@sleevi_ *http://band.example.com has an asterisk in the leftmost position. So does *bar*.example.net and *f*c*.example.org
-
-
Replying to @mik235
@mik235@pzb@sleevi_ I read it the same way as Peter. Regardless, I removed support for *http://x.example.com and x*.example.com from Fx.1 reply 0 retweets 0 likes -
Replying to @BRIAN_____
@BRIAN_____@mik235@pzb Right, as we did in Chrome. So *shrug*1 reply 0 retweets 0 likes -
Replying to @sleevi_
@sleevi_@BRIAN_____@pzb so the CAs may choose to sign them, but the customer will have a useless certificate2 replies 0 retweets 0 likes -
Replying to @mik235
@mik235@BRIAN_____@pzb Useless for browsers, but that doesn't mean there aren't attack scenarios that they might leverage.1 reply 0 retweets 0 likes -
Replying to @sleevi_
@sleevi_@BRIAN_____@pzb HA! Browsers are the only program I've ever seen that even verifies the trust chain, let alone hostname stuff...1 reply 0 retweets 0 likes -
Replying to @mik235
@mik235@BRIAN_____@pzb Go does. AIUI Ruby does now, thanks to@bascule (AIUI). Python does, due to@ChristianHeimes. The world gets better2 replies 0 retweets 0 likes -
Replying to @sleevi_
@sleevi_@mik235@BRIAN_____@pzb@ChristianHeimes Ruby hostname verification fixes shipping soon. CVE-2015-1855: https://github.com/ruby/openssl/pull/12/files …2 replies 1 retweet 0 likes
@ChristianHeimes @mik235 @sleevi_ @BRIAN_____ @pzb yeah, the IDNA, and also *.*.* lol ;_;
-
-
Replying to @ChristianHeimes
@ChristianHeimes@mik235@sleevi_@BRIAN_____@pzb yeah, I suppose the other cool thing about my patch is it does away with all regexps0 replies 0 retweets 2 likes
End of conversation
New conversation
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.