Suppose a leaf node creates a certificate for a different domain, acting as a CA.
Do most popular frameworks, or SSL chain validation tools verify the constraints? Are there any I should be concerned with, and remove from my production environment?
Should I be concerned with CA's issuing certificates without basic constraints?
How can I protect my website (as a server operator), and my web browsing session (as a consumer) from certificates generated by leaf nodes, or improperly configured CAs?
Up to a few years ago (something like 2003 or 2004, if I remember correctly), Internet Explorer was not verifying the "Basic Constraints" extension. When this was discovered, Microsoft promptly published a patch.
On a general basis, the "Basic Constraints" extension is properly verified by all existing validators. Internet Explorer was really the worst student in the class on that matter. It is called "basic" for a reason: it is the simplest X.509 extension to handle.
You protect yourself against badly configured CA by ceasing to trust the relevant trust anchors, and sending lawyers to punish such misbehaviour.
Moxie Marlinspike did a lot of SSL research. He presented some of it years ago, among which an overview of browsers ignoring the basic constraints. It seems to have been fixed now in most SSL implementations.
However, http://www.youtube.com/watch?v=ibF36Yyeehw is a very good watch if you want to know more about SSL vulnerabilities :-)
