
Full Disclosure mailing list archives
Re: TLS servers with overbroad certificates may mishandle diverted connections
From: Florian Weimer <fweimer () bfk de>
Date: Tue, 15 Mar 2011 07:37:01 +0000
* Matt McCutchen:

> To test a server, simply view its certificate, choose a DNS name for which the certificate is valid but for which the server is not listed in DNS, and map that name to the server in your hosts file.
So you need a certificate to make this work. This is out of scope of what TLS protects against. If you've got a breach on the X.509 side of things, TLS won't help you (if you rely on X.509 certificates).
> An HTTP redirect to a non-TLS site is bad: if it happens on a request for a JavaScript file, the attacker can now inject malicious code.
I agree that this can be a problem, but it is not a protocol issue. It's a server-side misconfiguration, combined with a certificate that was inappropriately acquired or shared.

-- 
Florian Weimer <fweimer () bfk de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
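The two conditions the thread describes, a certificate covering names the server is not configured to answer for, and an HTTPS request being redirected to plain HTTP, can both be checked from the server operator's side. The following is an added example written for this archive page, not code from either poster: it takes the certificate's dNSName SAN entries and the server's configured virtual-host names (both constructed samples here), reports SAN entries no virtual host accounts for, and flags a redirect whose Location downgrades an https:// request to http://. Wildcard matching follows the RFC 6125 rule that `*` stands for exactly one leftmost label.

```python
"""Audit helper for overbroad TLS certificates and HTTPS-to-HTTP redirects.

Added example; not from the Full-Disclosure thread. All inputs below are
constructed samples, not data from any real server.
"""
from typing import List
from urllib.parse import urlsplit

# Constructed sample: dNSName entries from the server's certificate SAN.
SAMPLE_SAN = ["www.example.com", "*.example.com", "example.com", "cdn.example.net"]

# Constructed sample: names the server's virtual-host configuration answers for.
SAMPLE_VHOSTS = ["www.example.com", "example.com", "static.example.com"]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: '*' may replace only the whole leftmost
    label and never spans a dot, so *.example.com matches www.example.com
    but neither a.b.example.com nor example.com itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def unserved_names(san: List[str], vhosts: List[str]) -> List[str]:
    """Return SAN entries that the virtual-host configuration does not
    account for. A wildcard entry is always reported, because it covers
    every sibling label and therefore more names than any explicit vhost
    list; a literal entry is reported when no vhost equals it."""
    flagged = []
    for entry in san:
        if entry.startswith("*."):
            flagged.append(entry)
        elif not any(san_matches(entry, v) for v in vhosts):
            flagged.append(entry)
    return flagged


def is_downgrade_redirect(request_url: str, location: str) -> bool:
    """True when a response to an https:// request carries a Location
    header with an explicit http:// scheme. Relative Locations keep the
    request scheme and are not downgrades."""
    return urlsplit(request_url).scheme == "https" and urlsplit(location).scheme == "http"


def audit(san: List[str], vhosts: List[str], request_url: str, location: str) -> dict:
    """Combine both checks into one report for the operator."""
    return {
        "unserved_san_entries": unserved_names(san, vhosts),
        "downgrade_redirect": is_downgrade_redirect(request_url, location),
    }


if __name__ == "__main__":
    # Constructed scenario: a script fetched over HTTPS under an unserved
    # name is answered with a redirect to plain HTTP.
    report = audit(SAMPLE_SAN, SAMPLE_VHOSTS,
                   "https://cdn.example.net/app.js", "http://cdn.example.net/app.js")
    for key, value in report.items():
        print(f"{key}: {value}")
```

In practice the SAN list comes from the deployed certificate (for example via `openssl x509 -noout -ext subjectAltName`) and the vhost list from the web server configuration; any entry the audit reports is a name for which the server should either be configured explicitly or which should be dropped from the certificate.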