Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Heinrich Strauss heinrich at
Sat Sep 10 08:47:02 UTC 2011

On 2011/09/10 05:06, Michael DeMan wrote:
> Sorry for being ignorant here - I have not even been aware that it is possible to buy a '*.*.com' domain at all.
> I thought wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'.
Given a private network and the need to monitor it in a private 
company[1], we generated a certificate like this for internal use signed 
by a company-internal trusted certificate authority.

Also, given the Subject Alternative Name extension, it is quite possible 
to generate a "godmode" certificate for gracefully redirecting proxied 
HTTPS requests to an "Access Denied" page or even 
nefarious-purpose-logging machine.
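The thread turns on how far a wildcard entry can reach, whether in the CN or in Subject Alternative Name. The following is an added example, not code from the thread or from any of its posters, that audits the DNS names found in a certificate against RFC 6125 wildcard rules and flags entries scoped at a public suffix (such as `*.com` or `*.*.com`); the public-suffix set and the sample names are constructed placeholders.

```python
# Added example (not from the thread): a defender-side audit that flags
# over-broad wildcard entries in a certificate's DNS names (CN or SAN).
# Rules follow RFC 6125 section 6.4.3 wildcard matching, plus a check that
# the part after the wildcard is not a registry-controlled suffix.

# Assumption: a tiny stand-in for the public suffix list. A real audit
# would load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "tld", "co.uk"}

# Constructed sample, standing in for names extracted from a certificate.
SAMPLE_SAN_NAMES = [
    "*.*.com",            # the entry discussed in the thread
    "*.com",
    "*.mydomain.tld",     # normal, acceptable wildcard
    "www.example.com",
    "www.*.com",
    "f*.example.com",
]


def _is_public_suffix(labels):
    """True if the joined labels name a registry-controlled suffix."""
    return ".".join(labels) in PUBLIC_SUFFIXES


def check_dns_name(name):
    """Return a list of findings for one DNS name; empty means acceptable."""
    findings = []
    labels = name.lower().rstrip(".").split(".")
    wild = [i for i, lab in enumerate(labels) if "*" in lab]
    if not wild:
        return findings
    if len(wild) > 1:
        findings.append("multiple wildcard labels")          # *.*.com
    if wild[0] != 0:
        findings.append("wildcard not in leftmost label")    # www.*.com
    if any(labels[i] != "*" for i in wild):
        findings.append("partial-label wildcard")            # f*.example.com
    rest = labels[wild[-1] + 1:]
    if not rest or _is_public_suffix(rest):
        findings.append("wildcard covers a public suffix")   # *.com
    return findings


def audit_names(names):
    """Map each DNS name that has findings to its list of findings."""
    report = {}
    for n in names:
        f = check_dns_name(n)
        if f:
            report[n] = f
    return report


if __name__ == "__main__":
    for n, f in audit_names(SAMPLE_SAN_NAMES).items():
        print(n, "->", ", ".join(f))
```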

More information about the NANOG mailing list