Re: [Bug-wget] Overly permissive hostname matching


From: Ángel González
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Tue, 18 Mar 2014 22:18:04 +0100
User-agent: Thunderbird

I don't think wget should be checking correct hostname scope of the certificate. I mean, it'd be ok to have some general rule as "no one can use a certificate for *.whatever or *." [1] but embedding the Public Suffix List seems overkill.
And the implementation should probably be performed at openssl/gnutls level.

If an attacker was able to get a CA-signed certificate for *.com (even though browsers reject that), he is very likely to have also been able to create a certificate for the domain you are browsing or directly a sub-CA.

Daniel, how does cURL check correctness of the certificate hostname suffix?

1- And even then, we might end up with a new TLD (eg. *.apple ) where it turns out to be correct.
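To make the "general rule" discussed above concrete, here is an added example (not code from this thread, nor from wget, cURL, OpenSSL or GnuTLS) of a certificate-name matcher that refuses wildcards covering a bare TLD. The function name `hostname_matches` and the policy it encodes are this example's own choices: a `*` is accepted only as the entire leftmost label, it matches exactly one non-empty label, and at least two labels must follow it, so `*.com`, `*.` and `*` never match anything. It deliberately does not embed the Public Suffix List, which is why a pattern like `*.co.uk` would still be accepted; that is precisely the gap the mail is weighing against the cost of shipping the PSL.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* DNS names are case-insensitive, so compare labels case-insensitively. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static int count_dots(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Return 1 if the certificate name `pattern` (a dNSName SAN or the CN)
 * covers `host`, 0 otherwise.  Policy chosen for this example:
 *  - no '*'  : exact, case-insensitive match;
 *  - '*' allowed only as the whole leftmost label ("*.example.com"),
 *    so partial wildcards such as "f*.example.com" are refused;
 *  - the wildcard matches exactly one non-empty label
 *    ("a.b.example.com" does not match "*.example.com");
 *  - at least two labels must follow the wildcard, which refuses
 *    "*", "*." and "*.com" (the mail's general rule, NOT the PSL:
 *    "*.co.uk" still passes). */
int hostname_matches(const char *pattern, const char *host)
{
    const char *star = strchr(pattern, '*');
    const char *suffix, *dot;

    if (pattern[0] == '\0' || host[0] == '\0')
        return 0;
    if (!star)
        return eq_nocase(pattern, host);

    /* Exactly one '*', it must be the first character, followed by '.' */
    if (star != pattern || strchr(star + 1, '*') || pattern[1] != '.')
        return 0;

    suffix = pattern + 1;                 /* e.g. ".example.com" */
    if (count_dots(suffix) < 2)           /* refuses "*.com" and "*." */
        return 0;

    dot = strchr(host, '.');
    if (!dot || dot == host)              /* wildcard label must be non-empty */
        return 0;

    /* The host must have exactly one label more than the suffix. */
    return eq_nocase(dot, suffix);
}

int main(void)
{
    /* Constructed sample patterns and hosts, not taken from any real site. */
    static const char *cases[][2] = {
        { "*.example.com", "www.example.com" },
        { "*.example.com", "a.b.example.com" },
        { "*.com",         "example.com" },
        { "*.",            "example.com" },
        { "f*.example.com", "foo.example.com" },
        { "example.com",   "EXAMPLE.com" },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-16s -> %s\n", cases[i][0], cases[i][1],
               hostname_matches(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```

As the mail suggests, this kind of check normally belongs in the TLS library rather than in each client; OpenSSL 1.0.2 and later, for instance, provide `X509_check_host()` for it. The example above only shows what the minimal "no `*.tld`" rule buys and what it still lets through.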



