Nelson B Bolyard wrote:
On 2009-07-30 19:46 PDT, Ian G wrote:
On 31/7/09 04:29, Nelson B Bolyard wrote:
... So, a name with a NULL in it will appear
as something like www.mybank.com\00*.badguy.org
There must be something I am missing. Since when is a NULL a legal
character in a domain?
Read the article that Howard cited. It's more fun than my dry explanation.
Some lax CAs will evidently issue certs with just about anything in the
DNS names. I'd pull the plug on them if I could find them, but the
presenters at Black Hat were careful NOT to reveal which CAs made the bad
certs for them. I guess that's why they call it "Black Hat".
All these presenters make the same mistake of blaming SSL for a problem
that is not in the SSL protocol anywhere.
Look in your code for those who issue crappy certs. You have to work
around them. If their certs are defective, what makes anyone think their
internal procedures are any better? I know that there is one vendor who
blames their government's privacy policy for their crappy certs. Enough said.
Bill
<Thanks, a Million>
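The name quoted in the thread, `www.mybank.com\00*.badguy.org`, only fools code that treats the certificate's length-delimited name as a C string. The following is an added example, not part of the original message and not NSS code; the `cert_name` type, the function names and the sample bytes are constructed for illustration. It contrasts a NUL-terminated comparison with a length-aware check that rejects such names outright.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Length-delimited name as decoded from the certificate's ASN.1 string
 * (hypothetical type for this example). */
typedef struct { const unsigned char *data; size_t len; } cert_name;

/* Accept only letters, digits, '-', '.', and a leading "*." wildcard.
 * An embedded NUL or any other byte makes the name invalid. Returns 1 if ok. */
int cert_name_is_sane(const cert_name *n)
{
    if (n->len == 0 || n->len > 253)
        return 0;
    for (size_t i = 0; i < n->len; i++) {
        unsigned char c = n->data[i];
        int ldh = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-' || c == '.';
        int wildcard = (c == '*' && i == 0 && n->len > 2 && n->data[1] == '.');
        if (!ldh && !wildcard)
            return 0;
    }
    return 1;
}

/* Exact (non-wildcard) match against the host the client asked for.
 * Lengths are compared first, so the name is never truncated at a NUL. */
int cert_name_matches_host(const cert_name *n, const char *host)
{
    size_t hlen = strlen(host);
    if (!cert_name_is_sane(n) || n->len != hlen)
        return 0;
    return strncasecmp((const char *)n->data, host, hlen) == 0;
}

/* The broken pattern, for contrast: treats the certificate bytes as a
 * C string, so the comparison stops at the first NUL byte. */
int naive_matches_host(const cert_name *n, const char *host)
{
    return strcasecmp((const char *)n->data, host) == 0;
}

/* Constructed samples: the name from the thread with a real 0x00 byte,
 * and an ordinary name for comparison. */
static const unsigned char evil_bytes[] = "www.mybank.com\0*.badguy.org";
static const cert_name evil = { evil_bytes, sizeof evil_bytes - 1 };
static const unsigned char good_bytes[] = "www.mybank.com";
static const cert_name good = { good_bytes, sizeof good_bytes - 1 };
```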