
Jacob Appelbaum: attackers got certs for *.*.com and *.*.org - rw
https://twitter.com/#!/ioerror/status/110387909890285568
======
ynoclo
RFC2818 (the 'HTTP over TLS' specification) says that names may contain the
wildcard character, which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but not
bar.foo.a.com. f*.com matches foo.com but not bar.com.

A careful reading of this wording does not seem to rule out the use of more
than one wildcard, e.g. '*.*.com'. That's unfortunate. It likely depends on
the particular browser's TLS implementation as to whether more than one
wildcard in a name would be processed.

------
0x0
So would those certs be accepted by normal browsers? Couldn't the public
suffix list be used to reject such overly broad wildcards?
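To make both points in this thread concrete, here is an added example (not code from either poster, and not any browser's actual implementation). `rfc2818_match` implements the lenient reading of RFC 2818 quoted above, where `*` may sit in any label and matches any run of characters inside that one label, so it happily accepts `*.*.com`. `strict_wildcard_ok` then layers on the rules modern clients apply (RFC 6125 section 6.4.3 and the CA/Browser Forum's definition of a wildcard name: a single `*` as the entire leftmost label, with the remainder not being a public suffix). The `PUBLIC_SUFFIXES` set is a constructed four-entry stand-in for the real Public Suffix List; the real list also has wildcard and exception rules that this simplified lookup does not handle.

```python
import re

# Constructed stand-in for the Public Suffix List (publicsuffix.org).
# The real list is thousands of entries and has '*.' and '!' rules.
PUBLIC_SUFFIXES = frozenset({"com", "org", "net", "co.uk"})


def _normalise(name: str) -> list[str]:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def rfc2818_match(pattern: str, hostname: str) -> bool:
    """Lenient RFC 2818 matching.

    '*' matches any characters within a single label (a whole component or
    a fragment of one) and never crosses a dot. Nothing here limits how many
    labels may contain a wildcard, which is exactly the gap the thread is
    discussing: '*.*.com' matches 'www.example.com' under these rules.
    """
    plabels = _normalise(pattern)
    hlabels = _normalise(hostname)
    if len(plabels) != len(hlabels):
        return False  # '*.a.com' must not match 'bar.foo.a.com' or 'a.com'
    for plabel, hlabel in zip(plabels, hlabels):
        # Turn each '*' in the label into "any non-dot characters".
        regex = "^" + "[^.]*".join(re.escape(part) for part in plabel.split("*")) + "$"
        if not re.match(regex, hlabel):
            return False
    return True


def strict_wildcard_ok(pattern: str, public_suffixes=PUBLIC_SUFFIXES) -> bool:
    """Reject wildcard shapes that RFC 2818's wording leaves open but that
    RFC 6125 / the CA/Browser Forum Baseline Requirements disallow."""
    if "*" not in pattern:
        return True  # plain name, no wildcard policy to apply
    labels = _normalise(pattern)
    if pattern.count("*") > 1:
        return False  # '*.*.com': more than one wildcard
    if labels[0] != "*":
        return False  # 'f*.com', 'www.*.com': wildcard must be the whole leftmost label
    if len(labels) < 3:
        return False  # '*.com': would cover an entire top-level domain
    parent = ".".join(labels[1:])
    if parent in public_suffixes:
        return False  # '*.co.uk': everything under a public suffix
    return True


def verify_hostname(pattern: str, hostname: str, public_suffixes=PUBLIC_SUFFIXES) -> bool:
    """What a careful client does: apply the wildcard policy first, then match."""
    return strict_wildcard_ok(pattern, public_suffixes) and rfc2818_match(pattern, hostname)


if __name__ == "__main__":
    for pat, host in [("*.a.com", "foo.a.com"), ("*.a.com", "bar.foo.a.com"),
                      ("f*.com", "foo.com"), ("f*.com", "bar.com"),
                      ("*.*.com", "www.example.com"), ("*.example.com", "www.example.com")]:
        print(f"{pat:16} {host:18} rfc2818={rfc2818_match(pat, host)!s:5} "
              f"strict={verify_hostname(pat, host)}")
```

The split into two functions is deliberate: the matching engine is faithful to RFC 2818's text and therefore accepts `*.*.com`, and only the separate policy layer turns the rogue certificates into a failed verification. Whether a given browser in 2011 had that policy layer is precisely the open question in the thread.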

