Happy birthday to Let’s Encrypt!

Huge thanks to everyone involved in making HTTPS available to everyone for free!

  • lud@lemm.ee
    23 hours ago

    If one system is somehow compromised, the attacker could effectively impersonate all the systems on your entire domain if they had the wildcard cert. Maybe it’s not a huge deal for individuals but for companies or other organisations it could be extremely dangerous.

    If someone wanted a wildcard cert at work I would be very cautious before I even considered issuing one. Unfortunately there are a few wildcard certs on our domain, but those are from before my time.

    • pcouy@lemmy.pierre-couy.frOP
      13 hours ago

      Having a certificate for any subdomain has implications for other sibling domains, even without a wildcard certificate.

      By default, web browsers are a lot less strict about Same Origin Policy for sibling domains, which enables a lot of web-based attacks (like CSRF and cookie stealing) if you're able to hijack any subdomain.
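
An added example, not part of the thread above: a small audit that classifies `Set-Cookie` headers by how exposed they are to sibling subdomains, which is the cookie side of the point made in the last comment. The host name, the header lines and all function names are constructed for illustration.

```python
def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attrs); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def sibling_exposure(header, host):
    """Describe how a cookie set by `host` is exposed to sibling subdomains."""
    name, attrs = parse_set_cookie(header)
    host = host.lower()
    domain = attrs.get("domain", "").lstrip(".").lower()
    # A Domain attribute naming a parent of `host` makes the browser send the
    # cookie to every subdomain of that parent, siblings included.
    sent_to_siblings = bool(domain) and host.endswith("." + domain)
    # Browsers accept a __Host- cookie only when it is Secure, has Path=/ and
    # carries no Domain attribute, so a sibling cannot set one for this host.
    host_locked = (
        name.startswith("__Host-")
        and "secure" in attrs
        and attrs.get("path") == "/"
        and "domain" not in attrs
    )
    return {"name": name,
            "sent_to_siblings": sent_to_siblings,
            "sibling_can_overwrite": not host_locked}


def audit(headers, host):
    """Names of cookies a compromised sibling subdomain could receive or overwrite."""
    results = [sibling_exposure(h, host) for h in headers]
    return [r["name"] for r in results
            if r["sent_to_siblings"] or r["sibling_can_overwrite"]]


SAMPLE_HOST = "app.example.com"  # constructed sample host
SAMPLE_HEADERS = [               # constructed sample headers
    "session=abc; Domain=example.com; Secure; HttpOnly",
    "prefs=dark; Path=/; Secure",
    "__Host-sid=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(sibling_exposure(h, SAMPLE_HOST))
```

Only the `__Host-` cookie in the sample is isolated from siblings; the other two are flagged by `audit`.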