Mozilla Foundation Security Advisory 2014-45

Incorrect IDNA domain name matching for wildcard certificates

Announced
April 29, 2014
Reporter
Christian Heimes
Impact
Moderate
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 29
  • SeaMonkey 2.26

Description

Security researcher Christian Heimes reported that the Network Security Services (NSS) library does not handle IDNA domain prefixes according to RFC 6125 for wildcard certificates. This leads to improper wildcard matching of domains when they should not be matched in compliance with the specification. This issue was fixed in NSS version 3.16.

References