Duane wrote:
> Nelson B wrote:
>
>> Remember that a cert now contains a LIST of valid domain names.
>> So, if the browser were to display names from the list, which name or
>> names would it display?
>
> Well, neither any warning message nor the certificate subjectAltName
> extension refers to or displays the actual list...
>
> Not Critical
> 30 1a 82 0c 2a 2e 63 61 63 65 72 74 2e 6f 72 67
> 82 0a 63 61 63 65 72 74 2e 6f 72 67
>
> actually is supposed to be DNS:cacert.org, DNS:*.cacert.org. The only
> human-readable field is the common name, although as I pointed out in an
> earlier post any error messages display the common name, not any of the
> subjectAltNames...
Actually I wonder if that could be an attack vector... connect to
paypalfraud.com; it has an SSL certificate signed by a CA in the root store,
but the commonName has "paypal.com". You've connected to "paypalfraud.com"
but the certificate was issued for "paypal.com". Possibly a weak example,
but I'm sure there is something to it if I put more thought into it...

--
Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right, but the optimist has a
better time on the trip."

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
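To make the point concrete, here is an added example (not code from the thread or from any Mozilla component) that decodes the subjectAltName bytes quoted above into its dNSName entries and matches a hostname against that list rather than against the commonName, which is the check that defeats the paypalfraud.com scenario. The DER bytes are taken from the hex dump in the message; the wildcard rule (a lone `*` only in the leftmost label) is an assumption matching common browser practice.

```python
from typing import List, Tuple

# Constructed from the hex dump in the message above:
# SEQUENCE { dNSName "*.cacert.org", dNSName "cacert.org" }
SAN_DER = bytes.fromhex(
    "30 1a 82 0c 2a 2e 63 61 63 65 72 74 2e 6f 72 67 "
    "82 0a 63 61 63 65 72 74 2e 6f 72 67"
)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value triple at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_san_dns_names(der: bytes) -> List[str]:
    """Return the dNSName entries ([2] IMPLICIT IA5String, tag 0x82) of a GeneralNames SEQUENCE."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x82:  # other GeneralName choices (rfc822Name, iPAddress, ...) are ignored
            names.append(value.decode("ascii").lower())
    return names


def hostname_matches(hostname: str, dns_names: List[str]) -> bool:
    """Match a hostname against SAN dNSNames; '*' is accepted only as the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pattern = name.split(".")
        if pattern == host:
            return True
        # Wildcard must cover exactly one label and must not be '*.tld'.
        if pattern[0] == "*" and len(pattern) >= 3 and pattern[1:] == host[1:]:
            return True
    return False
```

Run `hostname_matches("paypalfraud.com", ["paypal.com"])` to see the mismatch the message describes rejected regardless of what the commonName says.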
