[LINK] More on the Uselessness of Dig Sig Certs
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Jul 17 14:37:38 AEST 2012
At 20:47 -0700 16/7/12, Scott Howard wrote:
At 3:51 +0000 17/7/12, Kim Davies wrote:
> ... [clear explanations] ...
Thanks for that.
But I don't agree with this bit from Scott:
>There are zero browser problems here - the browser is doing
>*exactly* what it should be doing. ...
Safari 4.1.3 displays two different error-messages at different
stages, which confuses mug punters and gives them more reasons to
ignore the gobbledygook and just click <Okay>.
And how about the designer offering something constructive, like:
<click here to email the site's webmaster to notify them of the problem>?
________________________________________________________________________
On Mon, Jul 16, 2012 at 8:29 PM, Roger Clarke
<Roger.Clarke at xamax.com.au> wrote:
What's a mug punter meant to make of this?
Attempts to access
https://www.medicareaustralia.gov.au/
https://medicareaustralia.gov.au/
generate errors,
and the errors are inconsistent between browsers, and/or wrong.
(1) Safari 4.1.3 displays a small box containing:
>The certificate for this web-site has expired
[re-typed, because the idiot programmer made that message uncopiable]
When you expand the box, you get a *different* error-message:
>This certificate is not valid (host name mismatch).
Better yet, the names match, and the certificate is shown as date-valid.
Well.. Yes, and no.
The certificate being used is for
"www.medicareaustralia.gov.au",
and has no alternate names listed. If you access the site via the
hostname "medicareaustralia.gov.au"
then there is a hostname mis-match, and you will get an error.
The expired issue is a little more complex. The
www.medicareaustralia.gov.au
certificate is valid until August 7th 2012, however it is signed by
an intermediate certificate that expired on October 24th, 2011. This
looks like a huge screw-up on behalf of Verisign who issued the
certificate - they should never be issuing a cert with an
intermediate that expires before the cert itself, as it breaks the
chain of trust.
[But wait a minute, that's the same domain as in the URL window]
SSL certs are issued to hostnames, not domains. The hostname doesn't
match, thus it's an error.
Added to that, it appears that the same problems exist with at least
some current browsers.
There are zero browser problems here - the browser is doing *exactly*
what it should be doing. There is at least one certificate problem
(cert signed by an expired intermediate) and at least one
user/website issue (using the incorrect hostname to access the site)
which could also be considered a certificate issue (no alternate name
included in the cert for the hostname without www.)
Scott
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Faculty of Law University of NSW
Visiting Professor in Computer Science Australian National University
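Scott's two findings, hostname mismatch and a leaf signed by an already-expired intermediate, reproduced as an added example that is not from anyone in the thread: it builds a constructed chain of the same shape with Go's standard x509 package and then verifies it the way a browser would. The root, intermediate, serials and NotBefore dates are made up; only the two expiry dates and the hostnames come from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func ymd(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
func ca(name string, from, to time.Time, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, NotBefore: from,
		NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// sign issues tmpl from parent (self-signed when parent is nil) with a fresh P-256 key. Nothing at
// issuance stops a leaf being given a NotAfter later than its intermediate's, which is the bug in the thread.
func sign(tmpl, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain recreates the chain shape from the thread with constructed certificates (not the real Medicare
// or VeriSign ones): an intermediate that expired 24 Oct 2011 signs a leaf valid until 7 Aug 2012 for www only.
func BuildChain() (root, inter, leaf *x509.Certificate) {
	root, rootKey := sign(ca("Test Root", ymd(2005, 1, 1), ymd(2030, 1, 1), 1), nil, nil)
	inter, interKey := sign(ca("Test Intermediate", ymd(2006, 10, 24), ymd(2011, 10, 24), 2), root, rootKey)
	leaf, _ = sign(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.medicareaustralia.gov.au"},
		DNSNames: []string{"www.medicareaustralia.gov.au"}, NotBefore: ymd(2011, 8, 7), NotAfter: ymd(2012, 8, 7)}, inter, interKey)
	return root, inter, leaf
}

// Verify does what the browser does as of time at: check host against the SANs, then walk the chain to the
// root. It returns "ok" or the x509 error text (hostname mismatch, or an untrusted chain naming the expired intermediate).
func Verify(host string, at time.Time, root, inter, leaf *x509.Certificate) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters, CurrentTime: at}); err != nil {
		return err.Error()
	}
	return "ok"
}
```

Checked as of 16 July 2012, the bare domain fails on the hostname before the chain is even examined, and the www host fails with an unknown-authority error that names the expired intermediate; the same www check dated before 24 October 2011 passes.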