Subject: Re: Remembering Passwords in IE
From: Scott Renfro (scottRENFRO.ORG)
Date: Thu Apr 06 2000 - 11:11:05 CDT


On Wed, Apr 05, 2000 at 06:35:02PM +0100, Dom De Vitto wrote:
>
> I've a client that has two sets of systems, live and test.
>
> Live systems are https://www.whatever, test is https://www-test.whatever
>
> Though set up with identical files & certs (just different names)
> www-test never spits out any complaints from our browsers....
>
> I think the hostname->cert matching is "optional"...

The hostname->subject common name check isn't optional (or shouldn't
be and doesn't appear to be on NS and IE5), but both browsers
support the use of a '*' wildcard to allow matching multiple
machines in a single domain.

So a certificate issued to *.example.com would pass the name
check for www.example.com, test.example.com, and rogue.example.com.
The version 4 browsers (I haven't tried this lately) would
allow the * to be used to mask out larger namespaces (e.g.,
*.com). I don't remember, but it seems that one or more
browsers allowed a common name of '*' to match any domain name.

In practice, the rogue use of this feature (e.g., getting a
cert issued to '*' rather than '*.example.com') is supposed to
be prevented by diligent Certification Authorities. Are all
the issuing CAs under these 107 trusted root CAs that ship
with IE5 applying this diligence? Your guess is as good as mine.

-scott
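
Added example, not part of the original message: a Python sketch contrasting the permissive wildcard matching described above (where `*` can cover `*.com` or everything) with a stricter check that accepts `*` only as the whole leftmost label. The function names, the `min_fixed_labels` policy and the sample hostnames are assumptions for illustration; a label count is a stand-in for the public suffix data a real client would consult.

```python
import re

def lenient_match(hostname, cn):
    """Permissive check: '*' stands for any run of characters, dots included."""
    pattern = re.escape(cn.lower()).replace(r"\*", ".*")
    return re.fullmatch(pattern, hostname.lower()) is not None

def strict_match(hostname, cn, min_fixed_labels=2):
    """Stricter check (assumed policy): '*' must be the entire leftmost label,
    covers exactly one label, and must be followed by at least
    min_fixed_labels literal labels, so '*' and '*.com' never match."""
    host = hostname.lower().rstrip(".").split(".")
    name = cn.lower().rstrip(".").split(".")
    if "*" not in cn:
        return host == name                      # plain name: exact match only
    if name[0] != "*" or any("*" in label for label in name[1:]):
        return False                             # partial or non-leftmost wildcard
    if len(name) - 1 < min_fixed_labels:
        return False                             # wildcard spans too large a namespace
    return len(host) == len(name) and host[0] != "" and host[1:] == name[1:]

def audit(cn, hostnames):
    """Map each hostname to (lenient_result, strict_result) for one CN."""
    return {h: (lenient_match(h, cn), strict_match(h, cn)) for h in hostnames}

# Constructed sample hostnames, not taken from any real deployment.
SAMPLE_HOSTS = [
    "www.example.com",
    "test.example.com",
    "rogue.example.com",
    "a.b.example.com",
    "www.example.org",
]

if __name__ == "__main__":
    for cn in ("*.example.com", "*.com", "*"):
        print(f"CN = {cn}")
        for host, (lenient, strict) in audit(cn, SAMPLE_HOSTS).items():
            print(f"  {host:20} lenient={lenient!s:5} strict={strict}")
```

Even the strict check still accepts `rogue.example.com` for a `*.example.com` certificate, which is the residual exposure of any wildcard certificate.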