by troyjfarrell 3131 days ago
Do you have an opinion on Sandstorm's use of wildcard certificates and randomized hostnames for each application session? [0] They insist that this provides many desirable security features. (Note that the free HTTPS certificates provided by the Sandcats.io service are renewed every week. [1])

[0] https://docs.sandstorm.io/en/latest/administering/wildcard/#...

[1] https://docs.sandstorm.io/en/latest/administering/sandcats/#...


I'm the tech lead of Sandstorm, not dijit, but let me see if I can interpret his views relative to Sandstorm.

dijit's complaints seem to focus on the case where a wildcard is shared by many logically separate services, as a convenience vs. getting a separate cert for each. This is probably the most common use of wildcards in practice, and it is indeed bad.

None of dijit's complaints apply to the case where the entire wildcard is really served from a single logical service that needs to generate lots of short-lived hostnames for browser-side sandboxing purposes, which is what Sandstorm is doing. Sandstorm is possibly the only infrastructure in existence which is trying to do this at a scale that legitimately cannot be solved without wildcards.

I think dijit is trying to say that each logical service should have its own certificate that does not overlap with any other service. For this purpose, a Sandstorm server is logically only one service, and as long as no other services serve from the same domain, the properties dijit is worried about should be no different from a service with a non-wildcard cert.
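One way to make that distinction concrete, as an added example that is not from this thread or from Sandstorm's code: a matcher that applies the RFC 6125 single-label wildcard rule, a hypothetical per-session hostname format, and an audit over a constructed hostname inventory that reports how many logical services a wildcard would end up covering.

```python
import re
import secrets

# Constructed example pattern; not Sandstorm's or Sandcats.io's real configuration.
WILDCARD = "*.example.com"


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a single leading '*' matches exactly one DNS label,
    so '*.example.com' covers 'app.example.com' but not 'a.b.example.com'
    and not the bare 'example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    # The wildcard label must be one well-formed DNS label, nothing more.
    return bool(re.fullmatch(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", label))


def session_hostname(pattern: str) -> str:
    """Mint a random, short-lived hostname under the wildcard, as a browser-side
    sandboxing scheme like the one described above would (hypothetical format)."""
    return "ui-" + secrets.token_hex(8) + pattern[1:]


def audit_overlap(pattern: str, inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group the hostnames covered by `pattern` by the logical service owning them.
    Several services in the result is the shared-wildcard case dijit warns about;
    exactly one service is the single-service case the reply describes."""
    covered: dict[str, list[str]] = {}
    for host, service in inventory.items():
        if wildcard_covers(pattern, host):
            covered.setdefault(service, []).append(host)
    return covered


# Constructed inventory: hostname -> owning service.
INVENTORY = {
    "mail.example.com": "mail",
    "wiki.example.com": "wiki",
    "example.com": "www",
    "deep.internal.example.com": "internal",
}
```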