Wildcard Certs

2003-06-16 Thread martin f krafft
I just ran across

  http://certs.centurywebdesign.co.uk/premiumssl-wildcard.html

but there are many more sites like that:

  Secure multiple websites with a single PremiumSSL Certificate. For
  organisations hosting a single domain name but with different
  subdomains (e.g. secure.centurywebdesign.co.uk,
  www.centurywebdesign.co.uk, signup.centurywebdesign.co.uk), the
  wildcard Certificate is a cost effective and efficient means of
  securing all subdomains without the need to manage multiple
  certificates. All the features, compatibility and warranty of
  PremiumSSL included.

This strikes me as notoriously bad, although it is in accordance
with the RFC. I still don't want to accept the usefulness and
inherent security, so I'd like to get some expert opinions on this.

Are wildcard certificates good? secure? useful?
Would you employ them? If not, how would you solve the problem they
are trying to address (if you don't have your own CA)?

Thanks!

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
 
keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
get my key here: http://madduck.net/me/gpg/publickey
 
a scientist once wrote that all truth passes through three stages:
 first it is ridiculed, then violently opposed and eventually,
 accepted as self-evident.
   -- schopenhauer




Re: Session Fixation Vulnerability in Web Based Apps

2003-06-16 Thread Matthew Byng-Maddick
On Mon, Jun 16, 2003 at 10:47:04AM +0100, [EMAIL PROTECTED] wrote:
> session id). Authentication of subsequent pages is assumed only if the
> client's IP address matches the IP address stored in the session variable
> corresponding to the client's session.
> Is this secure? If not, why not?

It's not a question of whether it's secure or not, in any kind of environment
with distributed proxies, it just plain won't work.

A more useful fix is to not allow arbitrary sessionids to be created, and
generate the state on login, and destroy it on logout. There may be a
condition I've missed with this, but I'm not sure.

MBM

-- 
Matthew Byng-Maddick [EMAIL PROTECTED]   http://colondot.net/

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
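As an added example (not code from the thread or its participants), a minimal in-memory session store in Python implementing Matthew's suggestion: the server only ever issues its own session ids at login and destroys them at logout, so an id a client arrives with is never adopted. The IP check from the quoted question is included as a switchable option so its effect when the client's address changes can be observed; all names and sample values are constructed for this example.

```python
"""Session handling that resists fixation, as an in-memory sketch."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    ip: str          # client address seen at login (used only if bind_ip is on)


class SessionStore:
    """Server-side sessions: state exists only between login and logout,
    and the server never adopts a session id it did not issue itself."""

    def __init__(self, bind_ip: bool = False) -> None:
        self._sessions: Dict[str, Session] = {}
        self.bind_ip = bind_ip   # the IP check from the quoted question, switchable

    def login(self, user: str, client_ip: str,
              presented_sid: Optional[str] = None) -> str:
        # Any id the client arrived with is discarded, even if it is a live one,
        # so an id planted before login never becomes an authenticated session.
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)              # 256 random bits, unguessable
        self._sessions[sid] = Session(user, client_ip)
        return sid

    def authenticate(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user for a valid session id, else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None          # unknown id: no state is created on demand
        if self.bind_ip and s.ip != client_ip:
            return None          # also fails for legitimate users behind rotating proxies
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)                # destroy state at logout


def planted_id_becomes_valid(store: SessionStore, planted_sid: str,
                             user: str, ip: str) -> bool:
    """Regression check: a user logs in while carrying `planted_sid`;
    return whether that planted id now authenticates as the user."""
    store.login(user, ip, presented_sid=planted_sid)
    return store.authenticate(planted_sid, ip) is not None
```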


Sessions

2003-06-16 Thread Jill . Ramonsky


This has got nothing whatsoever to do with session fixation. It _has_
however, got something to do with security. In particular, with
authentication.

[Moderator's note: Actually, it seems to have everything to do with
session fixation. --Perry]

I may be ignorant about a few things but I'm learning fast, and I still
think the following question is worth my asking (and someone answering)
because I'm actually thinking of using this idea on a real web site. At the
very least, it seems to me that it ought to be more secure than NOT tracking
the IP.

> I've come up with a (very simple) defence against session hijacking and so
> on. It's probably flawed (I admit I'm not an expert on these things), so if
> someone could please tell me why it won't work, I'd be very grateful.
>
> When the user logs in, the server stores the client's IP address in a
> session variable (so it's stored at the server end - the client just gets a
> session id). Authentication of subsequent pages is assumed only if the
> client's IP address matches the IP address stored in the session variable
> corresponding to the client's session.
>
> Is this secure? If not, why not?

Jill




> [Moderator's Note: you might want to read the original paper again. It

I didn't receive the rest of this moderator's note so I don't know what it
was going to say. My apologies for not having changed the subject line from
RE: Session Fixation Vulnerability in Web Based Apps, and for not making
it clear that this is a different and unrelated thread.




Re: Wildcard Certs

2003-06-16 Thread Stefan Kelm
Martin,

> Are wildcard certificates good? secure? useful?

There's a problem with wildcard certs wrt how URLs are being displayed in 
many of the browsers, esp. the older ones. If the host name is extremely 
long the browser will be unable to show the complete URL to the user, 
with some browsers even inserting ... into the address window.   

Now, suppose I buy a certificate for *.i-am-bad.com (assuming that I'm 
the owner of that domain). I could then set up an SSL server with a 
hostname of something like   

www.security-products.microsoft.com.order.registration.checkout.user-support.i-am-bad.com

hoping that the browser will only display the more familiar looking parts 
of the URL to the user who in turn will happily accept the certificate.  

You get the idea.

Cheers,

Stefan.

Security Awareness Symposium - 24.-25.06.2003, Karlsruhe
http://www.security-awareness-symposium.de/

Dipl.-Inform. Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe

Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail [EMAIL PROTECTED], http://www.secorvo.de/
---
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
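As an added example (not from the thread), a Python hostname matcher applying the RFC 2818 rule that `*` in a certificate name covers exactly one DNS label, run against the `*.i-am-bad.com` name and the long hostname in the message above. The sample names are constructed here; the conservative refusals of partial-label wildcards and of `*.com`-style names are choices of this example.

```python
"""Hostname matching for TLS certificate names (RFC 2818 / RFC 6125 rules)."""
from typing import Iterable, List

# Constructed sample: the wildcard name from the thread and the long hostname to test.
WILDCARD_NAME = "*.i-am-bad.com"
LONG_HOSTNAME = ("www.security-products.microsoft.com.order.registration."
                 "checkout.user-support.i-am-bad.com")


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or dNSName SAN) covers hostname.

    Rule applied: '*' is accepted only as the whole leftmost label and matches
    exactly one label, so '*.a.com' covers 'foo.a.com' but not 'bar.foo.a.com'
    (RFC 2818 s.3.1).  Partial-label wildcards such as 'f*.com' are rejected,
    as is a wildcard with fewer than two fixed labels ('*.com'); both are
    conservative choices made by this example, as modern validators also do.
    """
    p, h = _labels(cert_name), _labels(hostname)
    if "*" not in cert_name:
        return p == h                       # plain name: exact label-for-label match
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False                        # wildcard must be the entire leftmost label
    if len(p) < 3:
        return False                        # refuse to cover a whole TLD like '*.com'
    # The wildcard consumes exactly one label, so the label counts must agree.
    return len(p) == len(h) and p[1:] == h[1:]


def covered_by_cert(hostname: str, cert_names: Iterable[str]) -> bool:
    """True if any name the certificate carries covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)
```

With this rule the ten-label hostname above is not covered by `*.i-am-bad.com`; only names of the form `label.i-am-bad.com` are.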





Re: Wildcard Certs

2003-06-16 Thread martin f krafft
also sprach Stefan Kelm [EMAIL PROTECTED] [2003.06.16.1652 +0200]:
> Now, suppose I buy a certificate for *.i-am-bad.com (assuming that I'm
> the owner of that domain). I could then set up an SSL server with a
> hostname of something like
>
> www.security-products.microsoft.com.order.registration.checkout.user-support.i-am-bad.com
>
> hoping that the browser will only display the more familiar looking parts
> of the URL to the user who in turn will happily accept the certificate.

I could also just buy a certificate with that name. While it is an
interesting point, I do not see how wildcard certificates make this
possible, or enhance it.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
 
keyserver problems? http://keyserver.kjsl.com/~jharris/keyserver.html
get my key here: http://madduck.net/me/gpg/publickey
 
before he died, rabbi zusya said: in the world to come they will not
ask me, 'why were you not moses?' they will ask me, 'why were you not
zusya?'

