Re: [TLS] Connection diversion to other subdomains
Martin Rex <mrex@sap.com> Fri, 29 October 2010 19:25 UTC
From: Martin Rex <mrex@sap.com>
Message-Id: <201010291927.o9TJREsv012079@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Fri, 29 Oct 2010 21:27:14 +0200
In-Reply-To: <4CCAE36B.3030403@extendedsubset.com> from "Marsh Ray" at Oct 29, 10 10:08:27 am
Cc: tls@ietf.org
Subject: Re: [TLS] Connection diversion to other subdomains
Marsh Ray wrote:
>
> On 10/27/2010 11:01 PM, Matt McCutchen wrote:
> > Strictly speaking, this is a vulnerability. Usually the
> > effect is just goofy, though on one major web site which I won't name,
> > it led to XSS.
> >
> > How can I get the message out to holders of wildcard certificates that
> > they should prevent this attack?
>
> I've always been suspicious of wildcard certs, but didn't have real
> ammunition to argue against them. You may have identified one, but
> people may point out that it's only an issue in combination with the
> known problem of HTTP servers accepting invalid Host headers.

This is NOT an attack on TLS or TLS server certs.

And the assumption that the use of TLS would prevent a behaviour that
exists just the same for this server on port 80 is naive.

Virtual hosting of Web Servers is a convenience function, and whether
and how much separation of content actually exists is completely at
the discretion of the server.

The use of TLS provides a protected communication channel between two
endpoints. It does not add anything to the trustworthiness of the
communication within. Any server features visible on port 80 will
likely be available in just the same fashion on port 443.

The Garbage-in, garbage-out principle is not affected by replacing the
garbage truck with an armoured car with security guards while still
delivering the very same contents of the very same garbage bins.

-Martin
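The separation Martin describes above, as an added example that is not part of the thread: a wildcard certificate matches any single-label subdomain, but which site content a request reaches is decided by the HTTP server's Host handling, identically on port 80 and 443. The vhost names, the `VHOSTS` table and the function names are constructed for illustration; the strict dispatcher answers unknown hosts with 421 instead of falling back to a default site.

```python
# Added example (not code from the thread or any product named in it).
# Constructed sample configuration: one site per explicitly configured hostname.
import re

VHOSTS = {
    "www.example.com": "main-site",
    "shop.example.com": "shop-app",
    "blog.example.com": "blog-cms",
}

# DNS hostname syntax only (IPv6 literals in brackets are rejected on purpose).
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def normalize_host(header):
    """Lower-case a Host header value and strip an optional :port.
    Returns None when the value is not a well-formed hostname."""
    host = header.strip().lower()
    if ":" in host:
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
    return host if _HOSTNAME_RE.match(host) else None


def wildcard_matches(pattern, host):
    """Certificate-style wildcard check (RFC 6125 semantics): '*' is allowed only
    as the whole leftmost label and matches exactly one label."""
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # e.g. ".example.com"
    return host.endswith(suffix) and host.count(".") == pattern.count(".")


def dispatch_permissive(header):
    """The behaviour the thread complains about: an unknown or malformed Host
    silently lands on the default vhost, so the cert's wildcard scope is the
    only thing limiting which names reach that content."""
    return VHOSTS.get(normalize_host(header), "main-site")


def dispatch_strict(header):
    """Route only to an explicitly configured vhost; anything else gets
    421 Misdirected Request, regardless of what the certificate would match."""
    host = normalize_host(header)
    if host is None or host not in VHOSTS:
        return (421, None)
    return (200, VHOSTS[host])
```

`other.example.com` matches `*.example.com` and still reaches `main-site` under the permissive dispatcher, while the strict one refuses it; the same check has to run on both ports, since TLS changes nothing about the Host lookup.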