
RE: FW: .safe TLD idea from ICANN

From: Luis Barriga \(KI/EAB\) <luis.barriga@ericsson.com>
Date: Mon, 16 Apr 2007 15:23:55 +0200
Message-ID: <1C6A13C92F510849B72272A71F9F3BCBE74B5B@esealmw105.eemea.ericsson.se>
To: <yngve@opera.com>, "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "<michael.mccormick" <michael.mccormick@wellsfargo.com>
Cc: <public-wsc-wg@w3.org>

Actually, RFC 2818 specifies two options when the typed hostname and
cert ID don't match each other: the client either notifies the user
(allowing the user to continue) or the client terminates the connection. I guess
the latter option is a policy for corporate clients.

BTW, I made a test accessing my Swedish bank over https:// on a mobile
phone and found that the built-in browser also notifies about the
mismatch, according to RFC 2818, though with a slightly different
notification: "the server's identity couldn't be verified".

However, the Opera minibrowser on the same phone didn't make any
notification at all. It silently ended in the non-secure bank's web
page http://.

Luis

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Yngve Nysaeter Pettersen
Sent: den 16 april 2007 14:53
To: Mary Ellen Zurko; <michael.mccormick
Cc: public-wsc-wg@w3.org
Subject: Re: FW: .safe TLD idea from ICANN


On Mon, 16 Apr 2007 14:27:36 +0200, Mary Ellen Zurko
<Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

> Which reminds me of an error I was a bit surprised at (though not on
> reflection). I typed in my bank's home page with https, but with .com
> (it's really a .org). So I got an SSL error telling me "the name on
> the security certificate is invalid or does not match the name of the
> site".
> Neither of which is quite accurate. The cert matches the site that is
> being brought up; I'm just being redirected because I made a common
> mistake. So, oddly, won't all those users used to typing .com get SSL
> errors when redirected to .safe (if https is specified)?

The client is required, by RFC 2818, to check the HTTP hostname against
the name(s) of the server in the certificate and warn the user if they do
not match.

A certificate can contain multiple hostnames through an extension, or by
using a wildcard syntax. Such certificates tend to be more expensive
though.

The common mistake is to assign the same IP address to the aliases of a
hostname, but forget to make the certificate name all the alternative
hostnames.

The TLS ServerName extension (supported by Opera 9) will eventually
provide a better method for handling multiple identity servers.

I think the impact of mistakes such as the one Mez made is going to be
limited, since most average users do not specify the https part.

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer		             Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
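The hostname check that both messages refer to, as an added example that is not part of the original thread and not Opera's or any browser's code: it implements the RFC 2818 section 3.1 matching rules (subjectAltName dNSName entries take precedence over the Common Name; a wildcard matches only within a single label) and then applies one of the two behaviours Luis describes on a mismatch. The certificate names, hostnames and the "notify"/"terminate" policy strings are constructed for this example; Mez's .com-versus-.org mistake and Yngve's "aliases share an IP but the certificate names only one of them" case are both modelled.

```python
"""RFC 2818 style hostname-vs-certificate matching (added example).

All certificate contents below are constructed for illustration; a
real client would extract these names from the parsed X.509 object.
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertIdentity:
    """The identity names a server certificate carries."""
    common_name: str
    san_dns_names: List[str] = field(default_factory=list)


def _label_matches(pattern: str, label: str) -> bool:
    """Match a single DNS label. Within one label, '*' may stand for any
    (possibly empty) fragment, so 'f*' matches 'foo' but the pattern can
    never span a dot because labels are compared one at a time."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, label) is not None


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818 section 3.1: case-insensitive, label-by-label comparison.
    '*.example.com' matches 'www.example.com' but not 'a.www.example.com'
    and not 'example.com' (the label counts differ)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def certificate_names(cert: CertIdentity) -> List[str]:
    """If any subjectAltName dNSName is present it MUST be used as the
    identity; the Common Name is only consulted when there is none."""
    return cert.san_dns_names if cert.san_dns_names else [cert.common_name]


def hostname_matches_certificate(hostname: str, cert: CertIdentity) -> bool:
    """True if the typed hostname matches any usable name in the certificate."""
    return any(name_matches(n, hostname) for n in certificate_names(cert))


def client_decision(hostname: str, cert: CertIdentity, policy: str) -> str:
    """Apply the RFC 2818 mismatch handling. 'notify' is the interactive
    browser behaviour (warn, possibly continue); 'terminate' is the strict
    behaviour a managed client might be configured for. Returns the action."""
    if hostname_matches_certificate(hostname, cert):
        return "proceed"
    if policy == "notify":
        return "notify"
    if policy == "terminate":
        return "terminate"
    raise ValueError("unknown policy: %r" % policy)


# Constructed scenarios from the thread.
# 1) The user typed .com but the bank is a .org: certificate names only the .org host.
BANK_ORG_CERT = CertIdentity(common_name="www.example-bank.org",
                             san_dns_names=["www.example-bank.org"])
# 2) Aliases share one IP, but the certificate was issued only for the 'www' name.
ALIAS_CERT_WRONG = CertIdentity(common_name="www.example.com")
# 2b) The same deployment fixed: every alias listed in subjectAltName.
ALIAS_CERT_FIXED = CertIdentity(common_name="www.example.com",
                                san_dns_names=["www.example.com", "example.com"])
# 3) A wildcard certificate covering one label under example.com.
WILDCARD_CERT = CertIdentity(common_name="*.example.com")


if __name__ == "__main__":
    cases = [
        ("www.example-bank.com", BANK_ORG_CERT),
        ("example.com", ALIAS_CERT_WRONG),
        ("example.com", ALIAS_CERT_FIXED),
        ("mail.example.com", WILDCARD_CERT),
        ("deep.mail.example.com", WILDCARD_CERT),
    ]
    for host, cert in cases:
        for policy in ("notify", "terminate"):
            print("%-24s vs %-40s [%s] -> %s" % (
                host, certificate_names(cert), policy,
                client_decision(host, cert, policy)))
```

The subjectAltName precedence rule is the part that surprises people: a certificate whose Common Name matches but whose subjectAltName list does not is still a mismatch, which is exactly why a deployment with several aliases needs every alias in the extension (or a wildcard) rather than just the right Common Name.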
Received on Monday, 16 April 2007 13:24:01 GMT
