|
Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09
2010-09-23 13:13:05
There is no black magic here, only the magic of the TLS server_name
extension. If the client provides server_name=gmail.com, the server
provides a gmail.com cert, otherwise it defaults to mail.google.com.
Your browser is following two secure delegations before it lands at www.google.com
(gmail.com -> mail.google.com -> www.google.com). My guess based on
the anecdotes in the thread is that IE8 doesn't support it.
(You should also be more careful about your HTTP emulation! "A client
MUST include a Host header field in all HTTP/1.1 request messages .")
In full detail:
rbarnes$ openssl s_client -connect gmail.com:443 -servername gmail.com
[...]
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
[...]
GET / HTTP/1.1
Host: gmail.com
HTTP/1.1 301 Moved Permanently
Location: https://mail.google.com/mail/
[...]
rbarnes$ openssl s_client -connect mail.google.com:443 -servername
mail.google.com
[...]
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/
CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
[...]
GET /mail/ HTTP/1.1
Host: mail.google.com
HTTP/1.1 302 Moved Temporarily
Location:
https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&ss=1&scc=1<mpl=default<mplcache=2
[...]
rbarnes$ openssl s_client -connect www.google.com:443 -servername www.google.com
[...]
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
[...]
GET /accounts/ServiceLogin?
service=mail&passive=true&rm=false&continue=https%3A%2F
%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy
%3Dl&bsv=1eic6yu9oa4y3&ss=1&scc=1<mpl=default<mplcache=2 HTTP/1.1
Host: www.google.com
HTTP/1.1 200 OK
[...]
On Sep 22, 2010, at 3:37 PM, Marsh Ray wrote:
On 09/22/2010 01:31 PM, ArkanoiD wrote:
BTW, slightly offtopic here: whenever i connect to gmail.com, i get
certificate
for mail.google.com. But i've yet to see any web browser to
complain! Where is the magic?
Seems totally relevant to me.
Going to https://gmail.com/ I get some kind of redirection to https://www.google.com/accounts/ServiceLogin
...
I can confirm the silent redirect behavior on FF, an associate
reports it on IE9. I tried IE8 but get the expected "cert was issued
for a different website's address" error.
Hopefully I'm overlooking something simple, but at first glance it
would seem like either of these two conditions are true:
1. Multiple vendors are putting some kind of override table in their
browsers with an entry for gmail.com.
2. Browsers are running script from badly authenticated sources.
So what does gmail.com have in this situation that an attacker
couldn't obtain for phonygmail.com?
- Marsh
marsh(_at_)lamb:/tmp$ dig -t any gmail.com
; <<>> DiG 9.7.0-P1 <<>> -t any gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44091
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;gmail.com. IN ANY
;; ANSWER SECTION:
gmail.com. 300 IN A 74.125.227.22
gmail.com. 300 IN A 74.125.227.21
gmail.com. 300 IN A 74.125.227.24
gmail.com. 300 IN A 74.125.227.23
gmail.com. 86400 IN NS ns4.google.com.
gmail.com. 86400 IN NS ns1.google.com.
gmail.com. 86400 IN SOA ns1.google.com. dns-admin.google.com.
1427981 21600 3600 1209600 300
gmail.com. 3600 IN MX 40
alt4.gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 20
alt2.gmail-smtp-in.l.google.com.
gmail.com. 300 IN TXT "v=spf1
redirect=_spf.google.com"
;; ADDITIONAL SECTION:
ns4.google.com. 85092 IN A 216.239.38.10
ns1.google.com. 85092 IN A 216.239.32.10
;; Query time: 54 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Wed Sep 22 14:26:29 2010
;; MSG SIZE rcvd: 330
marsh(_at_)lamb:/tmp$ openssl s_client -connect gmail.com:443
...
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/
CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
...
---
GET / HTTP/1.0
HTTP/1.0 200 OK
Date: Wed, 22 Sep 2010 19:31:43 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie:
PREF
=ID=8614650b9dda6802:TM=1285183903:LM=1285183903:S=B88jR4IHVEMJ7oJ7;
expires=Fri, 21-Sep-2012 19:31:43 GMT; path=/; domain=.google.com
Set-Cookie:
NID
=
39
=
nR1SfxSCd9I9frwdHUXGHtOKWCI2yKMLaVWVnRZk50jDJv4InnuJPuhruGHy2j8hWeKdBfO18SCZzEm6N0qMW_flPF6tF6i
-CvhRU1DrDDYvExygPnpew69GRLaWZeI0; expires=Thu, 24-Mar-2011 19:31:43
GMT; path=/; domain=.google.com; HttpOnly
Server: gws
X-XSS-Protection: 1; mode=block
<!doctype html><html><head><meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"><title>Google</
title
>
<
script
>window.google={kEI:"n1maTNKCA5O8zAXDpJFW",kEXPI:"24956,26758",kCSI:
{e
:"24956,26758
",ei:"n1maTNKCA5O8zAXDpJFW",expi:"24956,26758"},ml:function()
{},kHL:"en",time:function(){return(new
Date).getTime()},log:function(b,d,c){var a=new
Image
,e=google,g=e.lc,f=e.li;a.onerror=(a.onload=(a.onabort=function()
{delete g[f]}));g[f]=a;c=c||"/gen_204?atyp=i&ct="+b+"&cad="+d
+"&zx="+google.time();a.src=c;e.li=f+1},lc:[],li:0,Toolbelt:{}};
window.google.sn="webhp";window.google.timers={load:{t:{start:(new
Date).getTime()}}};try{}catch(u){}window.google.jsrt_kill=1;
var _gjwl=location;function _gjuc(){var
e=_gjwl.href.indexOf("#");if(e>=0){var
a=_gjwl.href.substring(e);if(a.indexOf("&q=")>0||a.indexOf("#q=")>=0)
{a=a.substring(1);if(a.indexOf("#")==-1){for(var c=0;c<a.length;)
{var d=c;if(a.charAt(d)=="&")++d;var
b=a.indexOf("&",d);if(b==-1)b=a.length;var
f=a.substring(d,b);if(f.indexOf("fp=")==0){a=a.substring(0,c)
+a.substring(b,a.length);b=c}else if(f=="cad=h")return
0;c=b}_gjwl.href="/search?"+a+"&cad=h";return 1}}}return 0}function
_gjp(){!(window._gjwl.hash&&
window._gjuc())&&setTimeout(_gjp,500)};
window._gjp && _gjp()</script><style id=gstyle>body{margin:
0}#gog{padding:3px 8px 0}td{line-height:.8em}.gac_m td{line-height:
17px}form{margin-bottom:20px}body,td,a,p,.h{font-family:arial,sans-
serif}.h{color:#36c;font-size:20px}.q{color:#00c}.ts td{padding:
0}.ts{border-collapse:collapse}em{font-weight:bold;font-
style:normal}.lst{width:496px}.tiah{width:458px}input{font-
family:inherit}a.gb1,a.gb2,a.gb3,a.gb4{color:#11c !
important}#gog{background:#fff}#gbar,#guser{font-size:13px;padding-
top:1px !important}#gbar{float:left;height:22px}#guser{padding-
bottom:7px !important;text-align:right}.gbh,.gbd{border-top:1px
solid #c9d7f1;font-size:1px}.gbh{height:0;position:absolute;top:
24px;width:100%}#gbs,.gbm{background:#fff;left:
0;position:absolute;text-align:left;visibility:hidden;z-index:
1000}.gbm{border:1px solid;border-color:#c9d7f1 #36c #36c #a2bae7;z-
index:1001}.gb1{margin-right:.5em}.gb1,.gb3{zoom:
1}.gb2{display:block;padding:.2em .5em}.gb2,.gb3{text-
decoration:none;border-
bottom:none}a.gb1,a.gb2,a.gb3,a.gb4{color:#00c !
important}a.gb2:hover{background:#36c;color:#fff !
important}#gbar{display: none}#gbe{display:
none}body{background:#fff;color:black}input{-moz-box-sizing:content-
box}a{color:#11c;text-decoration:none}a:hover,a:active{text-
decoration:underline}.fl
a{color:#4272db}a:visited{color:#551a8b}a.gb1,a.gb4{text-
decoration:underline}a.gb3:hover{text-decoration:none}#ghead
a.gb2:hover{color:#fff!important}.ds{display:-moz-inline-
box}.ds{border-bottom:solid 1px #e7e7e7;border-right:solid 1px
#e7e7e7;display:inline-block;margin:3px 0 4px;margin-left:
4px}.sblc{padding-top:5px}.sblc a{display:block;margin:2px 0;margin-
left:13px;font-size:11px;}.lsbb{background:#eee;border:solid
1px;border-color:#ccc #999 #999 #ccc;height:
30px;display:block}.lsb{background:url(/images/srpr/nav_logo14.png)
bottom;font:15px arial,sans-
serif;border:none;color:#000;cursor:pointer;height:30px;margin:
0;outline:0;vertical-
align:top
}.lsb:active{background:#ccc}.lst:focus{outline:none}.ftl,#fll
a{margin:0 12px}#addlang a{padding:0 3px}.gac_v
div{display:none}.gac_v .gac_v2,.gac_bt{display:block!important}</
style><script>google.y={};google.x=function(e,g)
{google.y[e.id]=[e,g];return false};window.gbar={qs:function()
{},tg:function(e){var o={id:'gbar'};for(i in
e)o[i]=e[i];google.x(o,function(){gbar.tg(o)})}};</script></
head><body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b
alink=#ff0000 onload="document.f.q.focus();if(document.images)new
Image().src='/images/srpr/nav_logo14.png'" ><textarea id=csi
style=display:none></textarea><iframe name=wgjf style=display:none></
iframe><div id=ghead><div id=gog><div id=guser
width=100%><nobr><span id=gbn class=gbi></span><span id=gbf
class=gbf></span><span id=gbe><a href="/url?sa=p&pref=ig&pval=3&q=http://www.google.com/ig%3Fhl%3Den%26source%3Diglk&usg=AFQjCNFA18XPfgb7dKnXfKz7x7g1GDH1tg
" class=gb4>iGoogle</a> | </span><a href="/preferences?hl=en"
class=gb4>Search settings</a> | <a href="https://www.google.com/accounts/Login?hl=en&continue=https://www.google.com/
" class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></
div><div class=gbh style=right:0></div></div></div> <center><br
clear=all id=lgpd><div id=lga><img src="images/logos/
ssl_logo_lg.gif" width=276 height=110 border=0><br></div><font
size=-1>Go to <a href="http://www.google.com/";>classic Google</a>.</
font><form action="/search" name=f><table cell
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
|
|