[LINK] More on the Uselessness of Dig Sig Certs

Scott Howard scott at doc.net.au
Tue Jul 17 13:47:48 AEST 2012

On Mon, Jul 16, 2012 at 8:29 PM, Roger Clarke <Roger.Clarke at xamax.com.au> wrote:

> What's a mug punter meant to make of this?
> Attempts to access
> https://www.medicareaustralia.gov.au/
> https://medicareaustralia.gov.au/
> generate errors,
> and the errors are inconsistent between browsers, and/or wrong.
> (1)  Safari 4.1.3 displays a small box containing:
> >The certificate for this web-site has expired
> [re-typed, because the idiot programmer made that message uncopiable]
> When you expand the box, you get a *different* error-message:
> >This certificate is not valid (host name mismatch).
> Better yet, the names match, and the certificate is shown as date-valid.

Well.. Yes, and no.

The certificate being used is for "www.medicareaustralia.gov.au", and has
no alternate names listed.  If you access the site via the hostname
"medicareaustralia.gov.au" then there is a hostname mis-match, and you will
get an error.

The expired issue is a little more complex.  The
www.medicareaustralia.gov.au certificate is valid until August 7th 2012,
however it is signed by an intermediate certificate that expired on October
24th, 2011.  This looks like a huge screw-up on behalf of Verisign who
issued the certificate - they should never be issuing a cert with an
intermediate that expires before the cert itself, as it breaks the chain of

[But wait a minute, that's the same domain as in the URL window]

SSL certs are issued to hostnames, not domains.  The hostname doesn't
match, thus it's an error.

> Added to that, it appears that the same problems exist with at least
> some current browsers.

There are zero browser problems here - the browser is doing *exactly* what
it should be doing.  There is at least one certificate problem (cert signed
by an expired intermediate) and at least one user/website issue (using the
incorrect hostname to access the site) which could also be considered a
certificate issue (no alternate name included in the cert for the hostname
without www.)
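The two checks the reply describes, as an added example that is not part of the original message: a hostname match against the certificate's names (subjectAltName first, subject CN only as a fallback when no SAN is present) and a validity-period check over every certificate in the chain, so that an expired intermediate fails the chain even when the leaf is still in date. The hostnames and the two dates come from the message; the issuer names, the root, the validity start dates and the certificate records themselves are constructed stand-ins, and signature verification is deliberately left out.

```python
"""Minimal model of browser-side hostname and chain-validity checks.
Hostnames and the two expiry dates are from the thread; everything else
(issuer names, root CA, not-before dates) is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass
class Cert:
    """Only the fields the two checks need; not parsed from real DER/PEM."""
    subject_cn: str
    issuer_cn: str
    not_before: datetime
    not_after: datetime
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    is_ca: bool = False                               # basicConstraints CA flag


def _name_match(pattern: str, host: str) -> bool:
    """RFC 6125 style: case-insensitive, a wildcard is allowed only as the
    whole leftmost label, and it never matches across a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(leaf: Cert, host: str) -> bool:
    """SAN entries are authoritative; the CN is consulted only when the
    certificate carries no SAN at all.  A cert for the www name with no SAN
    therefore does not cover the bare domain."""
    names = leaf.san_dns if leaf.san_dns else [leaf.subject_cn]
    return any(_name_match(n, host) for n in names)


def chain_errors(chain: List[Cert], at: datetime) -> List[str]:
    """chain[0] is the leaf, chain[-1] the root.  Every certificate on the path
    must be within its validity period at the check time and every issuer must
    name the next certificate up; one expired intermediate breaks the chain
    no matter how long the leaf itself remains valid."""
    errors = []
    for i, cert in enumerate(chain):
        role = "leaf" if i == 0 else ("root" if i == len(chain) - 1 else "intermediate")
        if at < cert.not_before:
            errors.append(f"{role} '{cert.subject_cn}' not yet valid")
        elif at > cert.not_after:
            errors.append(f"{role} '{cert.subject_cn}' expired on {cert.not_after.date()}")
        if i > 0 and not cert.is_ca:
            errors.append(f"{role} '{cert.subject_cn}' is not a CA certificate")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer_cn != parent.subject_cn:
            errors.append(f"'{child.subject_cn}' issuer does not match '{parent.subject_cn}'")
    return errors


def diagnose(host: str, chain: List[Cert], at: datetime) -> List[str]:
    """Combine both checks the way a browser reports them: chain problems
    first, then the hostname problem if the leaf does not cover the host."""
    problems = chain_errors(chain, at)
    if not hostname_matches(chain[0], host):
        covered = chain[0].san_dns or [chain[0].subject_cn]
        problems.append(f"host name mismatch: '{host}' not in {covered}")
    return problems


UTC = timezone.utc
# Constructed chain.  Leaf expiry (7 Aug 2012) and intermediate expiry
# (24 Oct 2011) are from the message; issuer names and other dates are not.
LEAF = Cert("www.medicareaustralia.gov.au", "Example Intermediate CA",
            datetime(2010, 8, 7, tzinfo=UTC), datetime(2012, 8, 7, tzinfo=UTC))
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA",
                    datetime(2006, 10, 24, tzinfo=UTC), datetime(2011, 10, 24, tzinfo=UTC),
                    is_ca=True)
ROOT = Cert("Example Root CA", "Example Root CA",
            datetime(2000, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC), is_ca=True)
CHAIN = [LEAF, INTERMEDIATE, ROOT]
CHECK_TIME = datetime(2012, 7, 16, tzinfo=UTC)  # date of the thread

# What a corrected deployment would look like: a SAN covering both names and
# an intermediate that outlives the leaf (constructed, not the real fix).
FIXED_LEAF = Cert("www.medicareaustralia.gov.au", "Example Intermediate CA 2",
                  LEAF.not_before, LEAF.not_after,
                  san_dns=["www.medicareaustralia.gov.au", "medicareaustralia.gov.au"])
FIXED_INTERMEDIATE = Cert("Example Intermediate CA 2", "Example Root CA",
                          datetime(2010, 1, 1, tzinfo=UTC), datetime(2015, 1, 1, tzinfo=UTC),
                          is_ca=True)
FIXED_CHAIN = [FIXED_LEAF, FIXED_INTERMEDIATE, ROOT]

if __name__ == "__main__":
    for host in ("www.medicareaustralia.gov.au", "medicareaustralia.gov.au"):
        print(host, "->", diagnose(host, CHAIN, CHECK_TIME) or "ok")
        print(host, "(fixed) ->", diagnose(host, FIXED_CHAIN, CHECK_TIME) or "ok")
```

Running it reproduces the two complaints in the thread: the www hostname yields only the expired-intermediate error, while the bare domain yields that error plus a host name mismatch, and the corrected chain yields neither.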
