On Apr 7, 12:47 am, Kurt Seifried <k...@seifried.org> wrote:
> What about "www.paypal.com[NULL].yourcompany.com"? I assume that would
> be allowed by the name constraint with respect to fixed software, but
> still hit some older software that has the NULL certificate bug.

I think "www.paypal.com[NULL].yourcompany.com" would match the name constraint, but it isn't important, since modern software will not allow that to match a requested hostname of "www.paypal.com". If some people are still using software that is vulnerable, that's their fault; we can't let them tie our hands indefinitely.

> I'm also curious what about "www.paypal.com[lots of spaces or underscores
> or something like that].yourcompany.com"?

Spaces are not a problem because Firefox will not parse a URL where the hostname contains a space. Barring spaces, this is the same concern raised in the Problematic Practices for wildcard certificates, except that the name constraints allow multiple labels (i.e., dots):

https://wiki.mozilla.org/CA:Problematic_Practices#Wildcard_DV_SSL_certificates

Personally I'm not worried about this weak attempt to fool the user. It will be pretty obvious when the Larry button shows "yourcompany.com" (browser.identity.ssl_domain_display = 1) or the whole "www.paypal.com______.yourcompany.com" (2).

-- Matt

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
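An added example, not code from the thread or from NSS/Firefox: a small Python model of the two separate checks the reply distinguishes, RFC 5280 dNSName name-constraint matching and hostname matching, run over the names discussed above. The function names and the last-two-labels approximation of browser.identity.ssl_domain_display are assumptions.

```python
# Added example (not from the thread). Assumes one dNSName SAN and one dNSName
# name constraint (RFC 5280 4.2.1.10 suffix rule); the display helper only
# approximates the Firefox pref by taking the last two labels.

def dns_name_satisfies_constraint(san: str, constraint: str) -> bool:
    """RFC 5280 dNSName constraint: the SAN equals the constraint or ends with
    '.' + constraint. A leading dot on the constraint is tolerated. The raw value
    is compared as-is, so 'www.paypal.com[NULL].yourcompany.com' does satisfy
    '.yourcompany.com', which is the reading given in the reply above."""
    san, c = san.lower(), constraint.lower().lstrip(".")
    return san == c or san.endswith("." + c)

def san_is_well_formed(san: str) -> bool:
    """Reject values a fixed verifier refuses outright: embedded NUL bytes and
    whitespace, plus empty labels. Underscores are deliberately left alone, since
    the thread treats 'www.paypal.com______.yourcompany.com' as merely ugly."""
    if "\x00" in san or any(ch.isspace() for ch in san):
        return False
    return all(label != "" for label in san.split("."))

def hostname_matches_san(requested: str, san: str) -> bool:
    """Fixed behaviour: compare the full, untruncated SAN against the requested
    host. Only a single-label wildcard in the leftmost position is honoured."""
    if not san_is_well_formed(san):
        return False
    requested, san = requested.lower(), san.lower()
    if san.startswith("*.") and san.count("*") == 1:
        return "." in requested and requested.split(".", 1)[1] == san[2:]
    return requested == san

def legacy_truncated_view(san: str) -> str:
    """What a C-string based verifier with the NULL certificate bug compared:
    everything after the first NUL byte was invisible to it."""
    return san.split("\x00", 1)[0]

def larry_button_domain(san: str, ssl_domain_display: int) -> str:
    """Approximation of browser.identity.ssl_domain_display: 1 shows the
    registered domain (assumed here to be the last two labels), 2 the full host."""
    labels = san.split(".")
    return ".".join(labels[-2:]) if ssl_domain_display == 1 else san

def verify(requested: str, san: str, constraint: str) -> dict:
    """Both checks for one (requested host, SAN, constraint) triple."""
    return {"constraint_ok": dns_name_satisfies_constraint(san, constraint),
            "hostname_ok": hostname_matches_san(requested, san)}

if __name__ == "__main__":
    print(verify("www.paypal.com", "www.paypal.com\x00.yourcompany.com", ".yourcompany.com"))
```

For the NUL name the constraint check passes while the hostname check fails, which is exactly why the reply treats the constraint question as unimportant for fixed software.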