[Bug-wget] Overly permissive hostname matching
From: Jeffrey Walton
Subject: [Bug-wget] Overly permissive hostname matching
Date: Tue, 18 Mar 2014 01:43:03 -0400
I believe wget has a security flaw in its certificate hostname matching code.
In the attached server certificate, the hostname is provided via a
Subject Alt Name (SAN). The only SAN entry is a DNS name for "*.com".
Also attached is the default CA, which was used to sign the server's
certificate.
Effectively, wget accepts a single certificate for the gTLD of .COM.
That's probably bad. If a CA is compromised, then the compromised CA
could issue a "super certificate" and cover the entire top level
domain space.
I suspect wget also accepts certificates for .COM's friends, like
.NET, .ORG, .MIL, etc.
It's probably not limited to gTLDs. Mozilla maintains a list of
effective TLDs at https://wiki.mozilla.org/Public_Suffix_List. The
1600+ effective TLDs are probably accepted, too.
Attached are the certificates, keys, and commands to set up a test rig
with OpenSSL's s_server. The certificates are issued for example.com,
and require a modification to /etc/hosts to make things work as
(un)expected.
Jeffrey Walton
Baltimore, MD, US
Attachment: hostname-verification.tar.gz (GNU Zip compressed data)
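The report above describes a matcher that lets a `*.com` SAN cover every second-level `.com` name. The following is an added example (not wget's code, and not from the reporter's attachment) that places a naive label-by-label wildcard matcher beside a stricter one following the RFC 6125 rule that `*` may only be the entire left-most label, must leave at least two labels to its right, and must not cover a public suffix. The `PUBLIC_SUFFIXES` set is a constructed stand-in for the Mozilla list; function names are the example's own.

```python
# Example: naive vs. strict wildcard hostname matching for TLS certificates.
# Added illustration, not wget's implementation.

# Constructed, minimal stand-in for the Mozilla Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "mil", "co.uk"}


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, and split into labels."""
    return name.lower().rstrip(".").split(".")


def permissive_match(hostname: str, pattern: str) -> bool:
    """The behaviour the report describes: a '*' label matches any label.

    With this rule a certificate for '*.com' matches 'example.com'.
    """
    h, p = _labels(hostname), _labels(pattern)
    if len(h) != len(p):
        return False
    return all(pl == "*" or pl == hl for hl, pl in zip(h, p))


def wildcard_is_acceptable(pattern: str) -> bool:
    """RFC 6125-style constraints on a wildcard DNS-ID in a certificate."""
    p = _labels(pattern)
    if "*" not in pattern:
        return True                      # plain name, nothing to constrain
    if p[0] != "*":
        return False                     # '*' must be the whole left-most label
    if any("*" in label for label in p[1:]):
        return False                     # no wildcards elsewhere
    if len(p) < 3:
        return False                     # '*.com' leaves only one label
    if ".".join(p[1:]) in PUBLIC_SUFFIXES:
        return False                     # '*.co.uk' would cover a public suffix
    return True


def strict_match(hostname: str, pattern: str) -> bool:
    """Match a presented hostname against one SAN dNSName pattern."""
    if not wildcard_is_acceptable(pattern):
        return False
    h, p = _labels(hostname), _labels(pattern)
    if "*" not in pattern:
        return h == p
    # Wildcard covers exactly one non-empty left-most label.
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def hostname_in_sans(hostname: str, san_dns_names: list[str]) -> bool:
    """Accept the certificate if any SAN dNSName matches under the strict rule."""
    return any(strict_match(hostname, san) for san in san_dns_names)


if __name__ == "__main__":
    # Constructed SAN list mirroring the report: the only entry is '*.com'.
    sans = ["*.com"]
    print("permissive:", permissive_match("example.com", "*.com"))   # True
    print("strict:    ", hostname_in_sans("example.com", sans))       # False
```

The strict matcher rejects `*.com` before it even looks at the hostname, so the check fails closed regardless of which `.com` name the client connected to; a matcher that only compares label counts and lets `*` stand for any label is what makes a single certificate cover the whole TLD.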
Reply: Re: [Bug-wget] Overly permissive hostname matching, Tim Rühsen, 2014/03/18