On Thursday, 23 February 2017 01:11:54 UTC, Richard Wang wrote:
> https://crt.sh/?id=65208905 for google.ligboy.org

Without wanting to jump on this pre-existing dogpile:

This specific example is illustrative of two important factors that should be considered in examining the threat here:

1. Neither registries nor registrars in the DNS system would ordinarily have control over the existence of sub-domains. In some cases the whole _purpose_ of the registration is to create such sub-domains without further administration; it would be untenable to run e.g. blogspot.co.uk with oversight from Nominet on every sub-domain, for example. So nobody is in a position to ensure that when uninteresting.example is registered its new owners will never create an FQDN microsoft-tech-support.uninteresting.example

2. Wildcard DV certificates can't forbid such misleading labels because they deliberately cover all possible labels in that suffix. So the legitimate owner of uninteresting.example can apply for and receive a Wildcard DV certificate *.uninteresting.example and _only then_ create microsoft-tech-support.uninteresting.example for which the wildcard provides a perfectly good working SSL certificate.

Basically, "fixing" this through CA policy will either require a pretty big change in how DV is done across the industry or giving up on DV altogether. I don't believe either of those is likely.

By the way, the corporate enthusiasm for out-sourcing key internal services means you will see more and more FQDNs like fortune500corp.tiny-startup.example because the Fortunate 500 company is _paying_ the tiny startup to operate such a site for their people out on the public Internet.
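
Point 2 of the message above, as an added example that is not part of the original post: a label screen run at issuance time has nothing to inspect in a wildcard name, yet the certificate still matches the label created afterwards. The watchlist, function names and the single-label matching rule (RFC 6125 style) are assumptions chosen for illustration.

```python
# Added illustration; the watchlist and helper names are hypothetical.
WATCHLIST = ("microsoft", "google", "paypal")  # brand terms a CA might screen for


def wildcard_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: '*' stands for exactly one whole left-most label."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # '*' never spans several labels, nor the bare apex
    if san_labels[0] == "*":
        return bool(host_labels[0]) and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def issuance_screen(san: str) -> list[str]:
    """Brand terms visible in the name the CA is actually asked to certify."""
    return [term for term in WATCHLIST if term in san.lower()]


def demo() -> dict:
    san = "*.uninteresting.example"  # name on the certificate request
    later_host = "microsoft-tech-support.uninteresting.example"  # created after issuance
    return {
        "flagged_at_issuance": issuance_screen(san),
        "flagged_if_requested_by_name": issuance_screen(later_host),
        "covered_by_wildcard": wildcard_matches(san, later_host),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same screen does flag the name when it is requested explicitly, which is why the gap is specific to wildcard issuance.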