[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Overly permissive hostname matching

From: Ángel González
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Tue, 18 Mar 2014 22:18:04 +0100
User-agent: Thunderbird

I don't think wget should be checking correct hostname scope of the certificate. I mean, it'd be ok to have some general rule as "noone can use a certificate for
*.whatever or *." [1] but embedding the Public Suffix List seems overkill.
And the implementation should probably be performed at openssl/gnutls level.

If an attacker was able to get a CA-signed certificate for *.com (even though browsers reject that), he is very likely to have also been able to create a certificate
for the domain you are browsing or directly a sub-CA.

Daniel, how does cURL check correctness of the certificate hostname suffix?

1- And even them, we might end up with a new TLD (eg.
*.apple ) where turns out to be correct.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]