iespdytst.redmond.corp.microsoft.com
Subject Identifier: microsoft.com
Subject Identifier: powerusers-staging.microsoft.com
Subject Identifier: powerusers.microsoft.com
Subject Identifier: telecommand.telemetry.microsoft.com
Subject Identifier: vortex-sandbox.data.microsoft.com
Subject Identifier: watson.telemetry.microsoft.com
Subject Identifier: .microsoft.com.au
Subject Identifier: .microsoft.com.tr
Subject Identifier: .microsoft.fr
Subject Identifier: .microsoftonline-int.com
Subject Identifier: .microsoftonline-p-int.com
Subject Identifier: .microsoftonline-p.com
Subject Identifier: .microsoftonline-p.net
Subject Identifier: .microsoftonline.com
Subject Identifier: .microsoftonline.net
Subject Identifier: .microsoftprime.com
Subject Identifier: .microsoftstore.com
Subject Identifier: za.microsoftstore.com
Subject Identifier: .microsoftstore.com.br
Subject Identifier: .microsoftstore.com.cn
Subject Identifier: .microsoftstore.com.hk
Subject Identifier: .microsofttranslator.com
Subject Identifier: .microsoftvirtualacademy.com
Subject Identifier: .modern.ie
Subject Identifier: modern.ie
Subject Identifier: .msads.net
Subject Identifier: .vo.msecnd.net
Subject Identifier: .msgamestudios.com
Subject Identifier: .msn-int.com
Subject Identifier: .msn.cn
Subject Identifier: .msn.co.jp
Subject Identifier: .msn.com
Subject Identifier: .msn.com.cn
Subject Identifier: .msocdn.com
Subject Identifier: .firstpartyapps.oaspapps.com
Subject Identifier: .office-int.com
Subject Identifier: office-int.com
Subject Identifier: .office-int.net
Subject Identifier: .office.com
Subject Identifier: office.com
Subject Identifier: .office.net
Subject Identifier: .office365.com
Subject Identifier: .officeppe.com
Subject Identifier: .officeppe.net
Subject Identifier: .onedrive.com
Subject Identifier: onedrive.com
Subject Identifier: .onenote.com
Subject Identifier: onenote.com
Subject Identifier: .onenote.net
Subject Identifier: outlook-int.com
Subject Identifier: .outlook.com
Subject Identifier: 003-1-d.outlook.com
Subject Identifier: 003-1-d.prod.outlook.com
Subject Identifier: outlook.com
Subject Identifier: pod71084-pri.outlook.com
Subject Identifier: pod71084.outlook.com
Subject Identifier: .pfx.ms
Subject Identifier: .s-microsoft.com
Subject Identifier: .s-msft.com
Subject Identifier: .s-msn.com
Subject Identifier: .sfx-df.ms
Subject Identifier: .sfx-int.ms
Subject Identifier: .sfx.ms
Subject Identifier: .sharepoint.com
Subject Identifier: .sharepointonline.com
Subject Identifier: .skype.com
Subject Identifier: community-stage.skype.com
Subject Identifier: .skype.net
Subject Identifier: .skypeassets.com
Subject Identifier: .sqlazurelabs.com
Subject Identifier: .surface.com
Subject Identifier: .syncxp.net
Subject Identifier: .trouter.io
Subject Identifier: .virtualearth.net
Subject Identifier: .visualstudio.com
Subject Identifier: visualstudio.com
Subject Identifier: .windows-int.net
Subject Identifier: .windows.com
Subject Identifier: insidersurveys.windows.com
Subject Identifier: www.insidersurveys.windows.com
Subject Identifier: .windows.net
Subject Identifier: .windowsazure.com
Subject Identifier: .windowsmedia.com
Subject Identifier: .windowsphone-int.com
Subject Identifier: .windowsphone-int.net
Subject Identifier: .windowsphone.com
Subject Identifier: .windowsphone.net
Subject Identifier: .windowssearch.com
Subject Identifier: .windowsstore.com
Subject Identifier: .wlxrs.com
Subject Identifier: .xbox.com
Subject Identifier: .xboxlive.com
Subject Identifier: .zune.net

 

Also, the lastsync timestamp (2016-09-24 14:22:44 UTC) shows that this list is being regularly updated.

So this very much looks like evidence of an active system-wide certificate pinning mechanism protecting against MITM attacks on high-value Microsoft domains. Which, per se, is a good thing! Some official documentation would be nice, though.

 

Edit 1 (2016-09-24): This seems to be - at least partially - related to Telemetry, as briefly mentioned at the only page I could find: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization

 

Article source

Link to comment
Share on other sites
  • Views 798
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...