The thing is, extraneous names on a certificate present a subtle security flaw, even if control over those names was validated properly.
I agree: if the user is not fully aware of these additions, they can add subtle security flaws such as "virtual host confusion attacks" (http://antoine.delignat-lavaud.fr/doc/www15.pdf) or bugs with http2 connection coalescing (https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/).
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy