Comment Re:Only as secure as the gate-keeper. (Score 1) 280
This isn't really a browser issue.
The browser is going "Show me that this cert is valid for paypal.com" and the CA is going "Here it is, for paypal.com", at least as far as the browser is concerned.
This is no more a flaw than if the CA just started letting anyone buy certs for paypal.com.
Having multiple CAs (and cheap CAs) is a good thing, but we're only ever as secure with SSL as the least secure CA.
As far as I understand, it's more like:
* Browser gets cert for Paypal.com\0.badguy.com from the server
* Browser reads domain from cert, but does so invalidly, and only gets Paypal.com
* etc
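The two views above differ on where the name check goes wrong, so here is the shape of the bug as a runnable illustration. This is an added example, not code from either poster or from any real browser or CA: the certificate Common Name is modelled as a length-prefixed byte string (the way DER carries it), the constructed sample `"paypal.com\0.badguy.com"` follows the shape in the post, and `ca_registered_domain_ok`, `vulnerable_host_matches` and `fixed_host_matches` are hypothetical names for the three checks involved.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A Common Name as it sits in DER: explicit length, no terminator guaranteed. */
typedef struct {
    const unsigned char *data;
    size_t len;
} cn_t;

/* Constructed sample: the CN the attacker asks the CA to sign.
 * sizeof() counts the literal's trailing NUL, so subtract it to get the DER length (22). */
static const unsigned char evil_cn_bytes[] = "paypal.com\0.badguy.com";
static const cn_t EVIL_CN = { evil_cn_bytes, sizeof(evil_cn_bytes) - 1 };

/* Constructed sample: an honest CN for comparison. */
static const unsigned char good_cn_bytes[] = "paypal.com";
static const cn_t GOOD_CN = { good_cn_bytes, sizeof(good_cn_bytes) - 1 };

/* What a CA that only checks the registered domain sees: a full-length suffix
 * compare over all 22 bytes, which really does end in ".badguy.com". Since the
 * applicant controls badguy.com, the CA signs the whole string, NUL included. */
bool ca_registered_domain_ok(const cn_t *cn, const char *registered)
{
    size_t rlen = strlen(registered);
    if (cn->len < rlen)
        return false;
    if (cn->len > rlen && cn->data[cn->len - rlen - 1] != '.')
        return false; /* must sit on a label boundary */
    return memcmp(cn->data + cn->len - rlen, registered, rlen) == 0;
}

/* The browser-side bug: the DER bytes are handed to a C-string routine.
 * strcmp stops at the first NUL, so "paypal.com\0.badguy.com" == "paypal.com".
 * (Safe to call here only because the sample literal carries a trailing NUL.) */
bool vulnerable_host_matches(const cn_t *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* The fix: treat the name as bytes with a length. Reject any embedded NUL
 * outright, then require an exact length-and-content match. */
bool fixed_host_matches(const cn_t *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;
    size_t hlen = strlen(host);
    return cn->len == hlen && memcmp(cn->data, host, hlen) == 0;
}

int main(void)
{
    printf("CA accepts evil CN for badguy.com:      %d\n", ca_registered_domain_ok(&EVIL_CN, "badguy.com"));
    printf("vulnerable browser matches paypal.com:  %d\n", vulnerable_host_matches(&EVIL_CN, "paypal.com"));
    printf("fixed browser matches paypal.com:       %d\n", fixed_host_matches(&EVIL_CN, "paypal.com"));
    printf("fixed browser matches honest CN:        %d\n", fixed_host_matches(&GOOD_CN, "paypal.com"));
    return 0;
}
```

The example deliberately ignores case folding, wildcards and Subject Alternative Names; the only point it makes is that the CA and the browser must look at the same bytes, and that a length-aware compare with an embedded-NUL check removes the disagreement.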