[LINK] More on the Uselessness of Dig Sig Certs

Roger Clarke Roger.Clarke at xamax.com.au
Tue Jul 17 14:37:38 AEST 2012 

At 20:47 -0700 16/7/12, Scott Howard wrote:
At 3:51 +0000 17/7/12, Kim Davies wrote:
>   ...  [clear explanations]  ...

Thanks for that.

But I don't agree with this bit from Scott:
>There are zero browser problems here - the browser is doing 
>*exactly* what it should be doing.  ...

Safari 4.1.3 displays two different error-messages at different 
stages, which confuses mug punters and gives them more reasons to 
ignore the gobbledygook and just click <Okay>.

And how about the designer offering something constructive, like:
<click here to email the site's webmaster to notify them of the problem>?


________________________________________________________________________


On Mon, Jul 16, 2012 at 8:29 PM, Roger Clarke 
<<mailto:Roger.Clarke at xamax.com.au>Roger.Clarke at xamax.com.au> wrote:

What's a mug punter meant to make of this?

Attempts to access
<https://www.medicareaustralia.gov.au/>https://www.medicareaustralia.gov.au/
<https://medicareaustralia.gov.au/>https://medicareaustralia.gov.au/
generate errors,
and the errors are inconsistent between browsers, and/or wrong.

(1)  Safari 4.1.3 displays a small box containing:
>The certificate for this web-site has expired
[re-typed, because the idiot programmer made that message uncopiable]

When you expand the box, you get a *different* error-message:
>This certificate is not valid (host name mismatch).

Better yet, the names match, and the certificate is shown as date-valid.


Well.. Yes, and no.

The certificate being used is for 
"<http://www.medicareaustralia.gov.au>www.medicareaustralia.gov.au", 
and has no alternate names listed.  If you access the site via the 
hostname "<http://medicareaustralia.gov.au>medicareaustralia.gov.au" 
then there is a hostname mis-match, and you will get an error.

The expired issue is a little more complex.  The 
<http://www.medicareaustralia.gov.au>www.medicareaustralia.gov.au 
certificate is valid until August 7th 2012, however it is signed by 
an intermediate certificate that expred on October 24th, 2011.  This 
looks like a huge screw-up on behalf of Verisign who issued the 
certificate - they should never be issuing a cert with an 
intermediate that expires before the cert itself, as it breaks the 
chain of trust.

[But wait a minute, that the same domain as in the URL window]


SSL certs are issued to hostnames, not domains.  The hostname doesn't 
match, thus it's an error.

Added to that, it appears that the same problems exist with at least
some current browsers.


There are zero browser problems here - the browser is doing *exactly* 
what it should be doing.  There is at least one certificate problem 
(cert signed by an expired intermediate) and at least one 
user/website issue (using the incorrect hostname to access the site) 
which could also be considered a certificate issue (no alternate name 
included in the cert for the hostname without www.)

   Scott


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law               University of NSW
Visiting Professor in Computer Science    Australian National University

More information about the Link mailing list