On Jun 9, 2:55 pm, Michael Ströder <[EMAIL PROTECTED]> wrote:

> I really wonder what makes a host name an "unqualified hostname"?

One workable definition is a host name without a dot "." (ignoring any trailing dots). For example:

example.com is qualified
foo is unqualified
com is unqualified
foo. is unqualified
foo....... is unqualified

> No doubt that https://www/ looks like a valid example to us humans. But
> how about https://com/ (top-level domain)?

It doesn't really matter what looks like a valid host name to humans. What matters is the policy under which certificates are issued. If a CA is willing to issue certs for "com" or "www" to anyone, then the certificate does not guarantee who you're talking to. (Examining the certificate in the browser is also useless in the presence of <script src="lib.js">, which might use a different cert.)

> As I noted in a previous
> posting technically you can't tell without actually trying to look up a
> hostname in DNS (without search suffix automagic).

It doesn't matter what DNS tells you. In this threat model, DNS is under the control of the attacker. What matters is what the browser can deduce from the CA's signature on the certificate.

Adam

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
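As an added example (my code, not part of the thread above), the "no dot once trailing dots are stripped" test from Adam's reply, applied to the DNS names a certificate asserts so a relying party can flag the ones a CA should never have issued. The list of names is constructed for illustration, and the wildcard handling (strip a leading "*." label before testing) is my assumption, not something the post states:

```python
"""Flag unqualified host names in a certificate's subject alternative names.

Added example, not code from the dev-tech-crypto thread. The definition of
"unqualified" is the one from the reply: no dot after trailing dots are
ignored. The wildcard rule is an assumption made here.
"""


def is_qualified_hostname(name: str) -> bool:
    """Return True if `name` still contains a dot after trailing dots are removed.

    Per the post: "example.com" is qualified; "foo", "com", "foo." and
    "foo......." are all unqualified. A name that is empty once trailing
    dots are stripped (e.g. "." or "") is not a usable host name, so it is
    treated as unqualified too.
    """
    stripped = name.rstrip(".")
    return stripped != "" and "." in stripped


def unqualified_names(san_dns_names):
    """Return the entries of a SAN dNSName list that are unqualified.

    If a CA will issue such names to anyone, a certificate carrying them
    says nothing about who you are talking to, so a relying party can
    refuse or flag them. Assumption (not from the post): a leading "*."
    wildcard label is stripped before the test, so "*.example.net" counts
    as qualified while "*" and "*." do not.
    """
    flagged = []
    for name in san_dns_names:
        label_part = name[2:] if name.startswith("*.") else name
        if not is_qualified_hostname(label_part):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample SAN list; not taken from any real certificate.
    sans = ["www.example.com", "example.com.", "www", "com",
            "mail.", "*.example.net", "*"]
    print(unqualified_names(sans))  # ['www', 'com', 'mail.', '*']
```

Note that the check deliberately never consults DNS: as the reply points out, in this threat model DNS answers are attacker-controlled, so the decision has to rest on the names the CA actually signed.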