On Thu, May 06, 2004 at 09:11:54PM -0700, Russ Allbery wrote:
I'm very suspicious of any place where TLS is done expecting any
certificate other than the one matching the name that the user typed into
their configuration or program, since it opens an avenue for attack.
How about
www.example.COM CNAME cname.example.ORG.
cname.example.ORG A 10.0.0.1
https://www.example.com/
Will the browser complain or is it happy as long as
cname.example.com
has a valid cert? Didn't find a setup like that for the moment, so I
can't check myself, but maybe someone on this list knows one ...
The same security problems apply as with an attacker being able to inject
a MX record.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"