LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for July 2, 2009

RealtimeKit and the audio problem

VFAT patent avoidance and patent workarounds

LWN.net Weekly Edition for June 25, 2009

Apache attacked by a "slow loris"

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Firefox security status

Firefox security status

Posted Jun 7, 2007 19:49 UTC (Thu) by Los__D (subscriber, #15263)
In reply to: Firefox security status by Thalience
Parent article: Firefox security status

Not true anymore.

The problem originally was that the certificate needs to be served before the headers can be decoded.

If you use the same certificate for all sites (now possible by having them all mentioned in the certificate using subjectAltName), there's no problem.

(Log in to post comments)

Firefox security status

Posted Jun 8, 2007 18:11 UTC (Fri) by jengelh (subscriber, #33263) [Link]

Do it the Sourceforge way. One certificate for "sourceforge.net"/www.sourceforge.net, and one for "*.sourceforge.net" that works for all the user projects.

Firefox security status

Posted Jun 8, 2007 21:19 UTC (Fri) by Los__D (subscriber, #15263) [Link]

I can't see how that would work with one IP/virtual hosts?

Before knowing which certificate to show, it'll need to know the hostname, before it can get to the hostname, it needs to decrypt, before it can decrypt, it needs to show a certificate, before knowing which certificate to show, it... And so on, and so forth...

Firefox security status

Posted Jun 8, 2007 21:32 UTC (Fri) by jengelh (subscriber, #33263) [Link]

The ten or so web servers that serve the projects' pages (http://yourproject.sf.net/) all serve exactly one certificate, which certifies "*.sourceforge.net" (yes, this literal string with an asterisk, w/o quotes). Most browsers support this wildcard.
(Minus the fact that project pages are not reachable over https right now...)

Firefox security status

Posted Jun 8, 2007 21:40 UTC (Fri) by Los__D (subscriber, #15263) [Link]

Of course, but you'd still need a seperate IP for the www.sf.net cert(and another for www.sourceforge.net and *.sourceforge.net), if you didn't use subjectAltName

Firefox security status

Posted Jun 8, 2007 21:56 UTC (Fri) by jengelh (subscriber, #33263) [Link]

I never claimed projects.sf.net is the same as www.sf.net. You would have found out by running /usr/bin/host anyway.

Firefox security status

Posted Jun 8, 2007 22:02 UTC (Fri) by Los__D (subscriber, #15263) [Link]

We were discussing if one will need more than one IP for several hosts, I thought that your www.sf.net/*.sf.net suggestion was about using one IP, also for www.sf.net.

I was obviously mistaken.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds