• 5redie8@sh.itjust.works
    4 months ago

    They used a wildcard SSL for all of their clients to transact all information.

    glances at my home server setup nervously

    • foggy@lemmy.world
      4 months ago

      Lol you can totally do it in a home server application. It’s even okay if I’m an e-commerce store to use wildcard for example.com and shop.example.com. Not a best practice, but not idiotic.

      Not idiotic unless you also have a hq.example.com that forwards a port into your internal network…

      …where ftp://hq.example.com takes you to an insecure password shield, and behind it is the SSL certificate, just chillin for anyone to snag and use as a key to deobfuscate all that SSL traffic, going across your network, your shop, your whole domain.
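
An added example, not part of the thread: a small audit that groups hosts by the certificate key they hold and reports which names that key covers when one holder also exposes a weak service. The inventory, the `WEAK_SERVICES` set and the certificate labels are constructed assumptions.

```python
# Constructed inventory (not from the thread): which host stores which cert's private key.
WILD = ["example.com", "*.example.com"]
INVENTORY = [
    {"host": "example.com", "cert": "wild-1", "sans": WILD, "exposed": ["https"]},
    {"host": "shop.example.com", "cert": "wild-1", "sans": WILD, "exposed": ["https"]},
    {"host": "hq.example.com", "cert": "wild-1", "sans": WILD, "exposed": ["ftp", "https"]},
    {"host": "mail.example.com", "cert": "mail-1", "sans": ["mail.example.com"],
     "exposed": ["smtps"]},
]
WEAK_SERVICES = {"ftp", "telnet"}  # assumption: services treated as weakly protected


def san_matches(san, hostname):
    """RFC 6125-style match: '*' is the whole leftmost label and covers exactly one label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    head, _, tail = hostname.partition(".")
    return bool(head) and tail == san[2:]


def blast_radius(inventory, weak=WEAK_SERVICES):
    """Per certificate: who holds the key, which known names it covers, which holders are weak."""
    by_cert = {}
    for entry in inventory:
        by_cert.setdefault(entry["cert"], []).append(entry)
    names = [entry["host"] for entry in inventory]
    report = {}
    for cert, entries in by_cert.items():
        sans = entries[0]["sans"]
        covered = sorted(n for n in names if any(san_matches(s, n) for s in sans))
        weak_holders = sorted(e["host"] for e in entries if weak & set(e["exposed"]))
        report[cert] = {
            "holders": sorted(e["host"] for e in entries),
            "covered": covered,
            "weak_holders": weak_holders,
            # One weak holder puts every covered name at risk, not just that host.
            "at_risk": bool(weak_holders) and len(covered) > 1,
        }
    return report


if __name__ == "__main__":
    for cert, info in blast_radius(INVENTORY).items():
        print(cert, info)
```

Note that the wildcard key also covers `mail.example.com`, even though that host has its own single-name certificate.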