https - hopefully not too stupid a question

Jon Ribbens jon+ukcrypto at unequivocal.co.uk
Sun Jun 17 18:43:34 BST 2012


On Sun, Jun 17, 2012 at 05:57:41PM +0100, Roland Perry wrote:
> In article <4FDE04AF.5000903 at zen.co.uk>, Peter Fairbrother  
> <zenadsl6186 at zen.co.uk> writes
>> I think the browsers are looking to check the hostname in the requested 
>> URL matches the hostname in the certificate - and it doesn't,  
>> 65.55.25.59 != www.update.microsoft.com
>>
>> Both actions seem like perfectly good behaviour to me.
>
> As a "user" I'd expect the browser to connect the two concepts, it's not  
> as if DNS hasn't been invented yet.

It would be a security hole if it worked as you suggest - the whole
point of SSL is that you can know who you're talking to (and that
you can't be overheard). How many users are going to know that
"65.55.25.59" is who they want to talk to, and "65.22.25.59" is not?
It's bad enough already with hostnames that look similar!
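
The check discussed in this thread, as an added example that is not part of the original post or of any browser's code: the name the user typed is compared with the names inside the certificate, and DNS is never consulted to bridge an IP address to a hostname. The function names and the certificate name lists are constructed for illustration, and the wildcard handling is a simplified assumption.

```python
import ipaddress

# Constructed sample: name lists as they might be read from a certificate's
# subjectAltName extension (assumption, not taken from a real certificate).
SAN_DNS = ["www.update.microsoft.com"]
SAN_IP = []


def _dns_match(pattern, host):
    """Compare one certificate DNS name with the typed hostname.

    A '*' is honoured only as the entire left-most label and covers
    exactly one label (simplified wildcard rule).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def verify_identity(url_host, san_dns, san_ip):
    """Return True only if the host typed in the URL is named in the cert.

    An IP literal is compared with IP entries only; a hostname is compared
    with DNS entries only. No forward or reverse lookup is performed,
    because DNS answers are not authenticated by the certificate.
    """
    try:
        typed_ip = ipaddress.ip_address(url_host)
    except ValueError:
        typed_ip = None
    if typed_ip is not None:
        return any(typed_ip == ipaddress.ip_address(ip) for ip in san_ip)
    return any(_dns_match(name, url_host) for name in san_dns)


if __name__ == "__main__":
    for host in ("www.update.microsoft.com", "65.55.25.59", "65.22.25.59"):
        print(host, "->", verify_identity(host, SAN_DNS, SAN_IP))
```

With these constructed lists only the hostname is accepted; both IP addresses are rejected alike, since nothing in the certificate names either of them.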


