Wildcard Certs

2003-06-16 Thread martin f krafft
I just ran across http://certs.centurywebdesign.co.uk/premiumssl-wildcard.html but there are many more sites like that: Secure multiple websites with a single PremiumSSL Certificate. For organisations hosting a single domain name but with different subdomains (e.g.

Re: Session Fixation Vulnerability in Web Based Apps

2003-06-16 Thread Matthew Byng-Maddick
On Mon, Jun 16, 2003 at 10:47:04AM +0100, [EMAIL PROTECTED] wrote: session id). Authentication of subsequent pages is assumed only if the client's IP address matches the IP address stored in the session variable corresponding to the client's session. Is this secure? If not, why not? It's not

Sessions

2003-06-16 Thread Jill . Ramonsky
This has got nothing whatsoever to do with session fixation. It _has_ however, got something to do with security. In particular, with authentication. [Moderator's note: Actually, it seems to have everything to do with session fixation. --Perry] I may be ignorant about a few things but I'm

Re: Wildcard Certs

2003-06-16 Thread Stefan Kelm
Martin, Are wildcard certificates good? secure? useful? There's a problem with wildcard certs wrt how URLs are being displayed in many of the browsers, esp. the older ones. If the host name is extremely long the browser will be unable to show the complete URL to the user, with some browsers

Re: Wildcard Certs

2003-06-16 Thread martin f krafft
also sprach Stefan Kelm [EMAIL PROTECTED] [2003.06.16.1652 +0200]: Now, suppose I buy a certificate for *.i-am-bad.com (assuming that I'm the owner of that domain). I could then set up an SSL server with a hostname of something like