Nelson Bolyard wrote:
[...]
Wildcards are not an essential part of this attack. They merely were a
convenience for this demonstration, but the attack could have been done
without using a wildcard cert. Even eliminating wildcard certs altogether
would not stop this attack.
> This being said : Is there already a bug open for this ? The only thing
> that stops me opening it myself is that it might already exist but be
> security restricted.
Yes, there is, and yes, it is.
So why is it still security restricted when the problem is out in the
open ?
Yes, the way of exploiting the failure without a wildcard cert is
apparently not yet out in the open. But :
- it's either a matter of days or hours
- CA are still issuing wildcard certificates, so attackers don't need to
know a wildcard is not really required to exploit the failure
- I don't expect there will be any effort to try to stop CA from issuing
dangerous wildcard certificates, since it won't solve the problem at large.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security