Re: [Bug-wget] Overly permissive hostname matching
From: Daniel Kahn Gillmor
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Wed, 19 Mar 2014 10:43:31 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0

On 03/19/2014 10:38 AM, Daniel Stenberg wrote:
> On Tue, 18 Mar 2014, Ángel González wrote:
>
>> Daniel, how does cURL check correctness of the certificate hostname
>> suffix?
>
> It insists on at least two dots. So yes, "*.apple" will cause problems
> for us too.

There are also errors in the opposite direction: it sounds like curl
will accept a cert for *.co.uk, right?

> I view the public suffix list as one of the worst kludges in networking
> history and while I understand why it is necessary, it is next to
> impossible to actually use sensibly in lots of environments.

I agree that the PSL is a horrible kludge; I'm not sure what other
solutions are possible though, until the DNS gets some way to specify
public registries itself (e.g. the DBOUND discussion going on in the IETF).

In the meantime, we need to figure something out, though :/

--dkg
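
Added example (not part of the original message, and not curl's or wget's code): the "at least two dots" wildcard heuristic described in the thread, next to a check against a public suffix list, run on the patterns the thread mentions. The function names and the four-entry suffix excerpt are constructed for illustration; names are assumed to be already lower-cased.

```c
#include <stdio.h>
#include <string.h>

/* Constructed excerpt standing in for the public suffix list (plain rules
 * only; the real list also has wildcard and exception rules). */
static const char *const psl_sample[] = { "com", "uk", "co.uk", "org.uk" };

/* Heuristic described in the thread: a wildcard pattern is usable only if
 * it contains at least two dots. Returns 1 if the pattern is accepted. */
int two_dot_rule_accepts(const char *pattern)
{
    int dots = 0;
    if (strncmp(pattern, "*.", 2) != 0)
        return 0;                       /* not a leftmost-label wildcard */
    for (const char *p = pattern; *p; p++)
        dots += (*p == '.');
    return dots >= 2;
}

/* Returns 1 if name is a public suffix: listed in the sample, or a single
 * label (the list's default rule treats any unlisted TLD as a suffix). */
int is_public_suffix(const char *name)
{
    if (strchr(name, '.') == NULL)
        return 1;
    for (size_t i = 0; i < sizeof psl_sample / sizeof *psl_sample; i++)
        if (strcmp(name, psl_sample[i]) == 0)
            return 1;
    return 0;
}

/* Suffix-list rule: reject a wildcard whose parent domain is itself a
 * public suffix, since it would cover names of unrelated registrants. */
int psl_rule_accepts(const char *pattern)
{
    if (strncmp(pattern, "*.", 2) != 0 || pattern[2] == '\0')
        return 0;
    return !is_public_suffix(pattern + 2);
}

int main(void)
{
    const char *samples[] = { "*.example.com", "*.co.uk", "*.apple" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-14s two-dot=%d psl=%d\n", samples[i],
               two_dot_rule_accepts(samples[i]), psl_rule_accepts(samples[i]));
    return 0;
}
```

The two rules disagree only on "*.co.uk": the dot count accepts it, while the suffix-list check rejects it because "co.uk" is a listed suffix.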