
I have a domain with a wildcard SSL certificate (i.e. "*.example.com"). I also develop using WAMP setups, which I would like to be able to test HTTPS on.

There are several tutorials on how to set up a self-signed certificate on a WAMP, but since I already have a wildcard certificate for my domain, I thought I might as well use that and save me a bit of time.

Is it safe (security-wise) to create a DNS record "localhost.example.com" pointing to 127.0.0.1 (and 0:0:0:0:0:0:0:1 for IPv6) while using a wildcard SSL certificate for *.example.com?

1 Answer

It is not a good idea to have a public DNS record which points to a non-public IP address. This can be used to circumvent same origin policies by exploiting issues on internal systems. For more details see http://www.securityfocus.com/archive/1/486606, where a vulnerability in CUPS on localhost was exploited this way.

Probably easier and definitely safer would be to just add a local record in the hosts file of your machine. In this case the impact of any such exploit would be restricted to your machine.
  • Not quite the answer I wanted to hear, but all the more the answer I needed to hear. The linked article does state that it's a DNS misconfiguration that is causing the security risk. Is it really only misconfiguration or is it the general principle of non-public IPs that is the problem?
    – Martijn
    Commented Jul 4, 2014 at 10:25
  • The misconfiguration was that non-public (and thus widely used internally) addresses were used on public DNS, e.g. exactly what you proposed but what you did see as a feature and not a misconfiguration.
    Commented Jul 4, 2014 at 10:59
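An added example, not part of the answer above, that turns the answer's two points into something checkable: an audit that flags public DNS records whose A/AAAA targets are loopback, private or otherwise non-routable addresses (the pattern the answer warns against), and the hosts-file lines that give the same name locally without publishing it. The zone records are constructed sample data for the question's example.com, not a real zone export; the Windows hosts path in the docstring is the standard location for a WAMP machine.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample zone records (name, type, value) for the domain in the
# question. Made-up values, not a real zone export.
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("www.example.com", "A", "8.8.8.8"),                 # public address: fine
    ("localhost.example.com", "A", "127.0.0.1"),          # loopback: what the question proposes
    ("localhost.example.com", "AAAA", "0:0:0:0:0:0:0:1"),  # IPv6 loopback
    ("intranet.example.com", "A", "10.0.0.5"),            # RFC 1918: also non-public
    ("mail.example.com", "MX", "10 mx.example.com"),      # not an address record, ignored
]


def classify(address: str) -> str:
    """Return why an address is not globally routable, or 'global' if it is."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_unspecified:
        return "unspecified"
    if not ip.is_global:
        return "reserved"
    return "global"


def find_non_public_records(records):
    """Return (name, type, value, reason) for every A/AAAA record whose target
    is not a globally routable address, i.e. a record that would let a public
    name resolve to a machine's own or internal network."""
    findings = []
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            reason = classify(value)
        except ValueError:
            findings.append((name, rtype, value, "unparsable"))
            continue
        if reason != "global":
            findings.append((name, rtype, value, reason))
    return findings


def hosts_file_lines(hostname: str) -> List[str]:
    """Lines to add to the local hosts file (on Windows:
    C:\\Windows\\System32\\drivers\\etc\\hosts) so that the name resolves to
    loopback on this machine only, with nothing published in public DNS."""
    return [f"127.0.0.1 {hostname}", f"::1 {hostname}"]


if __name__ == "__main__":
    for finding in find_non_public_records(SAMPLE_RECORDS):
        print("non-public DNS target:", finding)
    print("\n".join(hosts_file_lines("localhost.example.com")))
```

Run against the sample zone the audit reports the two localhost.example.com records and the intranet record; the hosts-file lines are what you would add instead, and the wildcard certificate still matches the name because the browser only compares the hostname, not where it resolved from.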
