Re: [TLS] Connection diversion to other subdomains

aerowolf@gmail.com Fri, 29 October 2010 04:18 UTC

From: aerowolf@gmail.com
To: "Matt McCutchen" <matt@mattmccutchen.net>
Date: Thu, 28 Oct 2010 21:20:30 -0700 (Pacific Daylight Time)
Message-ID: <gfuk1zfabvh7hh552nJYNxe982v3j_gmsm@mail.gmail.com>
Cc: IETF TLS WG <tls@ietf.org>
Subject: Re: [TLS] Connection diversion to other subdomains


On Wed, Oct 27, 2010 at 9:01 PM, Matt McCutchen <matt@mattmccutchen.net> wrote:

[re SNI and Host header mismatch]
> How can I get the message out to holders of wildcard certificates that
> they should prevent this attack?

First, what would your proposed remedy be?  What do you think the best behavior would be?  Where would you put whatever check you propose in the processing chain of the server?

-Kyle H
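As an added illustration (not code from the thread or from any project mentioned in it), one answer to the "where in the processing chain" question is a check that sits between the TLS handshake and virtual-host dispatch: the server records the SNI server_name the connection was negotiated for and refuses any request whose Host header names a different origin, so a connection diverted to another subdomain behind the same wildcard certificate cannot be used to deliver requests for it. The function names and the policy for clients that send no SNI are my assumptions.

```python
from typing import Optional, Tuple


def _normalize_host(name: str) -> str:
    """Lower-case, drop a trailing dot, and strip any :port suffix
    (without breaking a bracketed IPv6 literal such as [::1]:443)."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("["):
        end = name.find("]")
        return name[: end + 1] if end != -1 else name
    if ":" in name:
        name = name.rsplit(":", 1)[0]
    return name


def sni_matches_host(sni: Optional[str], host_header: Optional[str]) -> bool:
    """True only when the TLS server_name and the HTTP Host header designate
    the same origin. Policy choices (assumptions of this example):
      - a request with no Host header is rejected;
      - a connection with no SNI (legacy client) has nothing to compare
        against and is allowed; an operator may choose to be stricter;
      - any mismatch is rejected, so a connection negotiated for
        a.example.com cannot carry a request whose Host says b.example.com.
    """
    if not host_header:
        return False
    if sni is None:
        return True
    return _normalize_host(sni) == _normalize_host(host_header)


def check_request(sni: Optional[str], headers: dict) -> Tuple[int, str]:
    """Gate to run after the handshake and before vhost routing.
    Returns (status, reason); 0 means 'pass the request on'."""
    host = headers.get("Host")
    if host is None:
        return 400, "missing Host header"
    if not sni_matches_host(sni, host):
        return 421, "Host header does not match TLS server_name"
    return 0, "ok"


if __name__ == "__main__":
    # Constructed sample: a connection negotiated for a.example.com.
    for hdrs in ({"Host": "a.example.com"}, {"Host": "b.example.com"}, {}):
        print(hdrs, check_request("a.example.com", hdrs))
```

Rejecting with 421 (Misdirected Request) tells a well-behaved client to open a fresh connection to the right origin instead of treating the refusal as a permanent error.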