Re: TLS servers with overbroad certificates may mishandle diverted connections
From: Florian Weimer <fweimer () bfk de>
Date: Tue, 15 Mar 2011 07:37:01 +0000
* Matt McCutchen:
> To test a server, simply view its certificate, choose a DNS name for
> which the certificate is valid but for which the server is not listed in
> DNS, and map that name to the server in your hosts file.
So you need a certificate to make this work. This is out of scope of
what TLS protects against. If you've got a breach on the X.509 side
of things, TLS won't help you (if you rely on X.509 certificates).
> An HTTP redirect to a non-TLS site is bad: if it happens on a request
I agree that this can be a problem, but it is not a protocol issue.
It's a server-side misconfiguration, combined with a certificate that
was inappropriately acquired or shared.
Florian Weimer <fweimer () bfk de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
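The check described in the thread, written up as an added example for an operator auditing their own server (this is not code from either poster): list the DNS names the certificate vouches for, subtract the names you actually serve, and see how the default vhost answers a TLS connection that presents one of the leftover names. Function names, the "DOWNGRADE"/"REDIRECT"/"REJECTED"/"SERVED" labels and the sample inputs are this example's own assumptions.

```python
import socket
import ssl

def san_dns_names(peercert):
    """DNS names in the subjectAltName of an ssl.getpeercert() dict (wildcards included)."""
    return sorted({v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"})

def unserved_names(san_names, served_names):
    """Names the certificate vouches for but the operator has no vhost for.

    Wildcard entries are reported as-is: they cannot be enumerated, so the
    operator has to decide what an arbitrary host under them should get."""
    served = set(served_names)
    return [n for n in san_names if n not in served]

def parse_response(raw):
    """Return (status, location) from a raw HTTP response; location is None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location

def classify(status, location):
    """How the default vhost treated a request for a name it does not serve."""
    if 300 <= status < 400 and location and location.lower().startswith("http://"):
        return "DOWNGRADE"      # the redirect sends the client to a plaintext URL
    if 300 <= status < 400:
        return "REDIRECT"       # redirect stays on https (absolute https or relative)
    if status >= 400:
        return "REJECTED"       # e.g. 421 Misdirected Request or 404
    return "SERVED"             # default site answers under the wrong name

def probe(ip, name, port=443, timeout=5.0):
    """TLS-connect to `ip` with SNI and Host set to `name`, as a client whose DNS
    or hosts file maps `name` there would; verification uses `name`, so the
    handshake fails unless the certificate really covers it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=name) as tls:
            tls.sendall(f"GET / HTTP/1.0\r\nHost: {name}\r\n\r\n".encode())
            raw = b""
            while chunk := tls.recv(4096):
                raw += chunk
    return classify(*parse_response(raw))
```

Run `probe("<your server ip>", name)` for each name returned by `unserved_names`; a "DOWNGRADE" result is the misconfiguration the thread discusses, and "REJECTED" (ideally 421) is the answer a correctly configured default vhost should give.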