There is no black magic here, only the magic of the TLS server_name
extension. If the client provides server_name=gmail.com, the server
provides a gmail.com cert, otherwise it defaults to mail.google.com.
Your browser is following two secure delegations before it lands at www.google.com
(gmail.com -> mail.google.com -> www.google.com). My guess based on
the anecdotes in the thread is that IE8 doesn't support it.
(You should also be more careful about your HTTP emulation! "A client
MUST include a Host header field in all HTTP/1.1 request messages.")
In full detail:
rbarnes$ openssl s_client -connect gmail.com:443 -servername gmail.com
[...]
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
[...]
GET / HTTP/1.1
Host: gmail.com
HTTP/1.1 301 Moved Permanently
Location: https://mail.google.com/mail/
[...]
rbarnes$ openssl s_client -connect mail.google.com:443 -servername mail.google.com
[...]
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
[...]
GET /mail/ HTTP/1.1
Host: mail.google.com
HTTP/1.1 302 Moved Temporarily
Location: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&ss=1&scc=1&ltmpl=default&ltmplcache=2
[...]
rbarnes$ openssl s_client -connect www.google.com:443 -servername www.google.com
[...]
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
[...]
GET /accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&ss=1&scc=1&ltmpl=default&ltmplcache=2 HTTP/1.1
Host: www.google.com
HTTP/1.1 200 OK
[...]
On Sep 22, 2010, at 3:37 PM, Marsh Ray wrote:
On 09/22/2010 01:31 PM, ArkanoiD wrote:
BTW, slightly off-topic here: whenever I connect to gmail.com, I get a
certificate for mail.google.com. But I've yet to see any web browser
complain! Where is the magic?
Seems totally relevant to me.
Going to https://gmail.com/ I get some kind of redirection to https://www.google.com/accounts/ServiceLogin
...
I can confirm the silent redirect behavior on FF, an associate
reports it on IE9. I tried IE8 but get the expected "cert was issued
for a different website's address" error.
Hopefully I'm overlooking something simple, but at first glance it
would seem like either of these two conditions is true:
1. Multiple vendors are putting some kind of override table in their
browsers with an entry for gmail.com.
2. Browsers are running script from badly authenticated sources.
So what does gmail.com have in this situation that an attacker
couldn't obtain for phonygmail.com?
- Marsh
marsh@lamb:/tmp$ dig -t any gmail.com
; <<>> DiG 9.7.0-P1 <<>> -t any gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44091
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;gmail.com. IN ANY
;; ANSWER SECTION:
gmail.com. 300 IN A 74.125.227.22
gmail.com. 300 IN A 74.125.227.21
gmail.com. 300 IN A 74.125.227.24
gmail.com. 300 IN A 74.125.227.23
gmail.com. 86400 IN NS ns4.google.com.
gmail.com. 86400 IN NS ns1.google.com.
gmail.com. 86400 IN SOA ns1.google.com. dns-admin.google.com. 1427981 21600 3600 1209600 300
gmail.com. 3600 IN MX 40 alt4.gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com"
;; ADDITIONAL SECTION:
ns4.google.com. 85092 IN A 216.239.38.10
ns1.google.com. 85092 IN A 216.239.32.10
;; Query time: 54 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Wed Sep 22 14:26:29 2010
;; MSG SIZE rcvd: 330
marsh@lamb:/tmp$ openssl s_client -connect gmail.com:443
...
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
...
---
GET / HTTP/1.0
HTTP/1.0 200 OK
Date: Wed, 22 Sep 2010 19:31:43 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=8614650b9dda6802:TM=1285183903:LM=1285183903:S=B88jR4IHVEMJ7oJ7; expires=Fri, 21-Sep-2012 19:31:43 GMT; path=/; domain=.google.com
Set-Cookie: NID=39=nR1SfxSCd9I9frwdHUXGHtOKWCI2yKMLaVWVnRZk50jDJv4InnuJPuhruGHy2j8hWeKdBfO18SCZzEm6N0qMW_flPF6tF6i-CvhRU1DrDDYvExygPnpew69GRLaWZeI0; expires=Thu, 24-Mar-2011 19:31:43 GMT; path=/; domain=.google.com; HttpOnly
Server: gws
X-XSS-Protection: 1; mode=block
<!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"><title>Google</title>
<script>window.google={kEI:"n1maTNKCA5O8zAXDpJFW",kEXPI:"24956,26758",kCSI:{e:"24956,26758",ei:"n1maTNKCA5O8zAXDpJFW",expi:"24956,26758"},ml:function(){},kHL:"en",time:function(){return(new Date).getTime()},log:function(b,d,c){var a=new Image,e=google,g=e.lc,f=e.li;a.onerror=(a.onload=(a.onabort=function(){delete g[f]}));g[f]=a;c=c||"/gen_204?atyp=i&ct="+b+"&cad="+d+"&zx="+google.time();a.src=c;e.li=f+1},lc:[],li:0,Toolbelt:{}};
window.google.sn="webhp";window.google.timers={load:{t:{start:(new Date).getTime()}}};try{}catch(u){}window.google.jsrt_kill=1;
var _gjwl=location;function _gjuc(){var
e=_gjwl.href.indexOf("#");if(e>=0){var
a=_gjwl.href.substring(e);if(a.indexOf("&q=")>0||a.indexOf("#q=")>=0)
{a=a.substring(1);if(a.indexOf("#")==-1){for(var c=0;c<a.length;)
{var d=c;if(a.charAt(d)=="&")++d;var
b=a.indexOf("&",d);if(b==-1)b=a.length;var
f=a.substring(d,b);if(f.indexOf("fp=")==0){a=a.substring(0,c)
+a.substring(b,a.length);b=c}else if(f=="cad=h")return
0;c=b}_gjwl.href="/search?"+a+"&cad=h";return 1}}}return 0}function
_gjp(){!(window._gjwl.hash&&
window._gjuc())&&setTimeout(_gjp,500)};
window._gjp && _gjp()</script><style id=gstyle>body{margin:
0}#gog{padding:3px 8px 0}td{line-height:.8em}.gac_m td{line-height:
17px}form{margin-bottom:20px}body,td,a,p,.h{font-family:arial,sans-
serif}.h{color:#36c;font-size:20px}.q{color:#00c}.ts td{padding:
0}.ts{border-collapse:collapse}em{font-weight:bold;font-
style:normal}.lst{width:496px}.tiah{width:458px}input{font-
family:inherit}a.gb1,a.gb2,a.gb3,a.gb4{color:#11c !
important}#gog{background:#fff}#gbar,#guser{font-size:13px;padding-
top:1px !important}#gbar{float:left;height:22px}#guser{padding-
bottom:7px !important;text-align:right}.gbh,.gbd{border-top:1px
solid #c9d7f1;font-size:1px}.gbh{height:0;position:absolute;top:
24px;width:100%}#gbs,.gbm{background:#fff;left:
0;position:absolute;text-align:left;visibility:hidden;z-index:
1000}.gbm{border:1px solid;border-color:#c9d7f1 #36c #36c #a2bae7;z-
index:1001}.gb1{margin-right:.5em}.gb1,.gb3{zoom:
1}.gb2{display:block;padding:.2em .5em}.gb2,.gb3{text-
decoration:none;border-
bottom:none}a.gb1,a.gb2,a.gb3,a.gb4{color:#00c !
important}a.gb2:hover{background:#36c;color:#fff !
important}#gbar{display: none}#gbe{display:
none}body{background:#fff;color:black}input{-moz-box-sizing:content-
box}a{color:#11c;text-decoration:none}a:hover,a:active{text-
decoration:underline}.fl
a{color:#4272db}a:visited{color:#551a8b}a.gb1,a.gb4{text-
decoration:underline}a.gb3:hover{text-decoration:none}#ghead
a.gb2:hover{color:#fff!important}.ds{display:-moz-inline-
box}.ds{border-bottom:solid 1px #e7e7e7;border-right:solid 1px
#e7e7e7;display:inline-block;margin:3px 0 4px;margin-left:
4px}.sblc{padding-top:5px}.sblc a{display:block;margin:2px 0;margin-
left:13px;font-size:11px;}.lsbb{background:#eee;border:solid
1px;border-color:#ccc #999 #999 #ccc;height:
30px;display:block}.lsb{background:url(/images/srpr/nav_logo14.png)
bottom;font:15px arial,sans-
serif;border:none;color:#000;cursor:pointer;height:30px;margin:
0;outline:0;vertical-
align:top
}.lsb:active{background:#ccc}.lst:focus{outline:none}.ftl,#fll
a{margin:0 12px}#addlang a{padding:0 3px}.gac_v
div{display:none}.gac_v .gac_v2,.gac_bt{display:block!important}</
style><script>google.y={};google.x=function(e,g)
{google.y[e.id]=[e,g];return false};window.gbar={qs:function()
{},tg:function(e){var o={id:'gbar'};for(i in
e)o[i]=e[i];google.x(o,function(){gbar.tg(o)})}};</script></
head><body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b
alink=#ff0000 onload="document.f.q.focus();if(document.images)new
Image().src='/images/srpr/nav_logo14.png'" ><textarea id=csi
style=display:none></textarea><iframe name=wgjf style=display:none></
iframe><div id=ghead><div id=gog><div id=guser
width=100%><nobr><span id=gbn class=gbi></span><span id=gbf
class=gbf></span><span id=gbe><a href="/url?sa=p&pref=ig&pval=3&q=http://www.google.com/ig%3Fhl%3Den%26source%3Diglk&usg=AFQjCNFA18XPfgb7dKnXfKz7x7g1GDH1tg
" class=gb4>iGoogle</a> | </span><a href="/preferences?hl=en"
class=gb4>Search settings</a> | <a href="https://www.google.com/accounts/Login?hl=en&continue=https://www.google.com/
" class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></
div><div class=gbh style=right:0></div></div></div> <center><br
clear=all id=lgpd><div id=lga><img src="images/logos/
ssl_logo_lg.gif" width=276 height=110 border=0><br></div><font
size=-1>Go to <a href="http://www.google.com/">classic Google</a>.</
font><form action="/search" name=f><table cell
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
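The hop chain in Richard's transcripts, modelled as an added example (this is not code from either poster or from Google). Per hop a browser sends server_name, checks the returned certificate's names against the host it asked for, sends an HTTP/1.1 request with the mandatory Host header, and follows Location to the next host on a fresh connection with a fresh name check. The server table is constructed from the s_client output above; it assumes mail.google.com and www.google.com hand back the same certificate with or without SNI, which the thread does not test, and nothing here touches the network.

```python
"""Browser-side view of the gmail.com -> mail.google.com -> www.google.com
chain: one TLS handshake, one certificate name check and one HTTP/1.1
request per hop. Added example; the server table is constructed from the
openssl transcripts in the thread, no network access."""
from urllib.parse import urlsplit

# Constructed from the transcripts: cert names returned per server_name
# (None = client sent no SNI) and the HTTP response for the path each hop
# requests. Assumed: the last two hosts return the same cert either way.
SERVERS = {
    "gmail.com": {
        "certs": {"gmail.com": ["gmail.com"], None: ["mail.google.com"]},
        "responses": {"/": (301, "https://mail.google.com/mail/")},
    },
    "mail.google.com": {
        "certs": {"mail.google.com": ["mail.google.com"], None: ["mail.google.com"]},
        "responses": {"/mail/": (302, "https://www.google.com/accounts/ServiceLogin?service=mail")},
    },
    "www.google.com": {
        "certs": {"www.google.com": ["www.google.com"], None: ["www.google.com"]},
        "responses": {"/accounts/ServiceLogin": (200, None)},
    },
}


def select_cert(server, sni_name):
    """Server side of the server_name extension: the cert whose names cover
    the requested name, else the server's default cert."""
    certs = SERVERS[server]["certs"]
    return certs.get(sni_name, certs[None])


def hostname_matches(hostname, cert_names):
    """RFC 6125-style leaf check: exact match, or a wildcard that is the
    whole leftmost label and covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) \
                and host.count(".") == name.count("."):
            return True
    return False


def build_request(host, path):
    """HTTP/1.1 request line plus the mandatory Host header (RFC 2616 14.23)."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def follow(url, use_sni=True, max_hops=5):
    """Walk the redirect chain like a browser. Returns (hops, final_status);
    raises ValueError at the first cert that does not cover the host we
    connected to, i.e. before any request goes to that host."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        host, path = parts.hostname, parts.path or "/"
        cert_names = select_cert(host, host if use_sni else None)
        hops.append((host, tuple(cert_names)))
        if not hostname_matches(host, cert_names):
            raise ValueError(f"cert for {cert_names} does not match {host}")
        build_request(host, path)  # what goes on the wire after the handshake
        status, location = SERVERS[host]["responses"][path]
        if status in (301, 302) and location:
            url = location  # different host: next iteration reconnects
            continue
        return hops, status
    raise RuntimeError("too many redirects")


def check_chain(url, use_sni=True):
    """(True, (hops, status)) on success, (False, message) on a name mismatch,
    which is the 'issued for a different website's address' case."""
    try:
        return True, follow(url, use_sni)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    print(check_chain("https://gmail.com/"))
    print(check_chain("https://gmail.com/", use_sni=False))
```

With SNI the chain verifies at every hop and ends in a 200 from www.google.com; without SNI the first hop gets the mail.google.com certificate, `hostname_matches` rejects it, and no request is ever sent, which is the IE8 behaviour Marsh describes (Internet Explorer on Windows XP does not send server_name). This also answers the phonygmail.com question: a redirect carries no authority of its own, so an attacker's first hop would still need a certificate that a trusted CA issued for phonygmail.com, and every later hop is re-verified against the host the browser actually connects to.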