John Sutton wrote:
>
> At 01:34 05/07/98 +0200, you wrote:
[snip]
> Adam wrote:
>
> >It was the abstract to which I was referring - as I said, there are no
> >technical drawbacks (that I can think of)... However, if a user examines
> >your cert, (s)he will gain a lesser degree of comfort from something
> >that says '*.thing' than from 'specific.thing'. Since domains are not
> >tied to IP networks, and can therefore be anywhere, it is much easier to
> >hijack '<something>.thing' than 'this.particular.machine.thing' (and
> >before anyone jumps in and points out that if I can subvert the DNS of
> ><something>.thing, I could also do 'this.particular.machine.thing', my
> >point is that a new DNS entry could go unnoticed for much longer than a
> >changed one.). A 'trusted' '*.thing' cert is, therefore, a dangerous
> >thing to have lying around.
>
> I think I've got that. Can you confirm, in order to hijack a secure
> (virtual) server, the miscreant has to do two things:
>
> 1) get a copy of the SSLCertificateKeyFile and the matching SSLCertificateFile;
> 2) spoof the DNS for name contained therein.
>
> and then they are in business? (my business!)
That would do it.
cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers