
Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09

2010-09-23 12:35:05
Marsh and all,

  Thanks for confirming what I have seen far too often in respect to gmail.com.


-----Original Message-----
From: Marsh Ray <marsh(_at_)extendedsubset(_dot_)com>
Sent: Sep 22, 2010 2:37 PM
To: ArkanoiD <ark(_at_)eltex(_dot_)net>
Cc: IETF discussion list <ietf(_at_)ietf(_dot_)org>, 
secdir(_at_)ietf(_dot_)org, Barry Leiba 
<barryleiba(_dot_)mailing(_dot_)lists(_at_)gmail(_dot_)com>, IETF cert-based 
identity <certid(_at_)ietf(_dot_)org>, tls(_at_)ietf(_dot_)org, Jeffrey 
Hutzelman <jhutz(_at_)cmu(_dot_)edu>
Subject: Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09

On 09/22/2010 01:31 PM, ArkanoiD wrote:
BTW, slightly off-topic here: whenever I connect to gmail.com, I get a 
certificate for mail.google.com. But I've yet to see any web browser 
complain! Where is the magic?

Seems totally relevant to me.

Going to https://gmail.com/ I get some kind of redirection to 
https://www.google.com/accounts/ServiceLogin...

I can confirm the silent redirect behavior on FF, an associate reports 
it on IE9. I tried IE8 but get the expected "cert was issued for a 
different website's address" error.

Hopefully I'm overlooking something simple, but at first glance it would 
seem like one of these two conditions is true:

1. Multiple vendors are putting some kind of override table in their 
browsers with an entry for gmail.com.

2. Browsers are running script from badly authenticated sources.

So what does gmail.com have in this situation that an attacker couldn't 
obtain for phonygmail.com?

- Marsh


marsh(_at_)lamb:/tmp$ dig -t any gmail.com

; <<>> DiG 9.7.0-P1 <<>> -t any gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44091
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;gmail.com.                    IN      ANY

;; ANSWER SECTION:
gmail.com.             300     IN      A       74.125.227.22
gmail.com.             300     IN      A       74.125.227.21
gmail.com.             300     IN      A       74.125.227.24
gmail.com.             300     IN      A       74.125.227.23
gmail.com.             86400   IN      NS      ns4.google.com.
gmail.com.             86400   IN      NS      ns1.google.com.
gmail.com.             86400   IN      SOA     ns1.google.com. dns-admin.google.com. 1427981 21600 3600 1209600 300
gmail.com.             3600    IN      MX      40 alt4.gmail-smtp-in.l.google.com.
gmail.com.             3600    IN      MX      5 gmail-smtp-in.l.google.com.
gmail.com.             3600    IN      MX      20 alt2.gmail-smtp-in.l.google.com.
gmail.com.             300     IN      TXT     "v=spf1 redirect=_spf.google.com"

;; ADDITIONAL SECTION:
ns4.google.com.                85092   IN      A       216.239.38.10
ns1.google.com.                85092   IN      A       216.239.32.10

;; Query time: 54 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Wed Sep 22 14:26:29 2010
;; MSG SIZE  rcvd: 330



marsh(_at_)lamb:/tmp$ openssl s_client -connect gmail.com:443
...
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
...
---
GET / HTTP/1.0

HTTP/1.0 200 OK
Date: Wed, 22 Sep 2010 19:31:43 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=8614650b9dda6802:TM=1285183903:LM=1285183903:S=B88jR4IHVEMJ7oJ7; expires=Fri, 21-Sep-2012 19:31:43 GMT; path=/; domain=.google.com
Set-Cookie: NID=39=nR1SfxSCd9I9frwdHUXGHtOKWCI2yKMLaVWVnRZk50jDJv4InnuJPuhruGHy2j8hWeKdBfO18SCZzEm6N0qMW_flPF6tF6i-CvhRU1DrDDYvExygPnpew69GRLaWZeI0; expires=Thu, 24-Mar-2011 19:31:43 GMT; path=/; domain=.google.com; HttpOnly
Server: gws
X-XSS-Protection: 1; mode=block


_______________________________________________
TLS mailing list
TLS(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/tls

Regards,
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 300k members/stakeholders and growing, 
strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail 
jwkckid1(_at_)ix(_dot_)netcom(_dot_)com
Phone: 214-244-4827

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
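Added example, not code from the thread, from any browser vendor, or from the draft itself: a reference-identity check in the style of draft-saintandre-tls-server-id-check (the wildcard rules of section 6.4.3 and the DNS-ID-before-CN order of section 6.4.4), showing why a certificate naming only mail.google.com should not be accepted for gmail.com. The certificate summaries are constructed for illustration, and the refusal of two-label wildcards such as "*.com" is a conservative choice of this example, stricter than the draft requires.

```python
import re

# Hostname label syntax (letters, digits, hyphen); used to validate the reference identity.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")

def _is_hostname(name):
    return all(_LABEL.match(lbl) for lbl in name.split("."))

def dns_id_matches(presented, reference):
    """Match one DNS-ID from a certificate against the reference identity
    (the name the client intended to reach), following the wildcard rules of
    draft-saintandre-tls-server-id-check section 6.4.3 (later RFC 6125)."""
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if not _is_hostname(reference):
        return False
    if "*" not in presented:
        return presented == reference
    p_labels, r_labels = presented.split("."), reference.split(".")
    # The wildcard must be the entire left-most label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Conservative choice of this example (stricter than the draft): refuse "*.com".
    if len(p_labels) < 3:
        return False
    # A wildcard never matches an IDNA A-label such as "xn--...".
    if r_labels[0].startswith("xn--"):
        return False
    # The wildcard matches exactly one label, so the label counts must be equal.
    return len(p_labels) == len(r_labels) and p_labels[1:] == r_labels[1:]

def server_identity_ok(cert, reference):
    """Section 6.4.4 order: dNSName SANs are the DNS-IDs; the CN is consulted
    only when the certificate carries no dNSName at all."""
    ids = cert.get("dns_names") or ([cert["cn"]] if cert.get("cn") else [])
    return any(dns_id_matches(p, reference) for p in ids)

# Constructed certificate summaries (not the real chain seen in the thread): the
# first mirrors the observation above, a CN of mail.google.com and no SAN.
OBSERVED = {"cn": "mail.google.com", "dns_names": []}
WILDCARD = {"cn": "*.google.com", "dns_names": ["*.google.com", "google.com"]}

if __name__ == "__main__":
    for cert, ref in [(OBSERVED, "gmail.com"), (OBSERVED, "mail.google.com"),
                      (WILDCARD, "www.google.com"), (WILDCARD, "gmail.com")]:
        print(f"{ref:16} vs {cert['cn']:16} -> {server_identity_ok(cert, ref)}")
```

A client that applies this check rejects the gmail.com connection before any redirect to www.google.com can be followed, which is the behaviour Marsh expected to see.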
