Hi Patrick,

>> can you please elaborate on where you see a security drawback
>> in the attack scenario you mentioned when using wildcard
>> certs over non-wildcard certs?

Principle of least privilege dictates that only a single server (or possibly related servers) be "authenticated". However, a wild card will match all hosts (some hand waving here) - even if the host was put in place by a bad guy. I'm aware of a couple of tools that will flag it. Exchange's Security Analyzer is one of them.

A related attack from Black Hat: http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf.

If you're wondering why VeriSign, Comodo, and gang sell them, that's easy - money.

Jeff

On Mon, Jun 7, 2010 at 5:37 AM, Eisenacher, Patrick <[email protected]> wrote:
>> -----Original Message-----
>> From: Eisenacher, Patrick
>>
>> Hi Jeff,
>>
>> > -----Original Message-----
>> > From: Jeffrey Walton
>> >
>> > Hi Vieri,
>> >
>> > >> How does one issue a cert for multiple CN?
>> > >> Suppose I have just one HTTP server but it can be accessed
>> > >> via multiple FQDN... I suppose I need to use subjectAltName?
>> > >
>> > > Subject alternative name is one possibility. If you need a cert for
>> > > several hosts/hostnames belonging to the same domain, a wildcard
>> > > CN comes to mind as well, eg. "*.domain.com".
>> > Wild carding usually makes the security folks cringe. A bad guy can
>> > stand up a malicious server, and the server appears legit to the
>> > outside world due to the wild card.
>>
>> can you please elaborate on where you see a security drawback
>> in the attack scenario you mentioned when using wildcard
>> certs over non-wildcard certs?
>
> Anybody else? Jeff's been MIA since a week and I still can't see why anybody
> would cringe...
>
> Patrick Eisenacher

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
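The coverage difference Jeff describes, as an added example that is not part of the original thread: a small Python model of certificate name matching (the usual RFC 6125 reading of wildcards) that compares the wildcard CN "*.domain.com" from the thread against an explicit subjectAltName list. The name lists and hostnames are constructed for illustration, not taken from real certificates.

```python
"""Model of which hostnames a presented certificate name covers.

Wildcard rules as commonly implemented (RFC 6125 style):
  * "*" is accepted only as the entire leftmost label ("*.domain.com");
  * it matches exactly one label: not the bare domain ("domain.com")
    and not a deeper name ("a.b.domain.com");
  * all other labels are compared case-insensitively and exactly.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a CN/SAN entry `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ("w*.domain.com") and wildcards in any
    # label other than the leftmost one.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # The wildcard stands in for exactly one label.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name listed in the certificate matches the hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


# Constructed name lists standing in for two certificates.
WILDCARD_CERT = ["*.domain.com"]
SAN_CERT = ["www.domain.com", "mail.domain.com"]  # explicit subjectAltName


def coverage_report(hostnames):
    """Map hostname -> (covered by wildcard cert, covered by SAN cert)."""
    return {h: (cert_covers(WILDCARD_CERT, h), cert_covers(SAN_CERT, h))
            for h in hostnames}


if __name__ == "__main__":
    # "newbox" is a host that was never part of the operator's inventory:
    # the wildcard covers it anyway, the SAN list does not.
    for host, (wild, san) in coverage_report(
            ["www.domain.com", "newbox.domain.com",
             "domain.com", "a.b.domain.com"]).items():
        print(f"{host:20s} wildcard={wild!s:5s} san={san}")
```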
