Peer-trusted certs can use alt names to spoof — Mozilla
Mozilla developer John G. Myers reported a weakness in the trust model Mozilla uses for alternate names on self-signed certificates and on certificates with mismatched names. Such a certificate, if accepted, could be used to spoof a secure connection to any other site. This problem was independently reported by...
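The weakness described above, as an added example that is not Mozilla's code: a trust check that honours every alternate name on an accepted certificate, beside one that scopes the acceptance to the host where it was granted. The `Cert` model, function names, fingerprints and hostnames are constructed for illustration, and the host-scoped exception is an assumed mitigation, not the fix this page describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    fingerprint: str          # constructed placeholder, not a real hash
    subject_alt_names: tuple  # DNS names listed in the certificate
    ca_validated: bool        # True only if it chains to a trusted CA

def name_matches(pattern: str, host: str) -> bool:
    """'*' may stand in only for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def cert_names_host(cert: Cert, host: str) -> bool:
    return any(name_matches(n, host) for n in cert.subject_alt_names)

def weak_trust(cert: Cert, host: str, accepted_fingerprints: set) -> bool:
    """Flawed model: once the certificate is accepted, every name in it is trusted."""
    if cert.ca_validated or cert.fingerprint in accepted_fingerprints:
        return cert_names_host(cert, host)
    return False

def scoped_trust(cert: Cert, host: str, exceptions: set) -> bool:
    """Scoped model: an acceptance counts only for the host it was granted on."""
    if cert.ca_validated:
        return cert_names_host(cert, host)
    # Alternate names are ignored for peer-trusted certificates.
    return (host.lower(), cert.fingerprint) in exceptions

# Constructed sample: a self-signed certificate accepted while visiting
# intranet.example.test that also lists an unrelated name and a wildcard.
SELF_SIGNED = Cert(
    fingerprint="FP-PLACEHOLDER-01",
    subject_alt_names=("intranet.example.test", "other.example.test", "*.example.org"),
    ca_validated=False,
)
ACCEPTED = {"FP-PLACEHOLDER-01"}                               # weak: keyed by cert only
EXCEPTIONS = {("intranet.example.test", "FP-PLACEHOLDER-01")}  # scoped: keyed by host + cert

if __name__ == "__main__":
    for host in ("intranet.example.test", "other.example.test", "www.example.org"):
        print(host,
              "weak:", weak_trust(SELF_SIGNED, host, ACCEPTED),
              "scoped:", scoped_trust(SELF_SIGNED, host, EXCEPTIONS))
```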