Regarding wildcard certs, OWASP says "bad". Thoughts?

After this January I predict the 4.4% figure below will be eclipsed quickly.

Rule - Do Not Use Wildcard Certificates
You should refrain from using wildcard certificates. Though they are expedient at circumventing annoying user prompts, they also violate the principle of least privilege and ask the user to trust all machines, including developers' machines, the secretary's machine in the lobby and the sign-in kiosk. [...]

Statistics gathered by Qualys for Internet SSL Survey 2010 indicate wildcard certificates have a 4.4% share, so the practice is not standard for public facing hosts. Finally, wildcard certificates violate EV Certificate Guidelines.

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Server_Certificate


Wildcard certificates have advantages but drawbacks too. They should be used carefully.

They increase the risk of virtual host confusion attacks for example:

But they can make configuration simpler, more robust and prevent disclosure of "private" subdomains.

About the OWASP warning, if the wildcard domain is used only on one machine it doesn't apply. The low usage rate could be explained by the high price of wildcard certificates, and the EV violation is not applicable in the Let's Encrypt context.


I agree with @tdelmas. Used correctly, wildcard certificates are not inherently risky. One common, but suboptimal, use is to buy one wildcard certificate, and use it across many different services operated by different teams. This can increase exposure of the private key unnecessarily. But overall, they are not a problem.

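The "trust all machines" point above is really a question of which hostnames a single `*.example.com` name vouches for. The following is an added example, not code posted by anyone in this thread: it implements the wildcard matching rule browsers apply (RFC 6125 section 6.4.3: the wildcard must be the whole leftmost label, matches exactly one label, and at least two literal labels must follow it) and runs it over a constructed, hypothetical host inventory so you can see which machines end up sharing one private key. All hostnames and team names in it are made up.

```python
"""Which hosts does a wildcard name cover? (added example, not from the thread)"""
import re
from typing import Dict, Iterable, List

# Constructed, hypothetical inventory: hostname -> who operates the box.
INVENTORY = {
    "www.example.com": "web team",
    "api.example.com": "platform team",
    "dev-alice.example.com": "developer laptop",
    "lobby-kiosk.example.com": "sign-in kiosk",
    "example.com": "apex host",
    "db.internal.example.com": "database team",
}

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name `pattern` is valid for `hostname`.

    Rules (as browsers apply RFC 6125 section 6.4.3):
      - comparison is case-insensitive, trailing dots ignored
      - a wildcard must be the entire leftmost label ("*.example.com");
        partial-label forms such as "f*.example.com" are rejected
      - "*" matches exactly one label, never zero and never several
      - at least two literal labels must follow the wildcard ("*.com" is rejected)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if not all(_LABEL.match(label) for label in h_labels):
        return False  # not a syntactically valid DNS hostname
    if "*" not in pattern:
        return p_labels == h_labels  # plain name: exact match only
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the whole leftmost label, and the only one
    if len(p_labels) < 3:
        return False  # "*.com" would cover an entire top-level domain
    if len(h_labels) != len(p_labels):
        return False  # "*" covers one label: not the apex, not deeper subdomains
    return h_labels[1:] == p_labels[1:]


def is_wildcard(name: str) -> bool:
    """True for names of the form "*.something"."""
    return name.startswith("*.")


def covered_hosts(san_names: Iterable[str], inventory: Iterable[str]) -> Dict[str, List[str]]:
    """For each SAN entry, list the inventory hostnames that its key would vouch for."""
    return {
        name: sorted(host for host in inventory if wildcard_matches(name, host))
        for name in san_names
    }


def report(san_names: Iterable[str], inventory: Dict[str, str]) -> List[str]:
    """Human-readable lines: one per (SAN, covered host), with the operator of that host."""
    lines = []
    for name, hosts in covered_hosts(san_names, inventory).items():
        tag = "WILDCARD" if is_wildcard(name) else "exact"
        for host in hosts:
            lines.append(f"{name} [{tag}] -> {host} ({inventory[host]})")
    return lines


if __name__ == "__main__":
    # Compare the blast radius of one wildcard name with that of a per-service name.
    for line in report(["*.example.com", "api.example.com"], INVENTORY):
        print(line)
```

Run as-is, it shows that `*.example.com` makes the same private key valid for the web front end, the API, a developer laptop and the lobby kiosk, while leaving the apex and `db.internal.example.com` uncovered; `api.example.com` covers exactly one host. That is the practical content of the OWASP warning, and also why the reply above is right that it does not apply when the wildcard key lives on a single machine.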
