
Firefox, IE, Chrome and Common Names - adontz
I have found a really strange thing I have not heard about.

If you visit a TLS enabled website under the name "www.something.ext", but it provides a certificate for "something.ext" only, I mean the common name is "something.ext" and "www.something.ext" is NOT listed in alternate names, then Mozilla Firefox will report an invalid certificate. Google Chrome and Internet Explorer show NO warnings. I've noticed this behavior first at https://www.vali.ge (actual content irrelevant), but I am pretty sure it is not web-site specific.

Usually "www.something.ext" is the same site as "something.ext" but it does not have to be. I consider this to be an intentional security vulnerability and am really not happy about this.
======
lsiunsuex
Someone correct me if I'm wrong (I'm a bit rusty on A records and C-names) but
just because 2 addresses show the same content, does not necessarily mean they
are the same website. domain.tld is a different address from www.domain.tld
and by all accounts, could point to 2 different contents.

Most will re-direct to the other. So if I chose to use www.domain.tld I may
redirect domain.tld to www.domain.tld or vice versa.

If you want a certificate that covers both domain.tld and www.domain.tld -
those are called wild card certificates and can cover totallyrandom.domain.tld
and superhappyfuntime.domain.tld and anything else you might need (email.,
webmail., catslol., etc...)

So a non-wildcard certificate placed on both www and non-www is in fact, not
valid because a regular everyday certificate is only valid for 1 URL.

~~~
adontz
There are also non-wildcard certificates, which are valid for multiple
specific names, but that is not the case I am discussing.

[https://www.digicert.com/subject-alternative-name.htm](https://www.digicert.com/subject-alternative-name.htm)

~~~
lsiunsuex
Says it right in the marketing

"Secure Host Names on Different Base Domains in One SSL Certificate: A
Wildcard Certificate can protect all first-level subdomains on an entire
domain, such as *.example.com. However, a Wildcard Certificate cannot protect
both www.example.com and www.example.net."

That is in fact, a wildcard certificate, just not directly advertised as such.
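
The name check this thread is about, written as a strict matcher following the RFC 2818/6125 rule that the subject CN is consulted only when the certificate has no dNSName SAN. This is an added example, not code from any poster or browser; the dict layout (`common_name`, `san_dns`) and every certificate below are constructed, and the three-label minimum for wildcards is a conservative choice of this example.

```python
# Strict hostname-to-certificate matching (added example, constructed data).

def name_matches(presented: str, host: str) -> bool:
    """Compare one name from the certificate with the requested host name."""
    p = presented.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # "*" stands for exactly one label
    if p[0] == "*":
        # Wildcard only as the complete left-most label, e.g. *.example.com;
        # requiring 3+ labels (no "*.com") is this example's assumption.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in presented and p == h


def cert_matches(cert: dict, host: str) -> bool:
    """True if `host` is covered by the certificate.

    dNSName SAN entries are authoritative when present; the CN is a
    fallback only for certificates that carry no dNSName SAN at all.
    """
    san = cert.get("san_dns", [])
    names = san if san else [cert["common_name"]]
    return any(name_matches(n, host) for n in names)


def coverage(cert: dict, hosts: list) -> dict:
    """Map each requested host to whether the certificate covers it."""
    return {h: cert_matches(cert, h) for h in hosts}


# Constructed certificates mirroring the three cases raised in the thread.
BARE_ONLY = {"common_name": "something.ext", "san_dns": []}
MULTI_SAN = {"common_name": "something.ext",
             "san_dns": ["something.ext", "www.something.ext"]}
WILDCARD = {"common_name": "*.example.com", "san_dns": ["*.example.com"]}

if __name__ == "__main__":
    hosts = ["something.ext", "www.something.ext", "mail.something.ext"]
    print("bare-only:", coverage(BARE_ONLY, hosts))
    print("multi-SAN:", coverage(MULTI_SAN, hosts))
    print("wildcard: ", coverage(WILDCARD, ["example.com", "www.example.com",
                                            "a.b.example.com", "www.example.net"]))
```

Under this strict rule the bare-name certificate does not cover the `www.` host, a SAN list covers exactly the names it enumerates, and a wildcard covers one label below its base domain but not the base domain itself.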

