Would this be considered a low risk vulnerability?
Sì.
If an attacker can force the use of an IP address, then surely the
certificate is no longer of any value at this point (unless installed
on a client machine)?
Non sono abbastanza sicuro di capire la domanda. Anche se un indirizzo IP viene forzato da un utente malintenzionato e l'indirizzo IP non è definito come SAN, il traffico verrà comunque crittografato.
Tuttavia, tieni presente che RFC 6125 consiglia di utilizzare rigorosamente un indirizzo IP come nome definito:
Some certification authorities issue server certificates based on
IP addresses, but preliminary evidence indicates that such
certificates are a very small percentage (less than 1%) of issued
certificates. Furthermore, IP addresses are not necessarily
reliable identifiers for application services because of the
existence of private internets [PRIVATE], host mobility, multiple
interfaces on a given host, Network Address Translators (NATs)
resulting in different addresses for a host from different
locations on the network, the practice of grouping many hosts
together behind a single IP address, etc. Most fundamentally,
most users find DNS domain names much easier to work with than IP
addresses, which is why the domain name system was designed in the
first place. We prefer to define best practices for the much more
common use case and not to complicate the rules in this
specification.
UPDATE:
Sembra che Symantec, insieme a diverse altre CA non emetteranno più certificati privi di un FQDN valido.
For this reason, the leading Certification Authorities, including Symantec, that make up the Certification Authority/Browser Forum (CA/B Forum) have decided to cease issuing certificates without a Fully Qualified Domain Name (FQDN).
Fai riferimento a: link