Marsh and all,

Thanks for confirming what I have seen far too often in respect to gmail.com.

-----Original Message-----
>From: Marsh Ray <marsh@xxxxxxxxxxxxxxxxxx>
>Sent: Sep 22, 2010 2:37 PM
>To: ArkanoiD <ark@xxxxxxxxx>
>Cc: IETF discussion list <ietf@xxxxxxxx>, secdir@xxxxxxxx, Barry Leiba <barryleiba.mailing.lists@xxxxxxxxx>, IETF cert-based identity <certid@xxxxxxxx>, tls@xxxxxxxx, Jeffrey Hutzelman <jhutz@xxxxxxx>
>Subject: Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09
>
>On 09/22/2010 01:31 PM, ArkanoiD wrote:
>> BTW, slightly offtopic here: whenever I connect to gmail.com, I get a certificate
>> for mail.google.com. But I've yet to see any web browser complain! Where is the magic?
>
>Seems totally relevant to me.
>
>Going to https://gmail.com/ I get some kind of redirection to
>https://www.google.com/accounts/ServiceLogin...
>
>I can confirm the silent redirect behavior on FF, an associate reports
>it on IE9. I tried IE8 but get the expected "cert was issued for a
>different website's address" error.
>
>Hopefully I'm overlooking something simple, but at first glance it would
>seem like either of these two conditions is true:
>
>1. Multiple vendors are putting some kind of override table in their
>browsers with an entry for gmail.com.
>
>2. Browsers are running script from badly authenticated sources.
>
>So what does gmail.com have in this situation that an attacker couldn't
>obtain for phonygmail.com?
>
>- Marsh
>
>
>marsh@lamb:/tmp$ dig -t any gmail.com
>
>; <<>> DiG 9.7.0-P1 <<>> -t any gmail.com
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44091
>;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 2
>
>;; QUESTION SECTION:
>;gmail.com. IN ANY
>
>;; ANSWER SECTION:
>gmail.com. 300 IN A 74.125.227.22
>gmail.com. 300 IN A 74.125.227.21
>gmail.com. 300 IN A 74.125.227.24
>gmail.com. 300 IN A 74.125.227.23
>gmail.com. 86400 IN NS ns4.google.com.
>gmail.com. 86400 IN NS ns1.google.com.
>gmail.com. 86400 IN SOA ns1.google.com. dns-admin.google.com. 1427981
>21600 3600 1209600 300
>gmail.com. 3600 IN MX 40 alt4.gmail-smtp-in.l.google.com.
>gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
>gmail.com. 3600 IN MX 20 alt2.gmail-smtp-in.l.google.com.
>gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com"
>
>;; ADDITIONAL SECTION:
>ns4.google.com. 85092 IN A 216.239.38.10
>ns1.google.com. 85092 IN A 216.239.32.10
>
>;; Query time: 54 msec
>;; SERVER: 192.168.1.3#53(192.168.1.3)
>;; WHEN: Wed Sep 22 14:26:29 2010
>;; MSG SIZE rcvd: 330
>
>
>
>marsh@lamb:/tmp$ openssl s_client -connect gmail.com:443
>...
>subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
>issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>...
>---
>GET / HTTP/1.0
>
>HTTP/1.0 200 OK
>Date: Wed, 22 Sep 2010 19:31:43 GMT
>Expires: -1
>Cache-Control: private, max-age=0
>Content-Type: text/html; charset=ISO-8859-1
>Set-Cookie:
>PREF=ID=8614650b9dda6802:TM=1285183903:LM=1285183903:S=B88jR4IHVEMJ7oJ7;
>expires=Fri, 21-Sep-2012 19:31:43 GMT; path=/; domain=.google.com
>Set-Cookie:
>NID=39=nR1SfxSCd9I9frwdHUXGHtOKWCI2yKMLaVWVnRZk50jDJv4InnuJPuhruGHy2j8hWeKdBfO18SCZzEm6N0qMW_flPF6tF6i-CvhRU1DrDDYvExygPnpew69GRLaWZeI0;
>expires=Thu, 24-Mar-2011 19:31:43 GMT; path=/; domain=.google.com; HttpOnly
>Server: gws
>X-XSS-Protection: 1; mode=block
>
><!doctype html><html><head><meta http-equiv="content-type"
>content="text/html;
>charset=ISO-8859-1"><title>Google</title><script>window.google={kEI:"n1maTNKCA5O8zAXDpJFW",kEXPI:"24956,26758",kCSI:{e:"24956,26758",ei:"n1maTNKCA5O8zAXDpJFW",expi:"24956,26758"},ml:function(){},kHL:"en",time:function(){return(new
>Date).getTime()},log:function(b,d,c){var a=new
>Image,e=google,g=e.lc,f=e.li;a.onerror=(a.onload=(a.onabort=function(){delete
>g[f]}));g[f]=a;c=c||"/gen_204?atyp=i&ct="+b+"&cad="+d+"&zx="+google.time();a.src=c;e.li=f+1},lc:[],li:0,Toolbelt:{}};
>window.google.sn="webhp";window.google.timers={load:{t:{start:(new
>Date).getTime()}}};try{}catch(u){}window.google.jsrt_kill=1;
>var _gjwl=location;function _gjuc(){var
>e=_gjwl.href.indexOf("#");if(e>=0){var
>a=_gjwl.href.substring(e);if(a.indexOf("&q=")>0||a.indexOf("#q=")>=0){a=a.substring(1);if(a.indexOf("#")==-1){for(var
>c=0;c<a.length;){var d=c;if(a.charAt(d)=="&")++d;var
>b=a.indexOf("&",d);if(b==-1)b=a.length;var
>f=a.substring(d,b);if(f.indexOf("fp=")==0){a=a.substring(0,c)+a.substring(b,a.length);b=c}else
>if(f=="cad=h")return 0;c=b}_gjwl.href="/search?"+a+"&cad=h";return
>1}}}return 0}function _gjp(){!(window._gjwl.hash&&
>window._gjuc())&&setTimeout(_gjp,500)};
>window._gjp && _gjp()</script><style
>id=gstyle>body{margin:0}#gog{padding:3px 8px
>0}td{line-height:.8em}.gac_m
>td{line-height:17px}form{margin-bottom:20px}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c;font-size:20px}.q{color:#00c}.ts
>td{padding:0}.ts{border-collapse:collapse}em{font-weight:bold;font-style:normal}.lst{width:496px}.tiah{width:458px}input{font-family:inherit}a.gb1,a.gb2,a.gb3,a.gb4{color:#11c
>!important}#gog{background:#fff}#gbar,#guser{font-size:13px;padding-top:1px
>!important}#gbar{float:left;height:22px}#guser{padding-bottom:7px
>!important;text-align:right}.gbh,.gbd{border-top:1px solid
>#c9d7f1;font-size:1px}.gbh{height:0;position:absolute;top:24px;width:100%}#gbs,.gbm{background:#fff;left:0;position:absolute;text-align:left;visibility:hidden;z-index:1000}.gbm{border:1px
>solid;border-color:#c9d7f1 #36c #36c
>#a2bae7;z-index:1001}.gb1{margin-right:.5em}.gb1,.gb3{zoom:1}.gb2{display:block;padding:.2em
>.5em}.gb2,.gb3{text-decoration:none;border-bottom:none}a.gb1,a.gb2,a.gb3,a.gb4{color:#00c
>!important}a.gb2:hover{background:#36c;color:#fff
>!important}#gbar{display: none}#gbe{display:
>none}body{background:#fff;color:black}input{-moz-box-sizing:content-box}a{color:#11c;text-decoration:none}a:hover,a:active{text-decoration:underline}.fl
>a{color:#4272db}a:visited{color:#551a8b}a.gb1,a.gb4{text-decoration:underline}a.gb3:hover{text-decoration:none}#ghead
>a.gb2:hover{color:#fff!important}.ds{display:-moz-inline-box}.ds{border-bottom:solid
>1px #e7e7e7;border-right:solid 1px
>#e7e7e7;display:inline-block;margin:3px 0
>4px;margin-left:4px}.sblc{padding-top:5px}.sblc
>a{display:block;margin:2px
>0;margin-left:13px;font-size:11px;}.lsbb{background:#eee;border:solid
>1px;border-color:#ccc #999 #999
>#ccc;height:30px;display:block}.lsb{background:url(/images/srpr/nav_logo14.png)
>bottom;font:15px
>arial,sans-serif;border:none;color:#000;cursor:pointer;height:30px;margin:0;outline:0;vertical-align:top}.lsb:active{background:#ccc}.lst:focus{outline:none}.ftl,#fll
>a{margin:0 12px}#addlang a{padding:0 3px}.gac_v div{display:none}.gac_v
>.gac_v2,.gac_bt{display:block!important}</style><script>google.y={};google.x=function(e,g){google.y[e.id]=[e,g];return
>false};window.gbar={qs:function(){},tg:function(e){var
>o={id:'gbar'};for(i in
>e)o[i]=e[i];google.x(o,function(){gbar.tg(o)})}};</script></head><body
>bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000
>onload="document.f.q.focus();if(document.images)new
>Image().src='/images/srpr/nav_logo14.png'"
><textarea id=csi
>style=display:none></textarea><iframe name=wgjf
>style=display:none></iframe><div id=ghead><div id=gog><div id=guser
>width=100%><nobr><span id=gbn class=gbi></span><span id=gbf
>class=gbf></span><span id=gbe><a
>href="/url?sa=p&pref=ig&pval=3&q=http://www.google.com/ig%3Fhl%3Den%26source%3Diglk&usg=AFQjCNFA18XPfgb7dKnXfKz7x7g1GDH1tg"
>class=gb4>iGoogle</a> | </span><a href="/preferences?hl=en"
>class=gb4>Search settings</a> | <a
>href="https://www.google.com/accounts/Login?hl=en&continue=https://www.google.com/"
>class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></div><div
>class=gbh style=right:0></div></div></div> <center><br clear=all
>id=lgpd><div id=lga><img src="images/logos/ssl_logo_lg.gif" width=276
>height=110 border=0><br></div><font size=-1>Go to <a
>href="http://www.google.com/">classic Google</a>.</font><form
>action="/search" name=f><table cell
>
>_______________________________________________
>TLS mailing list
>TLS@xxxxxxxx
>https://www.ietf.org/mailman/listinfo/tls

Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 300k members/stakeholders and growing, strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
Phone: 214-244-4827

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
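The quoted exchange turns on how a client is supposed to decide whether a certificate presented for mail.google.com is acceptable for a connection to gmail.com. Two points are worth making explicit for anyone reproducing Marsh's experiment: the `subject=` summary printed by `openssl s_client` shows only the Subject DN (hence only the CN), not the subjectAltName extension, and the draft under review (later RFC 6125) matches the reference identifier against dNSName SANs first, consulting the CN only when the certificate carries no dNSName SAN at all. The following is an added example, written for this page and not code from any participant in the thread; it implements that matching over the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The certificate contents are constructed: the SAN list shown for the "with SAN" case is hypothetical and is not a claim about what the 2010 gmail.com certificate actually contained.

```python
"""Server identity check in the style of draft-saintandre-tls-server-id-check
(published as RFC 6125): match the reference identifier the client meant to
reach against the identifiers the server's certificate actually presents.

Added example for the thread above, not code from any participant. The
certificates below are constructed in the dict shape that Python's
ssl.SSLSocket.getpeercert() returns; their subjectAltName contents are
hypothetical and are NOT the real SAN list of the 2010 gmail.com certificate.
"""

from typing import List, Tuple

# Constructed: what `openssl s_client` showed in the thread, if the
# certificate carried no subjectAltName at all (CN-ID only).
CN_ONLY_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Google Inc"),),
        (("commonName", "mail.google.com"),),
    ),
}

# Constructed/hypothetical: the same CN plus DNS-IDs in subjectAltName,
# which `openssl s_client`'s one-line subject summary would not have shown.
SAN_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "subjectAltName": (("DNS", "mail.google.com"), ("DNS", "gmail.com")),
}

# Constructed: a wildcard DNS-ID.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "subjectAltName": (("DNS", "*.google.com"),),
}


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one presented DNS-ID with a reference identifier.

    Rules (RFC 6125 section 6.4.3): compare label by label, case-insensitively;
    a wildcard is accepted only as the entire left-most label, matches
    exactly one label, and needs at least two labels to its right.
    """
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r) or "" in p or "" in r:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == r[1:]
    if "*" in presented:
        return False  # partial wildcards such as f*.example.com are rejected
    return p == r


def presented_identifiers(cert: dict) -> Tuple[List[str], str]:
    """Return the identifiers a client may match against, and their kind.

    DNS-IDs come from subjectAltName; the CN-ID is consulted only when the
    certificate has no dNSName SAN at all (RFC 6125 section 6.4.4).
    """
    dns_ids = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_ids:
        return dns_ids, "DNS-ID"
    cn_ids = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cn_ids, "CN-ID"


def verify_server_identity(cert: dict, reference: str) -> Tuple[bool, str]:
    """Decide whether `cert` is acceptable for a connection to `reference`."""
    ids, kind = presented_identifiers(cert)
    for pid in ids:
        if dns_id_matches(pid, reference):
            return True, f"{kind} {pid!r} matches {reference!r}"
    return False, f"no {kind} among {ids!r} matches {reference!r}"


if __name__ == "__main__":
    cases = (("CN only", CN_ONLY_CERT), ("with SAN", SAN_CERT), ("wildcard", WILDCARD_CERT))
    for name, cert in cases:
        for host in ("gmail.com", "mail.google.com", "a.b.google.com"):
            ok, why = verify_server_identity(cert, host)
            print(f"{name:9} {host:16} {'OK  ' if ok else 'FAIL'} {why}")
```

Run against a live peer, `verify_server_identity(sock.getpeercert(), "gmail.com")` gives the answer a conforming client must reach: with only `CN=mail.google.com` presented, a connection to gmail.com fails the check, so a browser that accepts it silently is either relying on an identifier that `s_client`'s summary did not print or is not performing the check the draft describes.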