On 2/19/09 9:37 AM, Eddy Nigg wrote: > On 02/19/2009 03:30 PM, Jean-Marc Desperrier: >> Moxie Marlinspike in Black Hat has just demonstrated a very serious i18n >> attack using a *.ijjk.cn certificate. >> >> http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf >> >> .cn is authorized for i18n, and the * will match anything, allowing all >> the classic i18n based attacks. >> > This was striking: > > Get a domain-validated SSL wildcard cert for *.ijjk.cn > >> So what the proper immediate/long term solution ? Disable punycode for >> the wildcard part of certificates ? > > Disallow domain validated wild card certificates. Make identity > validation a requirement, same as with code signing. It has been said > over and over again, not just by chance.
Other than this specific attack, what are the concerns about wildcards that would make us take such a drastic action? It sounds to me that we could and should fix this bug simply by disabling punycode for the wildcard portion. --BDS -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
