[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Overly permissive hostname matching

From: Daniel Kahn Gillmor
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Wed, 19 Mar 2014 10:43:31 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0

On 03/19/2014 10:38 AM, Daniel Stenberg wrote:
> On Tue, 18 Mar 2014, Ángel González wrote:
>> Daniel, how does cURL check correctness of the certificate hostname
>> suffix?
> It insists on at least two dots. So yes, "*.apple" will cause problems
> for us too.

There are also errors in the opposite direction: it sounds like curl
will accept a cert for *.co.uk, right?

> I view the public suffix list as one of the worst kludges in networking
> history and while I understand why it is necessary, it is next to
> impossible to actually use sensibly in lots of environments.

I agree that the PSL is a horrible kludge; i'm not sure what other
solutions are possible though, until the DNS gets some way to specify
public registries itself (e.g. the DBOUND discussion going on in the IETF).

In the meantime, we need to figure something out, though :/


Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]