Re: [Bug-wget] Overly permissive hostname matching
From: Ángel González
Subject: Re: [Bug-wget] Overly permissive hostname matching
Date: Fri, 21 Mar 2014 21:31:51 +0100
User-agent: Thunderbird
On 18/03/14 16:00, Jeffrey Walton wrote:
> What if a certificate is issued by a trusted CA that *does*
> match part of the public suffix list (perhaps because the
> CA has determined that the application has rightful
> control over the entire zone)?
>
> In practice we know four things. First, no one authority controls the
> entire domain space in a gTLD. So it's really a non sequitur. We might
> inadvertently see it in cases like DigiNotar, but that's a negative
> case and not a typical use case. However, we should expect these
> corner cases on occasion.
>
> Second, anyone claiming such is probably trying to subvert the secure
> channel. (...)
I realised that there is a problem with private registries if trying to apply the
PSL to certificates.

There are two kinds of private registries in the PSL: full-delegation
registries (you have whole control of the domain) and content-delegation
ones. In the latter case, they are public suffixes since users can place
arbitrary content there, but the servers are under control of a single org, and
thus they can (and do) use a wildcard certificate for their domain.
See for instance blogspot.com

It is easy to exclude the private registries but there's no difference between
them. I think we should request Mozilla to split that section in two.
*********

As a different comment, I discovered that although wildcards are not restricted
in the PSL description, they will in practice appear only at the beginning,
and in fact the Mozilla implementation only supports that. This simplifies the
matching.
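The following is an added example, not code from wget, Mozilla or the thread participants. It implements the publicsuffix.org matching algorithm (wildcard rules, exception rules, longest-match) over a constructed, heavily abridged PSL excerpt that keeps the ICANN/PRIVATE section markers, and then applies the check under discussion: a certificate for `*.X` is refused when `X` is itself a public suffix. The `include_private` switch shows the problem described in the message: with the PRIVATE section included, the legitimate `*.blogspot.com` is refused; with the whole section excluded it is accepted, but so would be any full-delegation private registry, because the list gives no way to tell the two kinds apart. The function names and the `include_private` parameter are this example's own.

```python
"""Minimal Public Suffix List matcher plus a wildcard-certificate check.

Illustrative code written for this example; it is not the wget or Mozilla
implementation.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed, heavily abridged excerpt in the PSL file format.  The rules
# shown do appear in the real list, but this file is assembled for the example.
PSL_EXCERPT = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
// under .ck every second-level label is a registry, except www.ck itself
*.ck
!www.ck
// ===END ICANN DOMAINS===

// ===BEGIN PRIVATE DOMAINS===
// content-delegation hosts: one operator, per-user subdomains
blogspot.com
github.io
// ===END PRIVATE DOMAINS===
"""


@dataclass(frozen=True)
class Rule:
    labels: Tuple[str, ...]  # left to right, e.g. ("co", "uk"); "*" matches any label
    exception: bool          # rule was written with a leading "!"
    section: str             # "icann" or "private"


def parse_psl(text: str) -> List[Rule]:
    """Parse PSL text, tagging each rule with the section it came from."""
    rules: List[Rule] = []
    section = "icann"  # assumption: rules before any marker count as ICANN
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("// ===BEGIN PRIVATE DOMAINS==="):
            section = "private"
            continue
        if line.startswith("// ===END PRIVATE DOMAINS==="):
            section = "icann"
            continue
        if not line or line.startswith("//"):
            continue
        rule = line.split()[0].lower()  # the rule is the text before any whitespace
        exception = rule.startswith("!")
        if exception:
            rule = rule[1:]
        rules.append(Rule(tuple(rule.split(".")), exception, section))
    return rules


def _matches(rule: Rule, labels: Tuple[str, ...]) -> bool:
    """Compare labels right to left; a "*" in the rule matches any one label."""
    if len(labels) < len(rule.labels):
        return False
    return all(r == "*" or r == d
               for r, d in zip(reversed(rule.labels), reversed(labels)))


def public_suffix(hostname: str, rules: List[Rule], include_private: bool = True) -> str:
    """Public suffix of hostname per the publicsuffix.org algorithm.

    With include_private=False the PRIVATE section is ignored wholesale; the
    list itself does not say which private entries are full-delegation
    registries and which are content hosts, so there is no finer switch.
    """
    labels = tuple(hostname.lower().rstrip(".").split("."))
    candidates = [r for r in rules
                  if (include_private or r.section == "icann") and _matches(r, labels)]
    if not candidates:
        return labels[-1]  # no rule matched: the implicit rule is "*", i.e. the TLD alone
    exceptions = [r for r in candidates if r.exception]
    if exceptions:
        n = len(exceptions[0].labels) - 1  # exception wins; drop its leftmost label
    else:
        n = max(len(r.labels) for r in candidates)  # otherwise most labels wins
    return ".".join(labels[-n:])


def wildcard_cert_acceptable(cert_name: str, rules: List[Rule],
                             include_private: bool = True) -> bool:
    """Refuse *.X when X is itself a public suffix: such a certificate would
    match hosts registered by unrelated parties."""
    if not cert_name.startswith("*."):
        raise ValueError("not a wildcard name: %r" % cert_name)
    base = cert_name[2:].lower().rstrip(".")
    return public_suffix(base, rules, include_private) != base


if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    for name in ("*.com", "*.co.uk", "*.example.co.uk", "*.foo.ck",
                 "*.www.ck", "*.blogspot.com", "*.user.blogspot.com"):
        print("%-24s private included: %-5s  private excluded: %s" % (
            name, wildcard_cert_acceptable(name, rules),
            wildcard_cert_acceptable(name, rules, include_private=False)))
```

Running the script shows `*.com`, `*.co.uk` and `*.foo.ck` refused under both settings, `*.example.co.uk`, `*.www.ck` and `*.user.blogspot.com` accepted under both, and `*.blogspot.com` refused only while the PRIVATE section is consulted. The exception-rule handling is there because `!www.ck` is the one case where the leading-wildcard simplification mentioned above still needs the second pass.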