On 28/11/2017 15:53, Nick Lamb wrote:
> On Tue, 28 Nov 2017 04:26:30 +0100
> Jakob Bohm via dev-security-policy
> <[email protected]> wrote:
>> Nick Lamb, in the message I replied to, clearly suggested as much, and
>> provided a contrived scenario to "prove" that point.
> That's true, and I apologise if the effect was to de-rail the thread,
> but I certainly don't concede that just because the scenario was
> contrived it won't happen.
> I think like spear phishing we can expect to see sophisticated
> criminals targeting organisations through this sort of vulnerability,
> so-to-say "casing the joint" before their attack, figuring out exactly
> which services exist, what infrastructure is shared or public, looking
> for weaknesses. A CA needn't make that job easier.
Your scenario required a number of specific actions and vulnerabilities
at the victim end of things, most notably ordering a wildcard
certificate and (unusually) not wanting it to cover the case of no label
at the wildcard point, but also relying on the absence (after seeing its
presence) of that SAN in setting up the handling of URLs for that
service on the second server, and that server being vulnerable.
One could certainly argue that a CA should allow the subscriber to
explicitly deselect the default bonus SANs if a subscriber really wants
a certificate without that SAN. But including certain traditional
related SAN values at no extra charge and by default is generally a good
thing.
>> I am referring to the cost to the certificate subscriber, specifically
>> the cost of paying for two properly validated certificates rather than
>> two. Nick Lamb's scenario involved someone deliberately ordering both
>> *.example.com and www.example.com as separate certificates, along with
>> other circumstances.
> The price paid by the subscriber to a traditional commercial CA has
> essentially nothing to do with the marginal cost of issuing more
> certificates. If it did Let's Encrypt would have bankrupted its sponsor
> companies months ago.
The price paid by the subscriber to a commercial CA /is/ the marginal
cost as far as the subscriber is concerned. Thus it motivates
subscribers to purchase fewer certificates if possible. And that's what
I was referring to, not the cost to the CA or how that cost might
motivate the CA.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
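Added example, not part of Jakob's or Nick's messages: the hostname-matching rule behind the "no label at the wildcard point" case discussed above, i.e. why a certificate holding only *.example.com does not cover example.com, and what the default bonus SAN adds. The functions and sample SAN lists are constructed for illustration and follow the RFC 6125 / RFC 2818 matching rules browsers implement.

```python
from __future__ import annotations


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN covers hostname.

    A wildcard is honoured only as the entire leftmost label, and it
    matches exactly one label: never zero (so *.example.com does not
    cover example.com) and never more than one (a.b.example.com).
    Comparison is case-insensitive; trailing dots are ignored.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Only "*.rest" is accepted; partial wildcards ("w*.example.com") and
    # wildcards covering a whole TLD ("*.com") are rejected, as browsers do.
    if (san_labels[0] != "*" or len(san_labels) < 3
            or any("*" in label for label in san_labels[1:])):
        return False
    if len(host_labels) != len(san_labels):
        return False  # the wildcard spans exactly one label
    return host_labels[1:] == san_labels[1:]


def cert_covers(sans: list[str], hostname: str) -> bool:
    """True if any SAN in the certificate covers hostname."""
    return any(san_matches(san, hostname) for san in sans)


# Constructed sample certificates: one with the wildcard SAN only, one with
# the "bonus" bare-domain SAN that many CAs add by default.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_BASE = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, cert_covers(WILDCARD_ONLY, host),
              cert_covers(WILDCARD_PLUS_BASE, host))
```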
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy