ietf-smtp

Re: SMTP/TLS: Authentication of an SMTP server's identity

2004-05-07 10:50:14

On Thu, May 06, 2004 at 09:11:54PM -0700, Russ Allbery wrote:
> I'm very suspicious of any place where TLS is done expecting any
> certificate other than the one matching the name that the user typed into
> their configuration or program, since it opens an avenue for attack.

How about
    www.example.COM     CNAME   cname.example.ORG.
    cname.example.ORG   A       10.0.0.1

    https://www.example.com/

Will the browser complain or is it happy as long as
    cname.example.com
has a valid cert? Didn't find a setup like that for the moment, so I
can't check myself, but maybe someone on this list knows one ...

The same security problems apply as with an attacker being able to inject
an MX record.

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
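The question above is answered by the reference-identity rule in RFC 2818 section 3.1 and RFC 6125: the client checks the certificate against the host name the user typed (the URL host), not against the canonical name a CNAME chain resolves to. The following is an added example, not code from the post or from either poster; it models the CNAME setup from the message with a constructed DNS table and constructed certificate fixtures (only the dNSName SAN entries, no real X.509 parsing), and places the browser's check beside the weaker variant that would trust the DNS-derived name, so the effect of a forged CNAME or MX answer on each is visible.

```python
"""
Host name verification against a certificate's dNSName SANs.

Reference identity = the name the user typed (RFC 2818 s.3.1, RFC 6125),
not the CNAME target that DNS resolution went through. All DNS records
and certificates below are constructed fixtures for the example.
"""
from dataclasses import dataclass


@dataclass
class Cert:
    """Stand-in for an X.509 certificate; only the dNSName SAN entries matter here."""
    dns_names: list


def _san_matches(pattern: str, host: str) -> bool:
    """Match one dNSName entry per RFC 6125 s.6.4.3: case-insensitive, a wildcard
    only as the whole left-most label, never spanning a dot, and no '*.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False  # wildcard covers exactly one label
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def hostname_matches_cert(cert: Cert, hostname: str) -> bool:
    """True if any SAN entry in the certificate matches the reference identity."""
    return any(_san_matches(name, hostname) for name in cert.dns_names)


def resolve(name: str, dns_table: dict) -> str:
    """Follow CNAMEs in a constructed DNS table and return the canonical name."""
    seen = set()
    name = name.lower().rstrip(".")
    while name in dns_table and dns_table[name][0] == "CNAME":
        if name in seen:
            raise ValueError("CNAME loop")
        seen.add(name)
        name = dns_table[name][1].lower().rstrip(".")
    return name


def verify_as_browser(typed_host: str, dns_table: dict, cert: Cert) -> bool:
    """Correct check: the connection goes wherever DNS points, but the identity
    compared against the certificate is the name the user typed."""
    resolve(typed_host, dns_table)  # address lookup only; result not used for identity
    return hostname_matches_cert(cert, typed_host)


def verify_against_cname_target(typed_host: str, dns_table: dict, cert: Cert) -> bool:
    """Weak variant: lets the DNS answer choose the reference identity, so whoever
    can inject a CNAME (or, for SMTP, an MX) record also picks the accepted cert."""
    return hostname_matches_cert(cert, resolve(typed_host, dns_table))


# Constructed DNS table mirroring the records in the post.
DNS_TABLE = {
    "www.example.com": ("CNAME", "cname.example.org."),
    "cname.example.org": ("A", "10.0.0.1"),
}
# Constructed certificates: one issued for the CNAME target only, one for the typed name.
CERT_CNAME_TARGET = Cert(dns_names=["cname.example.org"])
CERT_TYPED_NAME = Cert(dns_names=["www.example.com"])
CERT_WILDCARD = Cert(dns_names=["*.example.com"])

if __name__ == "__main__":
    print("browser, cert for CNAME target :", verify_as_browser("www.example.com", DNS_TABLE, CERT_CNAME_TARGET))
    print("browser, cert for typed name   :", verify_as_browser("www.example.com", DNS_TABLE, CERT_TYPED_NAME))
    print("weak check, cert for CNAME     :", verify_against_cname_target("www.example.com", DNS_TABLE, CERT_CNAME_TARGET))
```

Run as a script it prints False, True, True: a certificate valid only for cname.example.org does not satisfy a browser that was asked for https://www.example.com/, whereas the variant that trusts the resolved name would accept it, which is exactly the MX-injection equivalence the post draws for SMTP.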