Re: [Bug-wget] Overly permissive hostname matching

From: Ángel González
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Fri, 21 Mar 2014 21:31:51 +0100
User-agent: Thunderbird

On 18/03/14 16:00, Jeffrey Walton wrote:
>> What if a certificate is issued by a trusted CA that *does*
>> match part of the public suffix list (perhaps because the
>> CA has determined that the application has rightful
>> control over the entire zone)?
> In practice we know four things. First, no one authority controls the
> entire domain space in a gTLD. So it's really a non-sequitur. We might
> inadvertently see it in cases like Diginotar, but that's a negative
> case and not a typical use case. However, we should expect these
> corner cases on occasion.
>
> Second, anyone claiming such is probably trying to subvert the secure
> channel. (...)

I realised that there is a problem with private registries when trying to apply the
PSL to certificates.

There are two kinds of private registries in the PSL: full-delegation
registries (you have whole control of the domain) and content-delegation
ones. In the latter case, they are public suffixes since users can place
arbitrary content there, but the servers are under the control of a single org, and
thus they can (and do) use a wildcard certificate for their domain.
See for instance blogspot.com.

It is easy to exclude the private registries, but there's no difference between
them. I think we should request Mozilla to split that section in two.


As a different comment, I discovered that although wildcards are not restricted
in the PSL description, they will in practice appear only at the beginning,
and in fact the Mozilla implementation only supports that. This simplifies the