
Re: Invalid TLS certificates on example.[org,net,com]

2014-02-10 18:13:01
On Mon, Feb 10, 2014 at 6:12 PM, Mark Nottingham <mnot(_at_)mnot(_dot_)net> wrote:

Hello,

The TLS certificates presented for example.org, example.net and
example.com are not valid for those respective domains, resulting in a
certificate error when navigated to from browsers. E.g.,

  https://example.org/

I'm getting feedback from the outside world that this is causing people
*not* to use these domains as examples (e.g., in books) because it sends a
bad message about security best practices.

Given the IETF's desire to a) promote good security practices, and b)
promote the use of these domains as per RFC2606, could we please get these
served with a valid certificate?


I don't think they know they have SSL on those domains, let alone intended
to deploy.

SSL has a protocol boo-boo in that the original designer didn't realize
IPv4 exhaustion was going to be an issue. So the original SSL protocol did
not include the domain the client is trying to connect to in the handshake
(since fixed).

As a result it is possible to use https to connect to about 80% of the
sites on the net if you will accept a cert for a completely different
domain.

Peter Eckersley at the EFF is currently trying to use this for his 'ssl
everywhere' hack. Which is great for blocking pervasive intercept and no
good against an active attack or to establish accountability.



-- 
Website: http://hallambaker.com/