[Users] [Bug 3660] SSL Cert change shown on previously accepted certificates.

Andrej Kacian andrej at kacian.sk
Thu Aug 4 13:39:57 CEST 2016


On Thu, 4 Aug 2016 21:15:36 +1000
blind Pete <peter_s_d at fastmail.com.au> wrote:

> On Thu, 28 Jul 2016 20:09:19 +1000
> blind Pete <peter_s_d at fastmail.com.au> wrote:
> 
> [snip]
> > Case two; one URL, multiple certificates.  Is that 
> > really dangerous?  How? 
> [snip]
> 
> It was a serious question, guys.
> 
> The nearest information that I can find about it is,
> <https://www.kb.cert.org/vuls/id/591120>, but that is about what
> happens when a certificate is fraudulently obtained - not two valid
> certificates.  
> 
> When rarely offered a change of certificate for a site, I read it.  
> When I have to repeatedly click through a random choice of two I am
> likely to be less careful.  
> 

One URL, multiple certificates is easy to "achieve" if the host part of
the URL is a round-robin DNS record, so you're in fact connecting to
several different endpoints. All it takes is for one of them not to have
the latest updated certificate.

That is the case with gmail, as Paul mentioned in a sibling post.

Regards,
-- 
Andrej
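As an added illustration of the round-robin situation described in the reply above (example code, not Claws Mail's own implementation): a hostname that resolves to several endpoints can legitimately present more than one valid certificate, and a trust-on-first-use store that remembers only one fingerprint per host will prompt on every alternation, while a store that remembers every fingerprint the user has accepted prompts once per distinct certificate. The hostname and the "DER" byte strings below are constructed stand-ins; `survey_endpoints` is an optional live check that needs network access and is only called from `__main__`.

```python
"""Trust-on-first-use certificate store that tolerates one host presenting
several certificates (e.g. a round-robin DNS name whose endpoints have not
all been updated).  Added example, not Claws Mail code.  The fingerprints
below are computed from constructed stand-in byte strings, not real certs."""
import hashlib
import socket
import ssl
from collections import defaultdict


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)).upper()


class SingleSlotStore:
    """Remembers exactly one accepted fingerprint per host.  Behind a
    round-robin name this prompts every time the other endpoint answers."""

    def __init__(self):
        self.accepted = {}

    def check(self, host: str, cert_der: bytes) -> bool:
        """Return True when the user would be prompted (new or changed cert)."""
        fp = fingerprint(cert_der)
        if self.accepted.get(host) == fp:
            return False
        self.accepted[host] = fp  # simulate the user clicking "accept"
        return True


class MultiSlotStore:
    """Remembers every fingerprint the user has accepted for a host, so an
    alternate endpoint's certificate is a one-time prompt, not a recurring one."""

    def __init__(self):
        self.accepted = defaultdict(set)

    def check(self, host: str, cert_der: bytes) -> bool:
        """Return True when the user would be prompted (fingerprint not yet accepted)."""
        fp = fingerprint(cert_der)
        if fp in self.accepted[host]:
            return False
        self.accepted[host].add(fp)  # simulate the user clicking "accept"
        return True


# Constructed scenario: one hostname, two backend endpoints, one of which is
# still serving the previous (still valid) certificate.
ROUND_ROBIN = {
    "imap.example.test": [
        b"constructed-der-bytes-endpoint-A-new-cert",
        b"constructed-der-bytes-endpoint-B-old-cert",
    ]
}


def simulate(store, host: str, connections: int) -> int:
    """Connect `connections` times, alternating between the endpoints, and
    count how many of those connections would prompt the user."""
    certs = ROUND_ROBIN[host]
    return sum(store.check(host, certs[i % len(certs)]) for i in range(connections))


def survey_endpoints(host: str, port: int = 443) -> dict:
    """Live check (needs network): resolve every address behind `host`,
    handshake with each one using SNI, and return {ip: leaf fingerprint}.
    Distinct values confirm that the name fronts endpoints with different certs."""
    ctx = ssl.create_default_context()
    seen = {}
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip in seen:
            continue
        with socket.create_connection((ip, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                seen[ip] = fingerprint(tls.getpeercert(binary_form=True))
    return seen


if __name__ == "__main__":
    print("single-slot prompts over 6 connections:",
          simulate(SingleSlotStore(), "imap.example.test", 6))
    print("multi-slot prompts over 6 connections: ",
          simulate(MultiSlotStore(), "imap.example.test", 6))
```

Running the simulation shows the single-slot store prompting on all six connections and the multi-slot store prompting twice, once per certificate; pointing `survey_endpoints` at a real round-robin name such as the gmail host mentioned above lets you see how many distinct leaf certificates its addresses actually serve.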


