- cross-posted to:
- cybersecurity@sh.itjust.works
- cross-posted to:
- cybersecurity@sh.itjust.works
Happy birthday to Let’s Encrypt !
Huge thanks to everyone involved in making HTTPS available to everyone for free !
Happy birthday to Let’s Encrypt !
Huge thanks to everyone involved in making HTTPS available to everyone for free !
If one system is somehow compromised, the attacker could effectively impersonate all the systems on your entire domain if they had the wildcard cert. Maybe it’s not a huge deal for individuals but for companies or other organisations it could be extremely dangerous.
If someone wanted a wildcard cert at work I would be very cautious before I even considered issuing one. Unfortunately there are a few wildcard certs on our domain, but those are from before my time.
Having a certificate for any subdomain has implications for other sibling domains, even without a wildcard certificate.
By default, web browsers are a lot less strict about Same Origin Policy for sibling domains, which enables a lot of web-based attacks (like CSRF and cookie stealing) if your able to hijack any subdomain