https - hopefully not too stupid a question
Peter Fairbrother
zenadsl6186 at zen.co.uk
Sun Jun 17 18:58:38 BST 2012
Roland Perry wrote:
> In article <4FDE04AF.5000903 at zen.co.uk>, Peter Fairbrother
> <zenadsl6186 at zen.co.uk> writes
>> I think the browsers are looking to check the hostname in the
>> requested URL matches the hostname in the certificate - and it
>> doesn't, 65.55.25.59 != www.update.microsoft.com
>>
>> Both actions seem like perfectly good behaviour to me.
>
> As a "user" I'd expect the browser to connect the two concepts, it's not
> as if DNS hasn't been invented yet.
Let me rephrase that - they seem like secure behaviour.
Mismatches between hostname strings in requested URLs and hostname
strings in certificates are probably the most common cause of false
positive security alerts in browsers
- witness the recent "Query on security certificates (possibly OT)"
thread here -
but I can think of no other realistic and secure way than to ensure that
the strings match, and that the certificate owner is who the user thinks
he is.
And it's solely up to the website owner to ensure that the strings match -
- if he links to a page named "trading.ANONYMISED.co.uk" rather than
"www.ANONYMISED.co.uk" then he only has himself to blame if we think his
coders cannot be properly security-minded if they made that kiddy mistake,
- and moreover, if we wonder at how this update could have been
committed when it was in such an untested state as to produce
certificate warnings.
-- Peter F
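The check the thread is discussing, as an added example that is not part of the original post: a simplified version of the name matching a browser performs (modelled on RFC 6125), showing why an IP literal in the URL is never matched against a certificate issued for a DNS name. The subjectAltName entries are constructed sample data, not taken from any real certificate.

```python
# Added example (not from the ukcrypto thread): simplified browser-style
# hostname verification. SAMPLE_SAN is constructed sample data standing in
# for a certificate's subjectAltName extension.
import ipaddress

# Constructed sample: names a certificate for the update host might carry.
SAMPLE_SAN = {
    "dns": ["www.update.microsoft.com", "*.update.microsoft.com"],
    "ip": [],
}


def _dns_label_match(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a host. A single '*' is allowed
    only as the entire leftmost label (e.g. '*.example.com'), and it must
    cover exactly one label; '*.com'-style patterns are rejected."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(requested: str, san: dict) -> bool:
    """Return True if the host in the requested URL is covered by the cert.

    An IP literal in the URL (65.55.25.59 in the thread) is compared only
    against iPAddress entries, never against dNSName entries. The browser
    deliberately does not consult DNS to "connect the two concepts", so a
    certificate for www.update.microsoft.com cannot satisfy a request to
    https://65.55.25.59/ and a warning is the correct outcome.
    """
    try:
        ip = ipaddress.ip_address(requested.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(a) for a in san.get("ip", []))
    return any(_dns_label_match(p, requested) for p in san.get("dns", []))
```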