[13649] in cryptography@c2.net mail archive
Re: Wildcard Certs
daemon@ATHENA.MIT.EDU (Stefan Kelm)
Mon Jun 16 11:09:17 2003
X-Original-To: cryptography@metzdowd.com
From: "Stefan Kelm" <kelm@secorvo.de>
To: martin f krafft <madduck@madduck.net>,
crypto list <cryptography@metzdowd.com>
Date: Mon, 16 Jun 2003 16:52:25 +0200
Reply-To: kelm@secorvo.de
In-reply-to: <20030616075737.GA18032@diamond.madduck.net>
Martin,
> Are wildcard certificates good? secure? useful?
There's a problem with wildcard certs wrt how URLs are being displayed in
many of the browsers, esp. the older ones. If the host name is extremely
long the browser will be unable to show the complete URL to the user,
with some browsers even inserting "..." into the address window.
Now, suppose I buy a certificate for *.i-am-bad.com (assuming that I'm
the owner of that domain). I could then set up an SSL server with a
hostname of something like
www.security-products.microsoft.com.order.registration.checkout.user-support.i-am-bad.com
hoping that the browser will only display the more familiar looking parts
of the URL to the user who in turn will happily accept the certificate.
You get the idea.
Cheers,
Stefan.
--------------------------------------------------------
Security Awareness Symposium - 24.-25.06.2003, Karlsruhe
http://www.security-awareness-symposium.de/
--------------------------------------------------------
Dipl.-Inform. Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe
Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail kelm@secorvo.de, http://www.secorvo.de/
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
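An added example, not part of the original message: a defender-side check that takes the hostname from the post, computes what a truncating address field would show, and flags a watched brand domain embedded in front of a different registrable domain. It goes slightly beyond the post by also applying the single-label wildcard rule of RFC 2818; the 40-character width, the two-label registrable domain and the watch list are assumptions.

```python
# Added example, not from the original post. Assumptions: a 40-character
# address field that cuts from the right, a two-label registrable domain
# (real code should consult the Public Suffix List), a constructed watch list.
WATCHED = ("microsoft.com", "paypal.com")  # constructed sample list
DISPLAY_WIDTH = 40                         # assumed visible characters
SAMPLE = ("www.security-products.microsoft.com.order.registration."
          "checkout.user-support.i-am-bad.com")  # hostname from the post


def labels(host):
    return host.lower().rstrip(".").split(".")


def wildcard_matches(pattern, host):
    """RFC 2818-style match: '*' as the whole left-most label covers
    exactly one label, so label counts must be equal."""
    p, h = labels(pattern), labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def registrable_domain(host):
    """Naive approximation: the last two labels."""
    return ".".join(labels(host)[-2:])


def truncated_display(host, width=DISPLAY_WIDTH):
    """What a field that keeps the left part and appends '...' shows."""
    return host if len(host) <= width else host[:width - 3] + "..."


def embedded_brands(host):
    """Watched domains present as whole labels in a host whose
    registrable domain is a different one."""
    h, reg = "." + ".".join(labels(host)) + ".", registrable_domain(host)
    return [b for b in WATCHED if b != reg and "." + b + "." in h]


def assess(host):
    reg, shown = registrable_domain(host), truncated_display(host)
    brands = embedded_brands(host)
    return {"registrable": reg, "displayed": shown,
            "owner_hidden": not shown.endswith(reg),
            "embedded_brands": brands, "suspicious": bool(brands)}


if __name__ == "__main__":
    print(assess(SAMPLE))
    print(wildcard_matches("*.i-am-bad.com", SAMPLE))
```

A client that applies the single-label rule rejects `*.i-am-bad.com` for the long name, so the display check matters most for certificates issued for the full hostname or for clients with looser wildcard matching.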