|
Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09
2010-09-23 12:34:16
On 09/22/2010 01:31 PM, ArkanoiD wrote:
BTW, slightly offtopic here: whenever i connect to gmail.com, i get certificate
for mail.google.com. But i've yet to see any web browser to complain! Where is
the magic?
Seems totally relevant to me.
Going to https://gmail.com/ I get some kind of redirection to
https://www.google.com/accounts/ServiceLogin...
I can confirm the silent redirect behavior on FF, an associate reports
it on IE9. I tried IE8 but get the expected "cert was issued for a
different website's address" error.
Hopefully I'm overlooking something simple, but at first glance it would
seem like either of these two conditions are true:
1. Multiple vendors are putting some kind of override table in their
browsers with an entry for gmail.com.
2. Browsers are running script from badly authenticated sources.
So what does gmail.com have in this situation that an attacker couldn't
obtain for phonygmail.com?
- Marsh
marsh(_at_)lamb:/tmp$ dig -t any gmail.com
; <<>> DiG 9.7.0-P1 <<>> -t any gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44091
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;gmail.com. IN ANY
;; ANSWER SECTION:
gmail.com. 300 IN A 74.125.227.22
gmail.com. 300 IN A 74.125.227.21
gmail.com. 300 IN A 74.125.227.24
gmail.com. 300 IN A 74.125.227.23
gmail.com. 86400 IN NS ns4.google.com.
gmail.com. 86400 IN NS ns1.google.com.
gmail.com. 86400 IN SOA ns1.google.com. dns-admin.google.com. 1427981
21600 3600 1209600 300
gmail.com. 3600 IN MX 40
alt4.gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 20
alt2.gmail-smtp-in.l.google.com.
gmail.com. 300 IN TXT "v=spf1
redirect=_spf.google.com"
;; ADDITIONAL SECTION:
ns4.google.com. 85092 IN A 216.239.38.10
ns1.google.com. 85092 IN A 216.239.32.10
;; Query time: 54 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Wed Sep 22 14:26:29 2010
;; MSG SIZE rcvd: 330
marsh(_at_)lamb:/tmp$ openssl s_client -connect gmail.com:443
...
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
...
---
GET / HTTP/1.0
HTTP/1.0 200 OK
Date: Wed, 22 Sep 2010 19:31:43 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie:
PREF=ID=8614650b9dda6802:TM=1285183903:LM=1285183903:S=B88jR4IHVEMJ7oJ7;
expires=Fri, 21-Sep-2012 19:31:43 GMT; path=/; domain=.google.com
Set-Cookie:
NID=39=nR1SfxSCd9I9frwdHUXGHtOKWCI2yKMLaVWVnRZk50jDJv4InnuJPuhruGHy2j8hWeKdBfO18SCZzEm6N0qMW_flPF6tF6i-CvhRU1DrDDYvExygPnpew69GRLaWZeI0;
expires=Thu, 24-Mar-2011 19:31:43 GMT; path=/; domain=.google.com; HttpOnly
Server: gws
X-XSS-Protection: 1; mode=block
<!doctype html><html><head><meta http-equiv="content-type"
content="text/html;
charset=ISO-8859-1"><title>Google</title><script>window.google={kEI:"n1maTNKCA5O8zAXDpJFW",kEXPI:"24956,26758",kCSI:{e:"24956,26758",ei:"n1maTNKCA5O8zAXDpJFW",expi:"24956,26758"},ml:function(){},kHL:"en",time:function(){return(new
Date).getTime()},log:function(b,d,c){var a=new
Image,e=google,g=e.lc,f=e.li;a.onerror=(a.onload=(a.onabort=function(){delete
g[f]}));g[f]=a;c=c||"/gen_204?atyp=i&ct="+b+"&cad="+d+"&zx="+google.time();a.src=c;e.li=f+1},lc:[],li:0,Toolbelt:{}};
window.google.sn="webhp";window.google.timers={load:{t:{start:(new
Date).getTime()}}};try{}catch(u){}window.google.jsrt_kill=1;
var _gjwl=location;function _gjuc(){var
e=_gjwl.href.indexOf("#");if(e>=0){var
a=_gjwl.href.substring(e);if(a.indexOf("&q=")>0||a.indexOf("#q=")>=0){a=a.substring(1);if(a.indexOf("#")==-1){for(var
c=0;c<a.length;){var d=c;if(a.charAt(d)=="&")++d;var
b=a.indexOf("&",d);if(b==-1)b=a.length;var
f=a.substring(d,b);if(f.indexOf("fp=")==0){a=a.substring(0,c)+a.substring(b,a.length);b=c}else
if(f=="cad=h")return 0;c=b}_gjwl.href="/search?"+a+"&cad=h";return
1}}}return 0}function _gjp(){!(window._gjwl.hash&&
window._gjuc())&&setTimeout(_gjp,500)};
window._gjp && _gjp()</script><style
id=gstyle>body{margin:0}#gog{padding:3px 8px
0}td{line-height:.8em}.gac_m
td{line-height:17px}form{margin-bottom:20px}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c;font-size:20px}.q{color:#00c}.ts
td{padding:0}.ts{border-collapse:collapse}em{font-weight:bold;font-style:normal}.lst{width:496px}.tiah{width:458px}input{font-family:inherit}a.gb1,a.gb2,a.gb3,a.gb4{color:#11c
!important}#gog{background:#fff}#gbar,#guser{font-size:13px;padding-top:1px
!important}#gbar{float:left;height:22px}#guser{padding-bottom:7px
!important;text-align:right}.gbh,.gbd{border-top:1px solid
#c9d7f1;font-size:1px}.gbh{height:0;position:absolute;top:24px;width:100%}#gbs,.gbm{background:#fff;left:0;position:absolute;text-align:left;visibility:hidden;z-index:1000}.gbm{border:1px
solid;border-color:#c9d7f1 #36c #36c
#a2bae7;z-index:1001}.gb1{margin-right:.5em}.gb1,.gb3{zoom:1}.gb2{display:block;padding:.2em
.5em}.gb2,.gb3{text-decoration:none;border-bottom:none}a.gb1,a.gb2,a.gb3,a.gb4{color:#00c
!important}a.gb2:hover{background:#36c;color:#fff
!important}#gbar{display: none}#gbe{display:
none}body{background:#fff;color:black}input{-moz-box-sizing:content-box}a{color:#11c;text-decoration:none}a:hover,a:active{text-decoration:underline}.fl
a{color:#4272db}a:visited{color:#551a8b}a.gb1,a.gb4{text-decoration:underline}a.gb3:hover{text-decoration:none}#ghead
a.gb2:hover{color:#fff!important}.ds{display:-moz-inline-box}.ds{border-bottom:solid
1px #e7e7e7;border-right:solid 1px
#e7e7e7;display:inline-block;margin:3px 0
4px;margin-left:4px}.sblc{padding-top:5px}.sblc
a{display:block;margin:2px
0;margin-left:13px;font-size:11px;}.lsbb{background:#eee;border:solid
1px;border-color:#ccc #999 #999
#ccc;height:30px;display:block}.lsb{background:url(/images/srpr/nav_logo14.png)
bottom;font:15px
arial,sans-serif;border:none;color:#000;cursor:pointer;height:30px;margin:0;outline:0;vertical-align:top}.lsb:active{background:#ccc}.lst:focus{outline:none}.ftl,#fll
a{margin:0 12px}#addlang a{padding:0 3px}.gac_v div{display:none}.gac_v
.gac_v2,.gac_bt{display:block!important}</style><script>google.y={};google.x=function(e,g){google.y[e.id]=[e,g];return
false};window.gbar={qs:function(){},tg:function(e){var
o={id:'gbar'};for(i in
e)o[i]=e[i];google.x(o,function(){gbar.tg(o)})}};</script></head><body
bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000
onload="document.f.q.focus();if(document.images)new
Image().src='/images/srpr/nav_logo14.png'" ><textarea id=csi
style=display:none></textarea><iframe name=wgjf
style=display:none></iframe><div id=ghead><div id=gog><div id=guser
width=100%><nobr><span id=gbn class=gbi></span><span id=gbf
class=gbf></span><span id=gbe><a
href="/url?sa=p&pref=ig&pval=3&q=http://www.google.com/ig%3Fhl%3Den%26source%3Diglk&usg=AFQjCNFA18XPfgb7dKnXfKz7x7g1GDH1tg";
class=gb4>iGoogle</a> | </span><a href="/preferences?hl=en"
class=gb4>Search settings</a> | <a
href="https://www.google.com/accounts/Login?hl=en&continue=https://www.google.com/";
class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></div><div
class=gbh style=right:0></div></div></div> <center><br clear=all
id=lgpd><div id=lga><img src="images/logos/ssl_logo_lg.gif" width=276
height=110 border=0><br></div><font size=-1>Go to <a
href="http://www.google.com/";>classic Google</a>.</font><form
action="/search" name=f><table cell
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
|
|