[cabfpub] EV Wildcards

Tim Shirley TShirley at trustwave.com
Fri Mar 20 15:37:36 UTC 2015


It seems like a different risk to me because I'm less likely to detect spoofing of a site that's unknown to me than a site that is known.  If they're spoofing my known site to MITM me, then they have to talk to my sites and I may detect them that way.  But if they're stealing my brand name in order to create a new site leveraging my brand, they don't need to touch my systems for anything, so it's easier for it to remain unknown to me.

The other scenario I can imagine is an internal management issue.  The owner of the wildcard cert within the organization intended it for certain high-profile external sites, but then another person within the organization (who shouldn't really have access to the key) copies it without the owner's knowledge to use for a test/prototype site for which it was not intended.

Maybe I was misunderstanding Bruce's scenario, and like I said I'm not sure how much weight to give these concerns.  But they do seem like incremental risks above what we have today with EV.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Friday, March 20, 2015 11:18 AM
To: Tim Shirley; Bruce Morton; Jeremy Rowley
Cc: CABFPub
Subject: Re: [cabfpub] EV Wildcards

On 20/03/15 14:29, Tim Shirley wrote:
> But now let’s say I had gotten an EV cert for *.example.com instead.
> Now I’ve opened up a new class of attack: the bad person could set up
> “othersite.example.com” and impersonate my company and there would be
> no way for me to know that rogue site even exists.

How exactly would they do that, technically?

If you say "DNS spoofing", then surely it's just as easy to spoof the DNS for http://www.example.com or http://login.example.com and so there's no additional risk.

Gerv
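To make concrete what the wildcard in Tim's scenario actually covers, here is an added example (not code from the thread or from either author) that applies the strict wildcard matching rule browsers use for dNSName entries (RFC 6125 section 6.4.3: the wildcard must be the entire left-most label and matches exactly one label) to the names discussed above. The host names are constructed samples, and the "at least three labels" rule is a simplification standing in for a public-suffix check.

```python
"""Which host names does a certificate's SAN list cover?

Added example, not from the mailing-list thread. Compares an enumerated
SAN list with a single wildcard entry against known and unknown hosts.
"""


def name_matches(pattern: str, host: str) -> bool:
    """Return True if the dNSName entry `pattern` covers `host`.

    Strict rule: a '*' is honoured only as the whole left-most label,
    it matches exactly one label, and every remaining label must be equal.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the entire left-most label; reject '*.com'-style
    # patterns (simplified public-suffix guard: require >= 3 labels).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # '*' stands for exactly one label, never zero and never several.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_hosts(san_entries, hosts):
    """Return the subset of `hosts` that at least one SAN entry covers."""
    return [h for h in hosts if any(name_matches(p, h) for p in san_entries)]


# Constructed sample data: hosts the organisation runs, plus names it does not.
KNOWN = ["www.example.com", "login.example.com"]
UNKNOWN = ["othersite.example.com", "deep.othersite.example.com", "example.com"]

if __name__ == "__main__":
    explicit = ["www.example.com", "login.example.com"]  # enumerated SANs
    wildcard = ["*.example.com"]                         # single wildcard SAN
    print("explicit covers:", covered_hosts(explicit, KNOWN + UNKNOWN))
    print("wildcard covers:", covered_hosts(wildcard, KNOWN + UNKNOWN))
```

The wildcard entry validates for othersite.example.com, a host the owner never enumerated, while the explicit list covers only the two known hosts; neither covers the bare domain or a second-level subdomain.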
