1. 13

    The RFC explicitly forbids this kind of use, only allowing the lowest identifier to be a wildcard, and only if it is not a public suffix itself.

    It is very surprising that browsers don’t match on this properly.

    1. 16

      While it’s a little easier for you to write “the RFC”, it would be helpful for you to mention which RFC for those of us reading.

      1. 3

        https://tools.ietf.org/html/rfc6125#section-6.4.3 says SHOULD.

        What are you talking about?

        1. 1

          The Certification Authority (CA)/Browser Forum baseline requirements (11.1.3) require that before issuing a wildcard certificate, Certificate Authorities ensure that such a certificate is not issued for entries in the Mozilla PSL, e.g. *.co.uk, or that the entity actually owns the entirety of the public suffix.

          Please read all sub-threads before posting a reply :)

          1. 3

            This is a requirement for CAs, not user agents. This certificate would not be issued by a (public) CA, but it is not invalid for browsers. It is perfectly valid for private CAs to do this, e.g. so you could MITM all of your workers’ traffic.

        2. 2

          Which RFC? How is “public suffix” defined? Does it simply defer to the Public Suffix List?

          1. 2

            There are two kinds of public suffixes – those defined by ICANN, also included in the public suffix list, and the not-really-official private definitions in the public suffix list.

            And quoting the ICANN advisory on this:

            The Certification Authority (CA)/Browser Forum baseline requirements (11.1.3) require that before issuing a wildcard certificate, Certificate Authorities ensure that such a certificate is not issued for entries in the Mozilla PSL, e.g. *.co.uk, or that the entity actually owns the entirety of the public suffix.

            So while it’s not an RFC, it’s still a standard – and an even stronger one at that.

            1. 3

              it’s still a standard – and an even stronger one at that

              You are confused. That is not a quote from a standard for web browsers or TLS implementations, but for people who want to make a certificate signing authority that CA/B members (like Mozilla, Google, Microsoft, and so on) would include in their web browsers.

              There are lots of reasons to make certificates that Mozilla (for example) would not include in the Firefox web browser, and it is required that valid TLS implementations interpret them according to the actual standard where that’s broader than what you’re reading here.

              1. 3

                Sounds like a political limitation, not a technical limitation. Unless SSL consumers start to enforce this on their end, it wouldn’t prevent a malicious CA from issuing a cert like this that could be used to MITM all traffic.

                1. 6

                  Sounds like a political limitation, not a technical limitation.

                  That’s the state of web PKI in a single sentence.

                  1. 4

                    That’s exactly the point – I was expecting browsers to actually implement this spec and verify this for certificates (as I already do this in a limited way in Quasseldroid).
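The client-side check this sub-thread is asking browsers to perform, as an added example (not code from the thread, from Quasseldroid, or from any browser): the strict form of RFC 6125 section 6.4.3 wildcard matching, where `*` may only be the entire left-most label and matches exactly one label, combined with the public-suffix rule the commenters describe (reject `*.co.uk`). `SAMPLE_PUBLIC_SUFFIXES` is a tiny constructed stand-in for the Mozilla PSL, not the real list.

```python
# Added example: strict RFC 6125 section 6.4.3 wildcard matching plus the
# public-suffix rule discussed in the thread. Not code from the thread.
# SAMPLE_PUBLIC_SUFFIXES is a constructed stand-in for the Mozilla PSL.
SAMPLE_PUBLIC_SUFFIXES = frozenset({"com", "uk", "co.uk", "github.io"})


def _labels(name):
    """Normalise a DNS name: lower-case, strip a trailing dot, split on dots."""
    return name.lower().rstrip(".").split(".")


def wildcard_identifier_allowed(identifier, public_suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Return True if a presented DNS-ID is acceptable under the strict rules.

    - no '*' at all: plain name, nothing to check;
    - exactly one '*', and it must be the whole left-most label
      (rejects bar.*.example.net and baz*.example.net);
    - at least two labels must follow the '*' (rejects '*.com');
    - what follows the '*' must not be a public suffix (rejects '*.co.uk').
    """
    labels = _labels(identifier)
    if "*" not in identifier:
        return True
    if identifier.count("*") != 1 or labels[0] != "*":
        return False
    if len(labels) < 3:
        return False
    remainder = ".".join(labels[1:])
    return remainder not in public_suffixes


def matches_hostname(identifier, hostname, public_suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Match a certificate DNS-ID against the reference hostname.

    A '*' matches exactly one label, so *.example.com matches foo.example.com
    but neither bar.foo.example.com nor example.com.
    """
    id_labels = _labels(identifier)
    host_labels = _labels(hostname)
    if "*" not in identifier:
        return id_labels == host_labels
    if not wildcard_identifier_allowed(identifier, public_suffixes):
        return False
    return len(id_labels) == len(host_labels) and id_labels[1:] == host_labels[1:]
```

A real client would load the current Mozilla PSL in place of the sample set; the matching rules themselves do not change.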

            1. 4

              I’ve had several conversations with non-technical friends along these lines: replacing “bugs” in this article with “mistakes” provides a good approach to life in general.

              Not apologising and not caring differ. When I make mistakes, I try to help the people affected, and I assess what I might change in future. I still apologise, but I aim to do so less often and save apology for particularly significant occasions.

              1. 14

                The possibility to test the compiler on almost all public Rust code is amazing, and it’s possible thanks to Cargo being the standard build system. Can you imagine the effort to build and run tests on 30000 random C projects?

                1. 17

                  Perl has been doing this for more than a decade, building and testing everything on CPAN. http://stats.cpantesters.org/

                  1. 5

                    I gave a talk recently about how Perl’s monthly releases happen which covered this and more.

                    1. 2

                      That’s amazing, I had no idea.

                    2. 3

                      I actually was imagining that recently for benchmarking verification and testing tools. I found that they’re hosted in many places, use a bunch of different build systems, preprocessor magic that hurts reproducibility, and (see Coverity paper) most seem to pick a different dialect of C which may or may not be analyzable.

                      Just getting them all pulled and buildable for a first benchmark would be a nightmare.

                      1. 1

                        There are a lot of languages I think could theoretically do this. D, for example, could do it with dub, I would think.

                        1. 1

                          Sure, all you need is a registry. But we’ve been doing it since… forever.

                        2. 1

                          Julia does something similar, I think.

                        1. 2

                          Busily finishing organising this year’s London Perl Workshop on Saturday including finalising the schedule this morning.

                          1. 6

                            It looks like 10% of Internet users don’t use browsers that support this, so I suggest it’s too early to declare CSRF dead.

                            1. 4

                              This one is just one of many security features these browsers don’t have. If these users haven’t updated their browsers for so many years, they’re probably not installing regular security patches either.