Re: [TLS] RFC 2818 wildcard rationale
"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Tue, 01 May 2012 12:06 UTC
To: tls@ietf.org
References: <CADKevbAKS7DQ19XYXhyN6JSLAR2C155Mp0hqTXiMHreFueOg4A@mail.gmail.com>
Date: Tue, 01 May 2012 14:06:19 +0200
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.wdmo8rtcqrq7tp@acorna.invalid.invalid>
In-Reply-To: <CADKevbAKS7DQ19XYXhyN6JSLAR2C155Mp0hqTXiMHreFueOg4A@mail.gmail.com>
User-Agent: Opera Mail/10.63 (Win32)
Subject: Re: [TLS] RFC 2818 wildcard rationale
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
On Tue, 01 May 2012 13:45:58 +0200, Chris Richardson <chris@randomnonce.org> wrote:

> RFC 2818 states:
>
>      Names may contain the wildcard
>      character * which is considered to match any single domain name
>      component or component fragment. E.g., *.a.com matches foo.a.com but
>      not bar.foo.a.com.
>
> I was trying to figure out the rationale behind this, but have been
> unable to do so. I was hoping someone could enlighten me.
>
> Suppose that:
> (1): *.example.com matched a.b.example.com
> (2): *.example.com matched example.com.
>
> What security problems exist with (1) and/or (2) that are solved by
> following the rules of 2818? Anything more than preventing a single *
> from matching the entire internet?

Regarding #1, if * matched multiple labels, it would match www.yourbank.com.whatever.example.com, which would be a very bad thing since it can mislead users into thinking that they are visiting "www.yourbank.com".

Regarding #2, I don't think that would introduce any real badness, except having to edit the rulestring, which makes already complex logic more complex, and more likely to fail in an insecure manner (there is also the fact that you can have "f*.example.com", which should not allow #2 to be generated, causing more complexity). However, adding a separate rule for "example.com" in the SAN field is very simple.

-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************
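The two cases in the exchange above, worked in code. This is an added example and not part of the original mail, Opera's code, or any TLS library; the function names and the sample hostnames are assumptions made for the illustration. It implements the RFC 2818 rule quoted in the thread (a `*` covers exactly one label, or a fragment of one label, so `f*.example.com` is legal) beside a naive suffix matcher of the kind that would accept `www.yourbank.com.whatever.example.com` for `*.example.com`, which is the case #1 problem the reply describes.

```python
"""RFC 2818 wildcard matching versus a naive suffix match.

Added illustrative code, not from the original message or any library.
Hostnames below are constructed for the example.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # Drop one trailing dot (absolute name) and compare case-insensitively,
    # then split into DNS labels. Matching is done label by label.
    return name.rstrip(".").lower().split(".")


def label_matches(pattern: str, label: str) -> bool:
    """Match one pattern label against one hostname label.

    A '*' matches any run of characters within this single label
    (RFC 2818: 'any single domain name component or component fragment'),
    so 'f*' matches 'foo' and 'f' but not 'bar'. Because the name was
    split on '.' first, the wildcard can never span a label boundary.
    """
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") != 1:
        return False  # assumption: one wildcard per label is enough
    head, tail = pattern.split("*", 1)
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head)
            and label.endswith(tail))


def matches_rfc2818(pattern: str, hostname: str) -> bool:
    """True if hostname matches the certificate name under RFC 2818 rules."""
    p, h = _labels(pattern), _labels(hostname)
    # Equal label counts are what make '*' cover exactly one label:
    # '*.example.com' then matches neither 'a.b.example.com' (case #1)
    # nor the bare 'example.com' (case #2) from the thread.
    if len(p) != len(h):
        return False
    return all(label_matches(pl, hl) for pl, hl in zip(p, h))


def naive_suffix_match(pattern: str, hostname: str) -> bool:
    """The mistake the reply warns about: treat '*.' as 'anything ending in'.

    This lets a *.example.com certificate vouch for
    www.yourbank.com.whatever.example.com.
    """
    if not pattern.startswith("*."):
        return pattern.lower() == hostname.lower()
    return hostname.lower().rstrip(".").endswith(pattern[1:].lower())


def demo() -> dict[str, bool]:
    """Constructed cases; the 'bank' entry is the one that matters."""
    bank = "www.yourbank.com.whatever.example.com"
    return {
        "rfc2818 foo.a.com": matches_rfc2818("*.a.com", "foo.a.com"),
        "rfc2818 bar.foo.a.com": matches_rfc2818("*.a.com", "bar.foo.a.com"),
        "rfc2818 apex": matches_rfc2818("*.example.com", "example.com"),
        "rfc2818 fragment": matches_rfc2818("f*.example.com", "foo.example.com"),
        "rfc2818 fragment miss": matches_rfc2818("f*.example.com", "bar.example.com"),
        "rfc2818 bank": matches_rfc2818("*.example.com", bank),
        "naive bank": naive_suffix_match("*.example.com", bank),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} {result}")
```

The label-count check is the whole of the defence against case #1: once the name is split on dots, the wildcard cannot grow past one label no matter what the attacker registers under a domain they control. Adding `example.com` as its own SAN entry, as the reply suggests for case #2, needs no wildcard logic at all.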
- [TLS] RFC 2818 wildcard rationale Chris Richardson
- Re: [TLS] RFC 2818 wildcard rationale Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] RFC 2818 wildcard rationale Peter Saint-Andre
- Re: [TLS] RFC 2818 wildcard rationale Chris Richardson
- Re: [TLS] RFC 2818 wildcard rationale Martin Rex