On Sun, Apr 23, 2017 at 7:41 AM, Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I was thinking of things like the GoDaddy incident reported in January
> where they had mistakenly been accepting HTTP 404s to validate a domain or
> the 2016 Comodo "re-dressing" attack where a bad guy could arrange for your
> contact to get emails from Comodo saying they need to click a button to
> prevent an SSL certificate being issued, but actually clicking will cause
> it to be issued to the attacker...
>
> In such cases bad guys can get a wildcard rather than validation just for
> one affected name, and that makes their life much easier.
Are you talking per-certificate? Because the validation method used for the domain namespace can be applied to the subdomains.

> Going further back DigiNotar was made worse by the certificate being
> issued for *.google.com, not to say it wasn't bad enough to have bad guys
> essentially issuing whatever they wanted from a trusted CA.

Right, that's the high-order bit: Wildcards would not have changed that situation at all. They also did *.*.com, so it's not like that's a strike against wildcards.

We have to remember that attacks target the weakest link, and that link isn't wildcards, under any of the present or (unfortunately) proposed validation methods.

> Also whenever we see people blaming the issuer for phishing sites
> protected by SSL, a wildcard would of course let its subscriber create any
> number of phishing sites, without any oversight of the names used prior to
> issuance. I happen to think that's fine, but it wouldn't even be a factor
> without wildcards.

Well, again, that's misstating that there is any oversight today. There isn't - nothing formalized or normalized, it's ad-hoc, CA defined procedures.

Considering that CAs are deciding that violating the BRs by doing things like cross-signing unaudited sub-CAs because they determined "there wouldn't be any risk" because of contractual prohibitions, I hope we can see that the argument that CAs are technically capable and cognizant, to the same level, across the industry, is uh... wishful thinking :)