On 2009-07-30 19:46 PDT, Ian G wrote:
> On 31/7/09 04:29, Nelson B Bolyard wrote:
>> ... So, a name with a NULL in it will appear
>> as something like www.mybank.com\00*.badguy.org
>
> There must be something I am missing. Since when is a NULL a legal
> character in a domain?

Read the article that Howard cited. It's more fun than my dry explanation.
Some lax CAs will evidently issue certs with just about anything in the DNS
names. I'd pull the plug on them if I could find them, but the presenters
at Black Hat were careful NOT to reveal which CAs made the bad certs for them.
I guess that's why they call it "Black Hat".

All these presenters make the same mistake of blaming SSL for a problem
that is not in the SSL protocol anywhere.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
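
Added example, not part of the original message and not Mozilla or NSS code: a C illustration of why the name quoted above matters to a client that handles certificate names as C strings, next to a length-aware check that rejects it. The function names and sample bytes are constructed for illustration, and the naive comparison is an assumed client behaviour, not one described in this thread.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: the name quoted in the message, held as bytes plus an
 * explicit length, the way a DER-encoded string carries it. */
static const unsigned char SAMPLE_NAME[] = "www.mybank.com\0*.badguy.org";
#define SAMPLE_LEN (sizeof(SAMPLE_NAME) - 1)

/* Assumed naive client: treats the name as a C string, so the comparison
 * stops at the first NUL byte. Returns 1 on "match". */
int naive_match(const unsigned char *name, size_t len, const char *host)
{
    (void)len; /* the encoded length is ignored: this is the defect */
    return strcmp((const char *)name, host) == 0;
}

/* Returns 1 only if every byte is one a certificate DNS name may contain:
 * letters, digits, '-', '.', and '*' (wildcard). NUL is rejected. */
int dns_name_bytes_ok(const unsigned char *name, size_t len)
{
    if (len == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '*';
        if (!ok) return 0;
    }
    return 1;
}

/* Length-aware check: reject illegal bytes, then compare over the full
 * encoded length, case-insensitively. Wildcard expansion is left out. */
int strict_match(const unsigned char *name, size_t len, const char *host)
{
    if (!dns_name_bytes_ok(name, len) || len != strlen(host)) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char a = name[i], b = (unsigned char)host[i];
        if (a >= 'A' && a <= 'Z') a += 32;
        if (b >= 'A' && b <= 'Z') b += 32;
        if (a != b) return 0;
    }
    return 1;
}
```
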