On 11/04/2009 11:32 PM, Collin Jackson:
> I've found several certificate authorities that issue certificates for
> internal domains, including Comodo, VeriSign, and completessl.com.
> Adam Barth and I filed a bug on this issue in 2007. These
> certificates are easy to acquire, but I don't see how they're less
> secure than HTTP, so we've been advocating that browsers show
> a broken lock:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=401317


Hi Collin,

The point with this certificate is that this is a real, valid TLD.

Second, the problematic practices already has this listed: https://wiki.mozilla.org/CA:Problematic_Practices#Certificates_referencing_hostnames_or_private_IP_addresses

This item has also been taken to the CAB Forum and is being discussed and hopefully will be included in the Basic SSL Guidelines, which are in the making. Host names and internal IP addresses provide *NO PROTECTION* whatsoever and are pure snake oil. CAs which issue such certificates deceive their customers and relying parties.

In this particular issue, the above doesn't apply since this was issued to a non-existing domain name of a real TLD.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
