https - hopefully not too stupid a question

Peter Fairbrother zenadsl6186 at
Sun Jun 17 18:58:38 BST 2012

Roland Perry wrote:
> In article <4FDE04AF.5000903 at>, Peter Fairbrother 
> <zenadsl6186 at> writes
>> I think the browsers are looking to check the hostname in the 
>> requested URL matches the hostname in the certificate - and it 
>> doesn't, !=
>> Both actions seem like perfectly good behaviour to me.
> As a "user" I'd expect the browser to connect the two concepts, it's not 
> as if DNS hasn't been invented yet.

Let me rephrase that - they seem like secure behaviour.

Mismatches between hostname strings in requested URLS and hostname 
strings in certificates are probably the most common cause of false 
positive security alerts in browsers

- witness the recent "Query on security certificates (possibly OT)" 
thread here -

but I can think of no other realistic and secure way than to ensure that 
the strings match, and that the certificate owner is who the user thinks 
he is.

And it's solely up to the website owner to ensure that the strings match -

- if he links to a page named "" rather than 
"" then he only has himself to blame if we think his 
coders cannot be properly security-minded if they made that kiddy mistake,

- and moreover, if we wonder at how this update could have been 
committed when it was in such an untested state as to produce 
certificate warnings.

-- Peter F

More information about the ukcrypto mailing list