Re: [TLS] RFC 2818 wildcard rationale

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Tue, 01 May 2012 12:06 UTC


On Tue, 01 May 2012 13:45:58 +0200, Chris Richardson <chris@randomnonce.org> wrote:

> RFC 2818 states:
>
> Names may contain the wildcard
> character * which is considered to match any single domain name
> component or component fragment. E.g., *.a.com matches foo.a.com but
> not bar.foo.a.com.
>
> I was trying to figure out the rationale behind this, but have been
> unable to do so.  I was hoping someone could enlighten me.
>
> Suppose that:
> (1): *.example.com matched a.b.example.com
> (2): *.example.com matched example.com.
>
> What security problems exist with (1) and/or (2) that are solved by
> following the rules of 2818?  Anything more than preventing a single *
> from matching the entire internet?

Regarding #1, if * matched multiple labels, it would match  
www.yourbank.com.whatever.example.com, which would be a very bad thing  
since it can mislead users into thinking that they are visiting  
"www.yourbank.com".

Regarding #2, I don't think that would introduce any real badness, except
having to edit the rulestring, which makes already complex logic more
complex, and more likely to fail in an insecure manner (there is also the
fact that you can have "f*.example.com", which should not allow #2 to be
generated, causing more complexity). However, adding a separate rule for
"example.com" in the SAN field is very simple.

-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************
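To make the two matching rules in this exchange concrete, here is an added example (not code from the thread or from Opera) of a hostname matcher that follows the RFC 2818 text quoted above, placed beside the hypothetical multi-label variant (1) so the "www.yourbank.com.whatever.example.com" problem can be seen directly. The function names and the sample hostnames are my own.

```python
import re


def _label_matches(pattern_label: str, name_label: str) -> bool:
    """Match one DNS label against a pattern label. A '*' in the pattern
    matches any run of characters inside this label only (so 'f*' matches
    'foo'), never a dot, so it cannot spill into a neighbouring label."""
    parts = pattern_label.split("*")
    regex = "^" + ".*".join(re.escape(p) for p in parts) + "$"
    return re.match(regex, name_label) is not None


def rfc2818_match(pattern: str, hostname: str) -> bool:
    """RFC 2818 rule: '*' stands for exactly one label (or a fragment of one).
    '*.a.com' matches 'foo.a.com' but neither 'bar.foo.a.com' nor 'a.com'."""
    plabels = pattern.lower().rstrip(".").split(".")
    hlabels = hostname.lower().rstrip(".").split(".")
    if any(not label for label in hlabels):
        return False  # empty label: not a valid hostname
    if len(plabels) != len(hlabels):
        return False  # the wildcard may neither span nor drop labels
    return all(_label_matches(p, h) for p, h in zip(plabels, hlabels))


def multilabel_match(pattern: str, hostname: str) -> bool:
    """Hypothetical variant (1) from the question: '*' may span several
    labels. Included only to show why RFC 2818 does not allow it."""
    parts = pattern.lower().rstrip(".").split("*")
    regex = "^" + ".*".join(re.escape(p) for p in parts) + "$"
    return re.match(regex, hostname.lower().rstrip(".")) is not None


if __name__ == "__main__":
    # Constructed sample names; the bank name is the one used in the reply.
    misleading = "www.yourbank.com.whatever.example.com"
    for name in ("foo.example.com", "a.b.example.com", "example.com", misleading):
        print(f"{name:40} rfc2818={rfc2818_match('*.example.com', name)!s:5} "
              f"multilabel={multilabel_match('*.example.com', name)}")
    # Fragment wildcards are allowed by RFC 2818 and stay inside one label.
    print("f*.example.com vs foo.example.com:",
          rfc2818_match("f*.example.com", "foo.example.com"))
    print("f*.example.com vs bar.example.com:",
          rfc2818_match("f*.example.com", "bar.example.com"))
```

Running it shows the multi-label variant accepting the misleading name while the RFC 2818 matcher rejects it, and neither rule letting `*.example.com` cover the bare `example.com`, which is why a separate SAN entry is needed for it.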