I don't think wget should be checking correct hostname scope of the
certificate.
I mean, it'd be ok to have some general rule as "no one can use a certificate for *.whatever or *." [1], but embedding the Public Suffix List seems overkill.
And the implementation should probably be performed at openssl/gnutls level.
If an attacker was able to get a CA-signed certificate for *.com (even though browsers reject that), he is very likely to have also been able to create a certificate for the domain you are browsing, or directly a sub-CA.
Daniel, how does cURL check correctness of the certificate hostname suffix?
1- And even then, we might end up with a new TLD (e.g. *.apple) where it turns out to be correct.
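To make the two options discussed above concrete, here is an added example (not wget's or cURL's code, and not from this thread) of an RFC 6125-style wildcard matcher that applies the simple "no `*.whatever`, no `*.`" rule, alongside a separate, optional scope check that consults a public-suffix list. The function names are hypothetical, and `PUBLIC_SUFFIXES` is a constructed stand-in for the real Public Suffix List; it includes `apple` as a top-level suffix so the footnote's caveat (a legitimately wildcarded TLD is rejected by both rules) is visible.

```python
"""Wildcard hostname matching plus an optional wildcard-scope policy.

Added illustration for the wget/cURL discussion; it is not either project's
implementation. Certificate chain validation is assumed to happen elsewhere;
this code only answers "does this DNS name in the cert cover this host?".
"""

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/).
# The real list has thousands of entries; this set exists only for the demo.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "apple"}


def is_public_suffix(domain: str) -> bool:
    """True when the whole domain is a registry-controlled suffix."""
    return domain.lower().rstrip(".") in PUBLIC_SUFFIXES


def wildcard_scope_ok(pattern: str) -> bool:
    """Optional policy: a wildcard may not cover an entire public suffix.

    "*.com" or "*.co.uk" would let one certificate impersonate every site
    under that suffix, so they are refused. Exact names always pass.
    """
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return True
    return not is_public_suffix(pattern[2:])


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style comparison with the simple scope rule.

    - comparison is case-insensitive
    - a wildcard is honoured only as the entire leftmost label
    - the wildcard matches exactly one label, never zero or several
    - the wildcard must be followed by at least two labels, so "*.com"
      and "*." shaped names can never match anything (a common
      implementation rule, stricter than the RFC itself)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def check_cert_name(pattern: str, hostname: str, enforce_scope: bool) -> bool:
    """Combine plain matching with the optional public-suffix scope check."""
    if enforce_scope and not wildcard_scope_ok(pattern):
        return False
    return hostname_matches(pattern, hostname)


if __name__ == "__main__":
    cases = [
        ("*.example.com", "www.example.com"),
        ("*.example.com", "a.b.example.com"),
        ("*.com", "example.com"),
        ("*.co.uk", "example.co.uk"),
        ("*.apple", "store.apple"),
    ]
    for pat, host in cases:
        print(f"{pat:16} {host:18} simple={hostname_matches(pat, host)!s:5} "
              f"with-PSL={check_cert_name(pat, host, True)}")
```

The difference between the two rules shows up on `*.co.uk`: the simple matcher accepts it (two labels follow the wildcard), while the public-suffix policy rejects it. Both rules refuse `*.apple`, which is the situation the footnote warns about when a whole TLD is legitimately operated by one party.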