Mozilla Foundation Security Advisory 2010-70

SSL wildcard certificate matching IP addresses

Announced
October 19, 2010
Reporter
Richard Moore
Impact
Moderate
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.14
  • Firefox 3.6.11
  • SeaMonkey 2.0.9
  • Thunderbird 3.0.9
  • Thunderbird 3.1.5

Description

Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority.

References