[Users] [Bug 3660] SSL Cert change shown on previously accepted certificates.
blind Pete
peter_s_d at fastmail.com.au
Mon Aug 8 07:40:04 CEST 2016
On Thu, 4 Aug 2016 13:39:57 +0200
Andrej Kacian <andrej at kacian.sk> wrote:
> On Thu, 4 Aug 2016 21:15:36 +1000
> blind Pete <peter_s_d at fastmail.com.au> wrote:
>
> > On Thu, 28 Jul 2016 20:09:19 +1000
> > blind Pete <peter_s_d at fastmail.com.au> wrote:
> >
> > [snip]
> > > Case two; one URL, multiple certificates. Is that
> > > really dangerous? How?
> > [snip]
> >
> > It was a serious question guys.
> >
> > The nearest information that I can find about it is,
> > <https://www.kb.cert.org/vuls/id/591120>, but that is about what
> > happens when a certificate is fraudulently obtained - not two valid
> > certificates.
> >
> > When rarely offered a change of certificate for a site, I read it.
> > When I have to repeatedly click through a random choice of two I am
> > likely to be less careful.
> >
>
> One URL, multiple certificates is easy to "achieve" if the host part
> of the URL is a round-robin DNS record, so you're in fact connecting
> to several different endpoints. All it takes is for one of them not
> having the latest updated certificate.
>
> That is the case with gmail, like Paul mentioned in sibling post.
>
> Regards,

OK I am very slowly getting somewhere.
That is exactly the case that I was thinking of, and I suspect that
the original poster was thinking of that too.
It might take Gmail a few hours to propagate new certificates, but
that is a very minor risk compared to everything else that I was
thinking of.
--
testing
bP
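
The round-robin case discussed in this thread can be checked directly by asking every address behind the name for its certificate and grouping the addresses by fingerprint. The sketch below is an added example, not code from the thread or from the mail client; the default port 993 (IMAPS), the host name `mail.example.test` and the `SAMPLE` data are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl
from collections import defaultdict

def resolve_all(host, port):
    """Every distinct address the name resolves to right now."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def fetch_leaf_der(addr, host, port, timeout=5.0):
    """Connect to one address (SNI = host); return the leaf certificate as DER."""
    ctx = ssl.create_default_context()
    # Survey only: record what each endpoint presents, valid or not.
    # Never reuse this unverified context to carry mail or credentials.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def survey(host, port=993, resolve=resolve_all, fetch=fetch_leaf_der):
    """Map SHA-256 fingerprint -> addresses presenting that certificate."""
    by_fp = defaultdict(list)
    for addr in resolve(host, port):
        try:
            der = fetch(addr, host, port)
        except OSError as exc:  # covers ssl.SSLError, timeouts, refusals
            by_fp["error:" + type(exc).__name__].append(addr)
            continue
        by_fp[hashlib.sha256(der).hexdigest()].append(addr)
    return dict(by_fp)

# Constructed stand-ins so the example runs offline: three endpoints behind
# one name, one of which still serves the previous certificate.
SAMPLE = {"192.0.2.1": b"old-cert", "192.0.2.2": b"new-cert", "192.0.2.3": b"new-cert"}

def sample_survey():
    return survey("mail.example.test",
                  resolve=lambda host, port: sorted(SAMPLE),
                  fetch=lambda addr, host, port: SAMPLE[addr])

if __name__ == "__main__":
    for fp, addrs in sample_survey().items():
        print(fp[:16], addrs)
```

More than one fingerprint in the result, each tied to different addresses of the same name, matches the stale-endpoint situation described above; calling `survey("your.mail.host")` without the stand-ins performs the live check.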