Re: [secdir] [TLS] [certid] secdir review of draft-saintandre-tls-server-id-check-09

"Richard L. Barnes" <rbarnes@bbn.com> Thu, 23 September 2010 18:11 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F23113A6A85; Thu, 23 Sep 2010 11:11:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.387
X-Spam-Level:
X-Spam-Status: No, score=-97.387 tagged_above=-999 required=5 tests=[AWL=-4.971, BAYES_05=-1.11, FB_WORD2_END_DOLLAR=3.294, HTTP_ESCAPED_HOST=0.134, J_CHICKENPOX_13=0.6, J_CHICKENPOX_23=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_45=0.6, J_CHICKENPOX_53=0.6, J_CHICKENPOX_73=0.6, SARE_URI_EQUALS=1.666, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A785w47WBaKG; Thu, 23 Sep 2010 11:11:04 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id AA21A3A6943; Thu, 23 Sep 2010 11:11:03 -0700 (PDT)
Received: from [192.1.255.185] (port=58400 helo=col-dhcp-192-1-255-185.bbn.com) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1OyqFt-0009h1-5x; Thu, 23 Sep 2010 14:10:49 -0400
Message-Id: <93037048-4609-40F7-BCC0-D635301E4042@bbn.com>
From: "Richard L. Barnes" <rbarnes@bbn.com>
To: Marsh Ray <marsh@extendedsubset.com>
In-Reply-To: <4C9A5B13.1040802@extendedsubset.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Thu, 23 Sep 2010 14:10:48 -0400
References: <AANLkTin6qXBOEJheaG8+SU=3k63Ed+3qXvoLHF5_hb6x@mail.gmail.com> <4C9A27D0.7030909@stpeter.im> <17472_1285173298_o8MGYvUB005723_AANLkTinAdE0qVxqUEBNe3ZWCry856bresv+x2Ga7Urju@mail.gmail.com> <86E28295D464B450ECA5B1D5@lysithea.fac.cs.cmu.edu> <20100922183143.GA23200@eltex.net> <4C9A5B13.1040802@extendedsubset.com>
X-Mailer: Apple Mail (2.936)
Cc: IETF discussion list <ietf@ietf.org>, secdir@ietf.org, Barry Leiba <barryleiba.mailing.lists@gmail.com>, IETF cert-based identity <certid@ietf.org>, tls@ietf.org, ArkanoiD <ark@eltex.net>
Subject: Re: [secdir] [TLS] [certid] secdir review of draft-saintandre-tls-server-id-check-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Sep 2010 18:11:36 -0000

There is no black magic here, only the magic of the TLS server_name  
extension.  If the client provides server_name=gmail.com, the server  
provides a gmail.com cert, otherwise it defaults to mail.google.com.   
Your browser is following two secure delegations before it lands at www.google.com 
  (gmail.com -> mail.google.com -> www.google.com).  My guess based on  
the anecdotes in the thread is that IE8 doesn't support it.

(You should also be more careful about your HTTP emulation! "A client  
MUST include a Host header field in all HTTP/1.1 request messages .")

In full detail:

rbarnes$ openssl s_client -connect gmail.com:443 -servername gmail.com
[...]
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
[...]

GET / HTTP/1.1
Host: gmail.com

HTTP/1.1 301 Moved Permanently
Location: https://mail.google.com/mail/
[...]

rbarnes$ openssl s_client -connect mail.google.com:443 -servername  
mail.google.com
[...]
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/ 
CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
[...]

GET /mail/ HTTP/1.1
Host: mail.google.com

HTTP/1.1 302 Moved Temporarily
Location: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&ss=1&scc=1&ltmpl=default&ltmplcache=2
[...]

rbarnes$ openssl s_client -connect www.google.com:443 -servername www.google.com
[...]
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
[...]

GET /accounts/ServiceLogin? 
service=mail&passive=true&rm=false&continue=https%3A%2F 
%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy 
%3Dl&bsv=1eic6yu9oa4y3&ss=1&scc=1&ltmpl=default&ltmplcache=2 HTTP/1.1
Host: www.google.com

HTTP/1.1 200 OK
[...]








On Sep 22, 2010, at 3:37 PM, Marsh Ray wrote:

> On 09/22/2010 01:31 PM, ArkanoiD wrote:
>> BTW, slightly offtopic here: whenever i connect to gmail.com, i get  
>> certificate
>> for mail.google.com. But i've yet to see any web browser to  
>> complain! Where is the magic?
>
> Seems totally relevant to me.
>
> Going to https://gmail.com/ I get some kind of redirection to https://www.google.com/accounts/ServiceLogin 
> ...
>
> I can confirm the silent redirect behavior on FF, an associate  
> reports it on IE9. I tried IE8 but get the expected "cert was issued  
> for a different website's address" error.
>
> Hopefully I'm overlooking something simple, but at first glance it  
> would seem like either of these two conditions are true:
>
> 1. Multiple vendors are putting some kind of override table in their  
> browsers with an entry for gmail.com.
>
> 2. Browsers are running script from badly authenticated sources.
>
> So what does gmail.com have in this situation that an attacker  
> couldn't obtain for phonygmail.com?
>
> - Marsh
>
>
> marsh@lamb:/tmp$ dig -t any gmail.com
>
> ; <<>> DiG 9.7.0-P1 <<>> -t any gmail.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44091
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;gmail.com.			IN	ANY
>
> ;; ANSWER SECTION:
> gmail.com.		300	IN	A	74.125.227.22
> gmail.com.		300	IN	A	74.125.227.21
> gmail.com.		300	IN	A	74.125.227.24
> gmail.com.		300	IN	A	74.125.227.23
> gmail.com.		86400	IN	NS	ns4.google.com.
> gmail.com.		86400	IN	NS	ns1.google.com.
> gmail.com.		86400	IN	SOA	ns1.google.com. dns-admin.google.com.  
> 1427981 21600 3600 1209600 300
> gmail.com.		3600	IN	MX	40 alt4.gmail-smtp-in.l.google.com.
> gmail.com.		3600	IN	MX	5 gmail-smtp-in.l.google.com.
> gmail.com.		3600	IN	MX	20 alt2.gmail-smtp-in.l.google.com.
> gmail.com.		300	IN	TXT	"v=spf1 redirect=_spf.google.com"
>
> ;; ADDITIONAL SECTION:
> ns4.google.com.		85092	IN	A	216.239.38.10
> ns1.google.com.		85092	IN	A	216.239.32.10
>
> ;; Query time: 54 msec
> ;; SERVER: 192.168.1.3#53(192.168.1.3)
> ;; WHEN: Wed Sep 22 14:26:29 2010
> ;; MSG SIZE  rcvd: 330
>
>
>
> marsh@lamb:/tmp$ openssl s_client -connect gmail.com:443
> ...
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/ 
> CN=mail.google.com
> issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
> ...
> ---
> GET / HTTP/1.0
>
> HTTP/1.0 200 OK
> Date: Wed, 22 Sep 2010 19:31:43 GMT
> Expires: -1
> Cache-Control: private, max-age=0
> Content-Type: text/html; charset=ISO-8859-1
> Set-Cookie:  
> PREF 
> =ID=8614650b9dda6802:TM=1285183903:LM=1285183903:S=B88jR4IHVEMJ7oJ7;  
> expires=Fri, 21-Sep-2012 19:31:43 GMT; path=/; domain=.google.com
> Set-Cookie:  
> NID 
> = 
> 39 
> = 
> nR1SfxSCd9I9frwdHUXGHtOKWCI2yKMLaVWVnRZk50jDJv4InnuJPuhruGHy2j8hWeKdBfO18SCZzEm6N0qMW_flPF6tF6i 
> -CvhRU1DrDDYvExygPnpew69GRLaWZeI0; expires=Thu, 24-Mar-2011 19:31:43  
> GMT; path=/; domain=.google.com; HttpOnly
> Server: gws
> X-XSS-Protection: 1; mode=block
>
> <!doctype html><html><head><meta http-equiv="content-type"  
> content="text/html; charset=ISO-8859-1"><title>Google</ 
> title 
> > 
> < 
> script 
> >window.google={kEI:"n1maTNKCA5O8zAXDpJFW",kEXPI:"24956,26758",kCSI: 
> {e 
> :"24956,26758 
> ",ei:"n1maTNKCA5O8zAXDpJFW",expi:"24956,26758"},ml:function() 
> {},kHL:"en",time:function(){return(new  
> Date).getTime()},log:function(b,d,c){var a=new  
> Image 
> ,e=google,g=e.lc,f=e.li;a.onerror=(a.onload=(a.onabort=function() 
> {delete g[f]}));g[f]=a;c=c||"/gen_204?atyp=i&ct="+b+"&cad="+d 
> +"&zx="+google.time();a.src=c;e.li=f+1},lc:[],li:0,Toolbelt:{}};
> window.google.sn="webhp";window.google.timers={load:{t:{start:(new  
> Date).getTime()}}};try{}catch(u){}window.google.jsrt_kill=1;
> var _gjwl=location;function _gjuc(){var  
> e=_gjwl.href.indexOf("#");if(e>=0){var  
> a=_gjwl.href.substring(e);if(a.indexOf("&q=")>0||a.indexOf("#q=")>=0) 
> {a=a.substring(1);if(a.indexOf("#")==-1){for(var c=0;c<a.length;) 
> {var d=c;if(a.charAt(d)=="&")++d;var  
> b=a.indexOf("&",d);if(b==-1)b=a.length;var  
> f=a.substring(d,b);if(f.indexOf("fp=")==0){a=a.substring(0,c) 
> +a.substring(b,a.length);b=c}else if(f=="cad=h")return  
> 0;c=b}_gjwl.href="/search?"+a+"&cad=h";return 1}}}return 0}function  
> _gjp(){!(window._gjwl.hash&&
> window._gjuc())&&setTimeout(_gjp,500)};
> window._gjp && _gjp()</script><style id=gstyle>body{margin: 
> 0}#gog{padding:3px 8px 0}td{line-height:.8em}.gac_m td{line-height: 
> 17px}form{margin-bottom:20px}body,td,a,p,.h{font-family:arial,sans- 
> serif}.h{color:#36c;font-size:20px}.q{color:#00c}.ts td{padding: 
> 0}.ts{border-collapse:collapse}em{font-weight:bold;font- 
> style:normal}.lst{width:496px}.tiah{width:458px}input{font- 
> family:inherit}a.gb1,a.gb2,a.gb3,a.gb4{color:#11c ! 
> important}#gog{background:#fff}#gbar,#guser{font-size:13px;padding- 
> top:1px !important}#gbar{float:left;height:22px}#guser{padding- 
> bottom:7px !important;text-align:right}.gbh,.gbd{border-top:1px  
> solid #c9d7f1;font-size:1px}.gbh{height:0;position:absolute;top: 
> 24px;width:100%}#gbs,.gbm{background:#fff;left: 
> 0;position:absolute;text-align:left;visibility:hidden;z-index: 
> 1000}.gbm{border:1px solid;border-color:#c9d7f1 #36c #36c #a2bae7;z- 
> index:1001}.gb1{margin-right:.5em}.gb1,.gb3{zoom: 
> 1}.gb2{display:block;padding:.2em .5em}.gb2,.gb3{text- 
> decoration:none;border- 
> bottom:none}a.gb1,a.gb2,a.gb3,a.gb4{color:#00c ! 
> important}a.gb2:hover{background:#36c;color:#fff ! 
> important}#gbar{display: none}#gbe{display:  
> none}body{background:#fff;color:black}input{-moz-box-sizing:content- 
> box}a{color:#11c;text-decoration:none}a:hover,a:active{text- 
> decoration:underline}.fl  
> a{color:#4272db}a:visited{color:#551a8b}a.gb1,a.gb4{text- 
> decoration:underline}a.gb3:hover{text-decoration:none}#ghead  
> a.gb2:hover{color:#fff!important}.ds{display:-moz-inline- 
> box}.ds{border-bottom:solid 1px #e7e7e7;border-right:solid 1px  
> #e7e7e7;display:inline-block;margin:3px 0 4px;margin-left: 
> 4px}.sblc{padding-top:5px}.sblc a{display:block;margin:2px 0;margin- 
> left:13px;font-size:11px;}.lsbb{background:#eee;border:solid  
> 1px;border-color:#ccc #999 #999 #ccc;height: 
> 30px;display:block}.lsb{background:url(/images/srpr/nav_logo14.png)  
> bottom;font:15px arial,sans- 
> serif;border:none;color:#000;cursor:pointer;height:30px;margin: 
> 0;outline:0;vertical- 
> align:top 
> }.lsb:active{background:#ccc}.lst:focus{outline:none}.ftl,#fll  
> a{margin:0 12px}#addlang a{padding:0 3px}.gac_v  
> div{display:none}.gac_v .gac_v2,.gac_bt{display:block!important}</ 
> style><script>google.y={};google.x=function(e,g) 
> {google.y[e.id]=[e,g];return false};window.gbar={qs:function() 
> {},tg:function(e){var o={id:'gbar'};for(i in  
> e)o[i]=e[i];google.x(o,function(){gbar.tg(o)})}};</script></ 
> head><body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b  
> alink=#ff0000 onload="document.f.q.focus();if(document.images)new  
> Image().src='/images/srpr/nav_logo14.png'" ><textarea id=csi  
> style=display:none></textarea><iframe name=wgjf style=display:none></ 
> iframe><div id=ghead><div id=gog><div id=guser  
> width=100%><nobr><span id=gbn class=gbi></span><span id=gbf  
> class=gbf></span><span id=gbe><a href="/url?sa=p&pref=ig&pval=3&q=http://www.google.com/ig%3Fhl%3Den%26source%3Diglk&usg=AFQjCNFA18XPfgb7dKnXfKz7x7g1GDH1tg 
> " class=gb4>iGoogle</a> | </span><a href="/preferences?hl=en"  
> class=gb4>Search settings</a> | <a href="https://www.google.com/accounts/Login?hl=en&continue=https://www.google.com/ 
> " class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></ 
> div><div class=gbh style=right:0></div></div></div> <center><br  
> clear=all id=lgpd><div id=lga><img src="images/logos/ 
> ssl_logo_lg.gif" width=276 height=110 border=0><br></div><font  
> size=-1>Go to <a href="http://www.google.com/">classic Google</a>.</ 
> font><form action="/search" name=f><table cell
>
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf