[HTTPS-E Rulesets] YouTube rule and embedded video
Osama Khalid
osamak at gnu.org
Sun May 8 20:44:44 PDT 2011
On Sun, May 08, 2011 at 04:03:59PM -0700, Seth David Schoen wrote:
> That's fascinating! I should probably talk with someone at YouTube
> or Adobe to find out if this introduces any vulnerability, because
> crossdomain.xml is the cross-domain policy for Adobe Flash Player.
Nice.
Is it possible that it has something to do with the fact that the
certificate covers several domains while the "Common Name" is just
"*.google.com"? Wget couldn't resolve it and showed:
ERROR: certificate common name “*.google.com” doesn’t match
requested host name “www.youtube.com”.
Maybe Flash has a similar bug?
--Osama Khalid
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.eff.org/pipermail/https-everywhere-rules/attachments/20110509/ff2e82ac/attachment.sig>
More information about the HTTPS-Everywhere-Rules
mailing list