On Mon, 25 Feb 2013 19:07:20 -0600, Jimmy Hess said:

> If the domain in a certificate were not interpreted as a FQDN by the
> client, this would mean that the certificate for
> CN=bigbank.example.com
> might be used to authenticate a connection to https://bigbank.example.com
> which, due to the local resolver search order, is in fact a DNS lookup of
> bigbank.example.com.intranet.example.com
>
> Which might be captured by a Wildcard A record for *.com found in
> the intranet.example.com. zone and pointed to a server
> containing a phishing attack against bigbank.example.com; with a
> DNS cache poisoned by a false negative cache NXDOMAIN entry for
> bigbank.example.com.
I am *sooo* tempted to say "I recommend my competitors do DNS lookups this way" :)
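As an added example, not part of the original thread: a small Python model of the stub-resolver search-list behaviour described above, showing which of the names actually queried a certificate for bigbank.example.com does not name at all. The search list, ndots value and wildcard record are constructed for the demonstration; the ndots rule follows the glibc resolver's documented behaviour.

```python
"""Model of search-list expansion vs. certificate names (added example)."""
from typing import List


def candidate_lookups(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Names a glibc-style stub resolver queries, in order, for `name`.

    A trailing dot marks a fully qualified name: the search list is skipped.
    Otherwise a name with at least `ndots` dots is tried as-is first and the
    search suffixes are appended only after an NXDOMAIN (which is exactly
    where a poisoned negative-cache entry steers the client); a name with
    fewer dots has the suffixes tried first and the bare name last.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [name + "."] + suffixed
    return suffixed + [name + "."]


def matches_cert_name(cn: str, queried: str) -> bool:
    """Exact comparison: the certificate's name is anchored at the DNS root."""
    return cn.rstrip(".").lower() + "." == queried.lower()


def risky_lookups(cn: str, search: List[str], ndots: int = 1) -> List[str]:
    """Queried names that the certificate for `cn` does not name."""
    return [q for q in candidate_lookups(cn, search, ndots)
            if not matches_cert_name(cn, q)]


def wildcard_covers(wildcard: str, qname: str) -> bool:
    """Simplified RFC 4592 check: `*.parent` covers any name with one or more
    labels below `parent` (assumes no closer-matching name exists in the zone)."""
    if not wildcard.startswith("*."):
        return False
    parent = wildcard[2:].rstrip(".").lower() + "."
    q = qname.lower()
    return q != parent and q.endswith("." + parent)


if __name__ == "__main__":
    # Constructed settings: a corporate search list and the wildcard record
    # from the scenario in the thread.
    search_list = ["intranet.example.com"]
    for q in risky_lookups("bigbank.example.com", search_list):
        covered = wildcard_covers("*.com.intranet.example.com", q)
        print(f"{q}: not named by cert, wildcard match={covered}")
```

The mitigation this illustrates is the one the thread argues for: treat the certificate name as a FQDN and compare it only against the fully qualified name that was actually resolved.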