While it may be true that the certificates in question do not contain SANs, unfortunately, the certificates may still be trusted for SSL since they do not have EKUs.
For an example see "The most dangerous code in the world: validating SSL certificates in non-browser software" which is available at https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html What you will see that hostname verification is one of the most common areas applications have a problem getting right. Often times they silently skip hostname verification, use libraries provide options to disable host name verifications that are either off by default, or turned off for testing and never enabled in production. One of the few checks you can count on being right with any level of predictability in my experience is the server EKU check where absence is interpreted as an entitlement. Ryan Hurst (writing in a personal capacity) _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
