> From: launchpad-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:launchpad-users-
> > (still bogus, because its security certificate is completely
> > invalid, and does not pass the HTTPS validation performed in browsers,
> > as it attempts to reuse a certificate made only for the main server,
> > and not suitable for the new specific "staging.*" subdomain.)
>
> I have seen this problem before, but I am unable to reproduce it now.
> If you have reliable steps to reproduce the problem (i.e. steps that
> work the second time someone follows them, not just the first time),
> please report it as a bug
> <https://bugs.launchpad.net/launchpad/+filebug>.

Then try with IE7. The certificate is ALWAYS rejected, and the HTTPS URL displays in red in the address bar if you agree to use it, with a warning saying that the certificate was not issued for the subdomain, but only for the main domain. You can retry it again and again over all URLs; the certificate remains invalid.

Only Mozilla/Firefox seems to accept it, but I think that it is wrong, and should not reuse the certificate for a subdomain, for security reasons (if not convinced, consider detailing the process of validating a certificate and see how domain identity is asserted and verified).

The certificate has been validated only according to the policy of the .net TLD, assuming that the site identity is verified by the .net registry with the info provided by you at the registrar. On the contrary, the subdomain is not authenticated but is created by you only within your own DNS, without the registry being able to verify anything. So if your DNS gets hacked, there's no other SOA available to assert that the certificate is valid for the new domain.

This is dangerous because you are hosting websites (hosts) for other projects, and at any time, some malicious hosted project, created for a short time before you discover it, could be used to perform "secured" authentication by reusing your site certificate.

This could turn your site into a malicious source of authentication for performing transactions considered "secure", even though the subsite may be malicious and not really authenticated. And you're placing your certificate at risk of being exploited for other unintended uses. There exist exploits of such things, used by worms or phishers. My opinion is that this is a severe security bug of Mozilla/Firefox that does not respect the certificate contract.
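
Added example, not part of the original message or of Launchpad's code: a simplified form of the host name check a TLS client applies to a certificate's DNS names (RFC 6125 rules), which an operator can run over the hosts a certificate is deployed on to see which ones will raise a name-mismatch warning. The `example.net` names, the function names and the rule that a wildcard needs at least three labels are assumptions made for this sketch.

```python
def name_matches(cert_name: str, host: str) -> bool:
    """Compare one DNS name from a certificate with a requested host name."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False  # a name never covers deeper or shallower hosts
    if pattern[0] == "*":
        # Wildcard must be the entire leftmost label and stands for exactly
        # one label. Requiring >= 3 labels (no "*.net") is a conservative
        # choice of this example.
        return len(pattern) >= 3 and pattern[1:] == labels[1:]
    # Partial wildcards such as "st*.example.net" are treated as literals,
    # so they never match a real host name.
    return pattern == labels


def host_covered(cert_names, host):
    """True if any DNS name in the certificate covers the host."""
    return any(name_matches(name, host) for name in cert_names)


def audit(cert_names, hosts):
    """Return the hosts on which this certificate fails name validation."""
    return [h for h in hosts if not host_covered(cert_names, h)]


# Constructed sample data: a certificate issued for the main site only,
# a wildcard certificate, and the hosts they might be served from.
MAIN_ONLY = ["example.net", "www.example.net"]
WILDCARD = ["*.example.net"]
HOSTS = ["example.net", "staging.example.net", "bugs.staging.example.net"]

if __name__ == "__main__":
    print("main-only cert fails on:", audit(MAIN_ONLY, HOSTS))
    print("wildcard cert fails on: ", audit(WILDCARD, HOSTS))
```
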
This is the launchpad-users mailing list archive — see also the general help for Launchpad.net mailing lists.