[LINK] More on the Uselessness of Dig Sig Certs
Scott Howard
scott at doc.net.au
Tue Jul 17 13:47:48 AEST 2012
On Mon, Jul 16, 2012 at 8:29 PM, Roger Clarke <Roger.Clarke at xamax.com.au> wrote:
> What's a mug punter meant to make of this?
>
> Attempts to access
> https://www.medicareaustralia.gov.au/
> https://medicareaustralia.gov.au/
> generate errors,
> and the errors are inconsistent between browsers, and/or wrong.
>
>
> (1) Safari 4.1.3 displays a small box containing:
> >The certificate for this web-site has expired
> [re-typed, because the idiot programmer made that message uncopiable]
>
> When you expand the box, you get a *different* error-message:
> >This certificate is not valid (host name mismatch).
>
> Better yet, the names match, and the certificate is shown as date-valid.
>
Well.. Yes, and no.
The certificate being used is for "www.medicareaustralia.gov.au", and has
no alternate names listed. If you access the site via the hostname
"medicareaustralia.gov.au" then there is a hostname mis-match, and you will
get an error.
The expired issue is a little more complex. The
www.medicareaustralia.gov.au certificate is valid until August 7th 2012,
however it is signed by an intermediate certificate that expired on October
24th, 2011. This looks like a huge screw-up on behalf of Verisign who
issued the certificate - they should never be issuing a cert with an
intermediate that expires before the cert itself, as it breaks the chain of
trust.
> [But wait a minute, that's the same domain as in the URL window]
>
SSL certs are issued to hostnames, not domains. The hostname doesn't
match, thus it's an error.
> Added to that, it appears that the same problems exist with at least
> some current browsers.
>
There are zero browser problems here - the browser is doing *exactly* what
it should be doing. There is at least one certificate problem (cert signed
by an expired intermediate) and at least one user/website issue (using the
incorrect hostname to access the site) which could also be considered a
certificate issue (no alternate name included in the cert for the hostname
without www.)
Scott
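The two checks Scott describes, matching the requested hostname against the certificate's names and checking that every certificate in the chain is still within its validity period, modelled as an added Python example (not code from the thread or from any browser). The certificate records are constructed from the dates quoted above; the issuer names are placeholders, not the real CA's names.

```python
"""Added example: a minimal model of two browser-side checks discussed in the
thread, RFC 6125 hostname matching and validity-period checking along the
chain. Records are constructed; issuer names are placeholders."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Cert:
    subject_cn: str          # Common Name of the subject
    issuer_cn: str           # Common Name of the issuer
    not_before: date
    not_after: date
    san_dns: list = field(default_factory=list)  # subjectAltName dNSName entries


def name_matches(presented: str, hostname: str) -> bool:
    """Compare one presented identifier (CN or SAN dNSName) with a hostname.
    Matching is case-insensitive and label-by-label, so "medicareaustralia.gov.au"
    never matches "www.medicareaustralia.gov.au". A wildcard may only be the
    whole leftmost label and must cover at least two further labels."""
    p = presented.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if "*" in presented:
        if len(p) < 3 or p[0] != "*" or any("*" in lbl for lbl in p[1:]):
            return False
    return all(a == "*" or a == b for a, b in zip(p, h))


def hostname_matches(cert: Cert, hostname: str) -> bool:
    """RFC 6125: when any dNSName SAN is present the CN is ignored entirely;
    only a certificate with no SANs falls back to the subject CN."""
    identifiers = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(name_matches(i, hostname) for i in identifiers)


def chain_validity_errors(chain: list, at: date) -> list:
    """Return the reasons the chain is not valid at date `at` (empty if valid).
    chain[0] is the leaf; each following cert must be the issuer of the one
    before it. Every cert, not just the leaf, must be within its period."""
    errors = []
    for i, cert in enumerate(chain):
        role = "leaf" if i == 0 else f"intermediate #{i}"
        if at < cert.not_before:
            errors.append(f"{role} {cert.subject_cn!r} not yet valid")
        if at > cert.not_after:
            errors.append(f"{role} {cert.subject_cn!r} expired {cert.not_after}")
        if i > 0 and chain[i - 1].issuer_cn != cert.subject_cn:
            errors.append(
                f"{role} {cert.subject_cn!r} did not issue {chain[i - 1].subject_cn!r}")
    return errors


# Constructed records using the dates quoted in the thread. "Example
# Intermediate CA" / "Example Root CA" are placeholder issuer names.
LEAF = Cert("www.medicareaustralia.gov.au", "Example Intermediate CA",
            date(2011, 8, 7), date(2012, 8, 7))
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA",
                    date(2006, 10, 24), date(2011, 10, 24))
CHAIN = [LEAF, INTERMEDIATE]

if __name__ == "__main__":
    for host in ("www.medicareaustralia.gov.au", "medicareaustralia.gov.au"):
        print(host, "->", "match" if hostname_matches(LEAF, host) else "HOSTNAME MISMATCH")
    for err in chain_validity_errors(CHAIN, date(2012, 7, 17)):
        print("chain error:", err)
```

Run on the date of the post, the script reports a hostname mismatch for the bare domain (the leaf carries no SAN, so only its CN "www..." counts) and exactly one chain error, the intermediate's expiry, while the leaf itself is still date-valid. That is the combination that produced Roger's two different-looking Safari messages.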