On 02/20/2009 05:55 PM, Jean-Marc Desperrier:

Get a domain-validated SSL wildcard cert for *.ijjk.cn

Yes, it's surprising how some of such attacks seem obvious *after* they
have been done, but it takes so long to realize it can be done.

Not exactly. I found it striking because we've been discussing it (look for Comodo inclusion request of approximately April last year), however my concerns were not addressed really (besides adding it to the problematic practices which had no effect on the CA in question anyway).

The md5 collision between a normal and a *CA* certificate was similar
for me, "how the fuck did we not think earlier, when it was already
obvious someone would soon create a collision between two real md5
certs, that they just had to do that to make the attack really effective".

Right, even though I still consider it to be an effort usually not done by the cheap phishers.

This being said: Is there already a bug open for this? The only thing
that stops me opening it myself is that it might already exist but be
security restricted.

For which one, MD5 or DV wild cards? For MD5 there is a bug, for DV wild cards not.

PS: I think this discussion should be on mozilla.dev.security since
it's about a security vulnerability, not crypto and not security.policy.
Does everyone share my opinion? (I'm setting the follow-up there)

Incidentally, it should be held on the new mailing list we've got for security+policy issues (mozilla.dev.security.policy), not on security I think.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
