Re: Invalid TLS certificates on example.[org,net,com]


On Mon, Feb 10, 2014 at 6:12 PM, Mark Nottingham <mnot@xxxxxxxx> wrote:
> Hello,
>
> The TLS certificates presented for example.org, example.net and example.com are not valid for those respective domains, resulting in a certificate error when navigated to from browsers. E.g.,
>
>   https://example.org/
>
> I'm getting feedback from the outside world that this is causing people *not* to use these domains as examples (e.g., in books) because it sends a bad message about security best practices.
>
> Given the IETF's desire to a) promote good security practices, and b) promote the use of these domains as per RFC2606, could we please get these served with a valid certificate?

I don't think they know they have SSL on those domains, let alone intended to deploy it.

SSL has a protocol boo-boo in that the original designer didn't realize IPv4 exhaustion was going to be an issue. So the original SSL protocol did not include the domain the client is trying to connect to in the handshake (since fixed).

As a result it is possible to use https to connect to about 80% of the sites on the net if you will accept a cert for a completely different domain.

Peter Eckersley at the EFF is currently trying to use this for his 'ssl everywhere' hack. This is great for blocking pervasive intercept, but no good against an active attack or for establishing accountability.

--
Website: http://hallambaker.com/
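The two mechanisms behind this exchange, as an added example that is not part of the thread or of either poster's code: the TLS server_name (SNI) extension of RFC 6066 that carries the requested hostname in the ClientHello (the field the original SSL handshake lacked), and the hostname check a browser runs against a certificate's subjectAltName dNSName entries (RFC 6125 rules), which is what fails when a server answers with a certificate for some other domain. The SAN lists and extension bytes below are constructed for illustration; they are not the certificates the example.* hosts actually served.

```python
"""Added example (not from the mailing-list thread): SNI encoding/parsing and
RFC 6125-style hostname matching, with constructed sample data."""
import struct
from typing import List, Optional

SNI_EXTENSION_TYPE = 0      # server_name, RFC 6066 section 3
HOST_NAME_TYPE = 0          # NameType.host_name


def build_sni_extension(hostname: str) -> bytes:
    """Encode one server_name extension as it appears in a ClientHello."""
    name = hostname.encode("idna")                           # A-label form
    server_name = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def parse_sni(extensions: bytes) -> Optional[str]:
    """Walk a ClientHello extensions block (the bytes after the 2-byte
    extensions length) and return the host_name, or None if the client sent
    no SNI, which is exactly the pre-SNI situation described in the reply."""
    i = 0
    while i + 4 <= len(extensions):
        ext_type, ext_len = struct.unpack("!HH", extensions[i:i + 4])
        data = extensions[i + 4:i + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        i += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        if len(data) < 2:
            raise ValueError("malformed server_name extension")
        end = 2 + struct.unpack("!H", data[:2])[0]
        j = 2
        while j + 3 <= end:
            name_type = data[j]
            name_len = struct.unpack("!H", data[j + 1:j + 3])[0]
            name = data[j + 3:j + 3 + name_len]
            if len(name) != name_len:
                raise ValueError("truncated ServerName")
            j += 3 + name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def hostname_matches(hostname: str, dns_names: List[str]) -> bool:
    """Return True if `hostname` is covered by one of the certificate's
    dNSName SAN entries. Wildcards are accepted only as the entire left-most
    label, match exactly one label, and need at least two labels after them
    (so '*.org' is rejected)."""
    host = hostname.lower().rstrip(".")
    h_labels = host.split(".")
    for entry in dns_names:
        pat = entry.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*.") and "*" not in pat[2:]:
            p_labels = pat.split(".")
            if (len(p_labels) >= 3
                    and len(h_labels) == len(p_labels)
                    and h_labels[1:] == p_labels[1:]):
                return True
    return False


# Constructed sample: a SAN list for an unrelated domain, like the mismatch
# the original poster saw (the real certificate contents are not reproduced).
SAMPLE_SAN = ["www.example-hosting.test", "example-hosting.test"]


def explain(hostname: str, san: List[str]) -> str:
    """Summarise the browser's verdict for a requested hostname."""
    ok = hostname_matches(hostname, san)
    return f"{hostname}: {'valid' if ok else 'NAME MISMATCH'} against {san}"


if __name__ == "__main__":
    hello_ext = b"\x00\x0a\x00\x02\x00\x17" + build_sni_extension("example.org")
    print("SNI in ClientHello:", parse_sni(hello_ext))
    print("SNI in pre-SNI ClientHello:", parse_sni(b"\x00\x0a\x00\x02\x00\x17"))
    print(explain("example.org", SAMPLE_SAN))
    print(explain("www.example.org", ["*.example.org"]))
```

Against a live host the same comparison is what `openssl s_client -connect example.org:443 -servername example.org` lets you eyeball: run it once with and once without `-servername` and compare the subject and subjectAltName of the returned certificate with the name you asked for.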
