- From: Luis Barriga \(KI/EAB\) <luis.barriga@ericsson.com>
- Date: Mon, 16 Apr 2007 15:23:55 +0200
- To: <yngve@opera.com>, "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "<michael.mccormick" <michael.mccormick@wellsfargo.com>
- Cc: <public-wsc-wg@w3.org>
Actually, RFC 2818 specifies two options when the typed hostname and cert ID don't match each other: the client either notifies the user (allowing to continue) or the client terminates the connection. I guess the latter option is a policy for corporate clients.

BTW, I made a test accessing my Swedish bank over https:// on a mobile phone and found that the built-in browser also notifies about the mismatch, according to RFC2818, though with a slightly different notification: "the server's identity couldn't be verified". However, the Opera minibrowser on the same phone didn't make any notification at all. It silently ended in the non-secure bank's web page http://.

Luis

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Yngve Nysaeter Pettersen
Sent: den 16 april 2007 14:53
To: Mary Ellen Zurko; <michael.mccormick
Cc: public-wsc-wg@w3.org
Subject: Re: FW: .safe TLD idea from ICANN

On Mon, 16 Apr 2007 14:27:36 +0200, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

> Which reminds me of an error I was a bit surprised at (though not on
> reflection). I typed in my bank's home page with https, but with .com
> (it's really a .org). So I got an SSL error telling me "the name on
> the security certificate is invalid or does not match the name of the site".
> Neither of which is quite accurate. The cert matches the site that is
> being brought up; I'm just being redirected because I made a common
> mistake. So, oddly, won't all those users used to typing .com get SSL
> errors when redirected to .safe (if https is specified)?

The client is required, by RFC 2818, to check the HTTP hostname against the name(s) of the server in the certificate and warn the user if they do not match. A certificate can contain multiple hostnames through an extension, or by using a wildcard syntax. Such certificates tend to be more expensive though.

The common mistake is to assign the same IP address to the aliases of a hostname, but forget to make the certificate name all the alternative hostnames. The TLS ServerName extension (supported by Opera 9) will eventually provide a better method for handling multiple identity servers.

I think the impact of mistakes such as the one Mez made is going to be limited, since most average users do not specify the https part.

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone: +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
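The hostname check Yngve and Luis are discussing, written out as an added example: this is illustration code for this archive page, not Opera's browser code or anything posted in the thread. It implements the RFC 2818 section 3.1 rules (dNSName entries in subjectAltName take precedence over the Common Name; `*` matches a single label or label fragment; comparison is case-insensitive) and then applies the two mismatch outcomes Luis names, notify or terminate. The `CertIdentity` class, the `examplebank.org` / `example.org` / `example.net` names and the `policy` parameter are all constructed for the example; a real client would take the names from a parsed X.509 certificate.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Server identities a certificate asserts (constructed shape, not an X.509 parser)."""
    subject_alt_dns: List[str] = field(default_factory=list)  # dNSName entries in subjectAltName
    common_name: Optional[str] = None                         # subject CN, a fallback only


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """One DNS label; '*' matches any run of characters within that label (RFC 2818 s.3.1)."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    regex = "^" + re.escape(pattern_label).replace(r"\*", "[^.]*") + "$"
    return re.match(regex, host_label) is not None


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the typed hostname.

    Case-insensitive, label by label, same number of labels: '*.a.com'
    matches 'foo.a.com' but not 'bar.foo.a.com', and 'f*.com' matches
    'foo.com' but not 'bar.com' (the RFC's own examples).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches_host(identity: CertIdentity, hostname: str) -> bool:
    """RFC 2818: if any dNSName is present in subjectAltName it MUST be used as
    the identity; the Common Name is consulted only when no dNSName exists."""
    if identity.subject_alt_dns:
        names = identity.subject_alt_dns
    elif identity.common_name:
        names = [identity.common_name]
    else:
        names = []
    return any(name_matches(n, hostname) for n in names)


def verify_connection(identity: CertIdentity, typed_hostname: str, policy: str = "notify") -> str:
    """Apply the two RFC 2818 outcomes for a mismatch.

    Returns 'ok' on a match; otherwise 'notify' (user is told and may continue)
    or 'terminate' (connection dropped), depending on the configured policy.
    """
    if cert_matches_host(identity, typed_hostname):
        return "ok"
    if policy not in ("notify", "terminate"):
        raise ValueError("policy must be 'notify' or 'terminate'")
    return policy


# Constructed sample: a bank whose certificate names only its .org hosts,
# the situation Mez ran into when she typed .com instead.
BANK_CERT = CertIdentity(subject_alt_dns=["www.examplebank.org", "examplebank.org"])

# Constructed sample: SAN present, so the CN must be ignored even though it "matches".
SAN_AND_CN_CERT = CertIdentity(subject_alt_dns=["api.example.org"], common_name="www.example.org")

# Constructed sample: old-style certificate carrying only a wildcard CN.
CN_ONLY_CERT = CertIdentity(common_name="*.example.net")


if __name__ == "__main__":
    for host in ("www.examplebank.org", "www.examplebank.com", "WWW.EXAMPLEBANK.ORG"):
        print(f"{host:25s} notify-policy: {verify_connection(BANK_CERT, host):9s} "
              f"terminate-policy: {verify_connection(BANK_CERT, host, 'terminate')}")
```

The `SAN_AND_CN_CERT` case is the one worth noticing for the "aliases of a hostname" mistake Yngve describes: once a certificate carries any dNSName, a hostname that appears only in the CN no longer counts, so adding a SAN extension with one name does not preserve the CN as an extra identity.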
Received on Monday, 16 April 2007 13:24:01 UTC