> On Oct 23, 2014, at 4:51 PM, Ryan Sleevi <ryan-mozdevsecpol...@sleevi.com> wrote:
>
> On Thu, October 23, 2014 1:08 pm, John Nagle wrote:
>> Examine the cert of "https://www.sevendays.co".
>>
>> Here's one of those certs with a huge number of unrelated hosts.
>> This seems to be a Cloudflare legacy setup from the pre-TLS era.
>> Unfortunately, this cert became valid on 10/09/2014. It's
>> not a legacy cert.
>
> So? It's perfectly valid and conforming with all of the policies set out
> by Mozilla and the CA/Browser Forum.

And I suspect it is related to this: http://blog.cloudflare.com/introducing-universal-ssl/

>> Should certs like this be rejected as misrepresenting the identity of
>> the organization? Junk certs like this let any domain in the cert
>> impersonate any other domain, so they are a form of "wildcard" cert.
>> Now that all major browsers have TLS, they are unnecessary and can
>> be phased out, correct?
>
> So what?
>
> 1) It's not misrepresenting the organization. BR certs do not, have not,
> and have never been a means of asserting the organization. Thinking that
> TLS certs do that is a fabrication that some CAs promulgate, but has
> nothing to do with the purpose of TLS certificates (which assert a binding
> between a *domain* and a key)
>
> 2) Calling them junk certs implies you think there's something wrong with
> them, but you'd need to spell that out. Nothing is wrong with them by any
> of the root store policies.
>
> 3) Wildcard certs are both valid and useful. They are expressly permitted
> in the BRs.

And notably, multi-SAN certs are not wild-card certs; they are far more limited. A wildcard can be used for an indefinite number of names, none of which are individually validated. A multi-SAN cert has a prescribed list of domains, each of which must be individually validated according to the BRs.

--Richard

>>
>> Firefox displays "You are connected to sevendays.co. Verified
>> by GlobalSign NV-SA" for this site. That misrepresents what the
>> cert really told Firefox.
>
> No it doesn't. You connected to the IP address returned by dns for
> sevendays.co, and received a cert certified by GlobalSign NV-SA that
> asserts that an entity with operational control over sevendays.co has
> control over a private key presented in the certificate and the TLS chain.
>
> This is all truthful and accurate information.
>
>> The message should read "You are
>> connected to one of the following sites, and give the list.
>> Or perhaps "You are connected to ssl2910.cloudflare.com" which
>> appears to be authorized to host sevendays.co". That would
>> assist in accelerating the phaseout of these old certs.
>
> Accelerating the phaseout of these certs is a non-goal with no positive
> security value.
>
>>
>> There's a real risk here. A break-in at any of those sites
>> allows impersonating all of them. This creates a huge
>> attack surface.
>
> This doesn't change at all if they're using separate certs, if the certs
> are still hosted by the same company on the same machine.
>
> I'm sorry, but I believe you've been confused as to what the purpose is,
> but there's nothing wrong with these certs.
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
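
Added example, not part of the thread: the multi-SAN versus wildcard distinction drawn in the reply above, checked against SAN lists in the dict shape returned by Python's ssl.SSLSocket.getpeercert(). The SAN lists and helper names are constructed for illustration and are not the contents of the real sevendays.co certificate.

```python
# Constructed sample data in the shape of ssl.SSLSocket.getpeercert().
# Only sevendays.co and ssl2910.cloudflare.com appear in the thread;
# the other names are made up.
MULTI_SAN_CERT = {
    "subjectAltName": (
        ("DNS", "ssl2910.cloudflare.com"),
        ("DNS", "sevendays.co"),
        ("DNS", "shop.example.net"),
    )
}
WILDCARD_CERT = {
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org"))
}


def dns_sans(cert):
    """Return the lower-cased dNSName entries of a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def san_matches(pattern, hostname):
    """Match one SAN entry against a hostname, RFC 6125 style: a wildcard
    is honoured only as the whole left-most label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice assumed here: refuse wildcards that sit
        # directly under a single label, such as "*.com".
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def covers(cert, hostname):
    """True if any dNSName SAN in the cert matches the hostname."""
    return any(san_matches(p, hostname) for p in dns_sans(cert))


def scope(cert):
    """Split SANs into enumerated names and open-ended wildcard patterns."""
    sans = dns_sans(cert)
    return {
        "enumerated": [s for s in sans if not s.startswith("*.")],
        "wildcards": [s for s in sans if s.startswith("*.")],
    }
```
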