Re: [secdir] [TLS] [certid] secdir review of draft-saintandre-tls-server-id-check-09
Marsh Ray <marsh@extendedsubset.com> Wed, 22 September 2010 19:37 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7DDEB3A69A8; Wed, 22 Sep 2010 12:37:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.468
X-Spam-Level: ***
X-Spam-Status: No, score=3.468 tagged_above=-999 required=5 tests=[AWL=-5.093, BAYES_50=0.001, FB_WORD2_END_DOLLAR=3.294, J_CHICKENPOX_13=0.6, J_CHICKENPOX_23=0.6, J_CHICKENPOX_25=0.6, J_CHICKENPOX_45=0.6, J_CHICKENPOX_53=0.6, J_CHICKENPOX_73=0.6, SARE_URI_EQUALS=1.666]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SMS6iU9eKXOT; Wed, 22 Sep 2010 12:37:32 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id CA5183A697E; Wed, 22 Sep 2010 12:37:31 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OyV8e-000FOA-LT; Wed, 22 Sep 2010 19:37:57 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 4F2C3601B; Wed, 22 Sep 2010 19:37:54 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/McQjaZjnfhlHi92k0Dhlm/+vqXeVrxMo=
Message-ID: <4C9A5B13.1040802@extendedsubset.com>
Date: Wed, 22 Sep 2010 14:37:55 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.12) Gecko/20100915 Thunderbird/3.0.8
MIME-Version: 1.0
To: ArkanoiD <ark@eltex.net>
References: <AANLkTin6qXBOEJheaG8+SU=3k63Ed+3qXvoLHF5_hb6x@mail.gmail.com> <4C9A27D0.7030909@stpeter.im> <17472_1285173298_o8MGYvUB005723_AANLkTinAdE0qVxqUEBNe3ZWCry856bresv+x2Ga7Urju@mail.gmail.com> <86E28295D464B450ECA5B1D5@lysithea.fac.cs.cmu.edu> <20100922183143.GA23200@eltex.net>
In-Reply-To: <20100922183143.GA23200@eltex.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Fri, 24 Sep 2010 08:05:27 -0700
Cc: IETF discussion list <ietf@ietf.org>, secdir@ietf.org, Barry Leiba <barryleiba.mailing.lists@gmail.com>, IETF cert-based identity <certid@ietf.org>, tls@ietf.org
Subject: Re: [secdir] [TLS] [certid] secdir review of draft-saintandre-tls-server-id-check-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Sep 2010 19:37:33 -0000
On 09/22/2010 01:31 PM, ArkanoiD wrote: > BTW, slightly offtopic here: whenever i connect to gmail.com, i get certificate > for mail.google.com. But i've yet to see any web browser to complain! Where is the magic? Seems totally relevant to me. Going to https://gmail.com/ I get some kind of redirection to https://www.google.com/accounts/ServiceLogin... I can confirm the silent redirect behavior on FF, an associate reports it on IE9. I tried IE8 but get the expected "cert was issued for a different website's address" error. Hopefully I'm overlooking something simple, but at first glance it would seem like either of these two conditions are true: 1. Multiple vendors are putting some kind of override table in their browsers with an entry for gmail.com. 2. Browsers are running script from badly authenticated sources. So what does gmail.com have in this situation that an attacker couldn't obtain for phonygmail.com? - Marsh marsh@lamb:/tmp$ dig -t any gmail.com ; <<>> DiG 9.7.0-P1 <<>> -t any gmail.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44091 ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 2 ;; QUESTION SECTION: ;gmail.com. IN ANY ;; ANSWER SECTION: gmail.com. 300 IN A 74.125.227.22 gmail.com. 300 IN A 74.125.227.21 gmail.com. 300 IN A 74.125.227.24 gmail.com. 300 IN A 74.125.227.23 gmail.com. 86400 IN NS ns4.google.com. gmail.com. 86400 IN NS ns1.google.com. gmail.com. 86400 IN SOA ns1.google.com. dns-admin.google.com. 1427981 21600 3600 1209600 300 gmail.com. 3600 IN MX 40 alt4.gmail-smtp-in.l.google.com. gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com. gmail.com. 3600 IN MX 20 alt2.gmail-smtp-in.l.google.com. gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com" ;; ADDITIONAL SECTION: ns4.google.com. 85092 IN A 216.239.38.10 ns1.google.com. 85092 IN A 216.239.32.10 ;; Query time: 54 msec ;; SERVER: 192.168.1.3#53(192.168.1.3) ;; WHEN: Wed Sep 22 14:26:29 2010 ;; MSG SIZE rcvd: 330 marsh@lamb:/tmp$ openssl s_client -connect gmail.com:443 ... subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA ... --- GET / HTTP/1.0 HTTP/1.0 200 OK Date: Wed, 22 Sep 2010 19:31:43 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Set-Cookie: PREF=ID=8614650b9dda6802:TM=1285183903:LM=1285183903:S=B88jR4IHVEMJ7oJ7; expires=Fri, 21-Sep-2012 19:31:43 GMT; path=/; domain=.google.com Set-Cookie: NID=39=nR1SfxSCd9I9frwdHUXGHtOKWCI2yKMLaVWVnRZk50jDJv4InnuJPuhruGHy2j8hWeKdBfO18SCZzEm6N0qMW_flPF6tF6i-CvhRU1DrDDYvExygPnpew69GRLaWZeI0; expires=Thu, 24-Mar-2011 19:31:43 GMT; path=/; domain=.google.com; HttpOnly Server: gws X-XSS-Protection: 1; mode=block <!doctype html><html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"><title>Google</title><script>window.google={kEI:"n1maTNKCA5O8zAXDpJFW",kEXPI:"24956,26758",kCSI:{e:"24956,26758",ei:"n1maTNKCA5O8zAXDpJFW",expi:"24956,26758"},ml:function(){},kHL:"en",time:function(){return(new Date).getTime()},log:function(b,d,c){var a=new Image,e=google,g=e.lc,f=e.li;a.onerror=(a.onload=(a.onabort=function(){delete g[f]}));g[f]=a;c=c||"/gen_204?atyp=i&ct="+b+"&cad="+d+"&zx="+google.time();a.src=c;e.li=f+1},lc:[],li:0,Toolbelt:{}}; window.google.sn="webhp";window.google.timers={load:{t:{start:(new Date).getTime()}}};try{}catch(u){}window.google.jsrt_kill=1; var _gjwl=location;function _gjuc(){var e=_gjwl.href.indexOf("#");if(e>=0){var a=_gjwl.href.substring(e);if(a.indexOf("&q=")>0||a.indexOf("#q=")>=0){a=a.substring(1);if(a.indexOf("#")==-1){for(var c=0;c<a.length;){var d=c;if(a.charAt(d)=="&")++d;var b=a.indexOf("&",d);if(b==-1)b=a.length;var f=a.substring(d,b);if(f.indexOf("fp=")==0){a=a.substring(0,c)+a.substring(b,a.length);b=c}else if(f=="cad=h")return 0;c=b}_gjwl.href="/search?"+a+"&cad=h";return 1}}}return 0}function _gjp(){!(window._gjwl.hash&& window._gjuc())&&setTimeout(_gjp,500)}; window._gjp && _gjp()</script><style id=gstyle>body{margin:0}#gog{padding:3px 8px 0}td{line-height:.8em}.gac_m td{line-height:17px}form{margin-bottom:20px}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c;font-size:20px}.q{color:#00c}.ts td{padding:0}.ts{border-collapse:collapse}em{font-weight:bold;font-style:normal}.lst{width:496px}.tiah{width:458px}input{font-family:inherit}a.gb1,a.gb2,a.gb3,a.gb4{color:#11c !important}#gog{background:#fff}#gbar,#guser{font-size:13px;padding-top:1px !important}#gbar{float:left;height:22px}#guser{padding-bottom:7px !important;text-align:right}.gbh,.gbd{border-top:1px solid #c9d7f1;font-size:1px}.gbh{height:0;position:absolute;top:24px;width:100%}#gbs,.gbm{background:#fff;left:0;position:absolute;text-align:left;visibility:hidden;z-index:1000}.gbm{border:1px solid;border-color:#c9d7f1 #36c #36c #a2bae7;z-index:1001}.gb1{margin-right:.5em}.gb1,.gb3{zoom:1}.gb2{display:block;padding:.2em .5em}.gb2,.gb3{text-decoration:none;border-bottom:none}a.gb1,a.gb2,a.gb3,a.gb4{color:#00c !important}a.gb2:hover{background:#36c;color:#fff !important}#gbar{display: none}#gbe{display: none}body{background:#fff;color:black}input{-moz-box-sizing:content-box}a{color:#11c;text-decoration:none}a:hover,a:active{text-decoration:underline}.fl a{color:#4272db}a:visited{color:#551a8b}a.gb1,a.gb4{text-decoration:underline}a.gb3:hover{text-decoration:none}#ghead a.gb2:hover{color:#fff!important}.ds{display:-moz-inline-box}.ds{border-bottom:solid 1px #e7e7e7;border-right:solid 1px #e7e7e7;display:inline-block;margin:3px 0 4px;margin-left:4px}.sblc{padding-top:5px}.sblc a{display:block;margin:2px 0;margin-left:13px;font-size:11px;}.lsbb{background:#eee;border:solid 1px;border-color:#ccc #999 #999 #ccc;height:30px;display:block}.lsb{background:url(/images/srpr/nav_logo14.png) bottom;font:15px arial,sans-serif;border:none;color:#000;cursor:pointer;height:30px;margin:0;outline:0;vertical-align:top}.lsb:active{background:#ccc}.lst:focus{outline:none}.ftl,#fll a{margin:0 12px}#addlang a{padding:0 3px}.gac_v div{display:none}.gac_v .gac_v2,.gac_bt{display:block!important}</style><script>google.y={};google.x=function(e,g){google.y[e.id]=[e,g];return false};window.gbar={qs:function(){},tg:function(e){var o={id:'gbar'};for(i in e)o[i]=e[i];google.x(o,function(){gbar.tg(o)})}};</script></head><body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000 onload="document.f.q.focus();if(document.images)new Image().src='/images/srpr/nav_logo14.png'" ><textarea id=csi style=display:none></textarea><iframe name=wgjf style=display:none></iframe><div id=ghead><div id=gog><div id=guser width=100%><nobr><span id=gbn class=gbi></span><span id=gbf class=gbf></span><span id=gbe><a href="/url?sa=p&pref=ig&pval=3&q=http://www.google.com/ig%3Fhl%3Den%26source%3Diglk&usg=AFQjCNFA18XPfgb7dKnXfKz7x7g1GDH1tg" class=gb4>iGoogle</a> | </span><a href="/preferences?hl=en" class=gb4>Search settings</a> | <a href="https://www.google.com/accounts/Login?hl=en&continue=https://www.google.com/" class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></div><div class=gbh style=right:0></div></div></div> <center><br clear=all id=lgpd><div id=lga><img src="images/logos/ssl_logo_lg.gif" width=276 height=110 border=0><br></div><font size=-1>Go to <a href="http://www.google.com/">classic Google</a>.</font><form action="/search" name=f><table cell
- Re: [secdir] [TLS] secdir review of draft-saintan… =JeffH
- [secdir] secdir review of draft-saintandre-tls-se… Barry Leiba
- Re: [secdir] secdir review of draft-saintandre-tl… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-saintandre-tl… Barry Leiba
- Re: [secdir] secdir review of draft-saintandre-tl… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-saintandre-tl… Jeffrey Hutzelman
- Re: [secdir] [TLS] [certid] secdir review of draf… Richard L. Barnes
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] secdir review of draft-saintandre-tl… Peter Saint-Andre
- Re: [secdir] [certid] secdir review of draft-sain… ArkanoiD
- Re: [secdir] [TLS] [certid] secdir review of draf… Marsh Ray
- Re: [secdir] [TLS] [certid] secdir review of draf… Jeffrey A. Williams
- Re: [secdir] [TLS] [certid] secdir review of draf… Marsh Ray
- Re: [secdir] [TLS] [certid] secdir review of draf… Marsh Ray
- Re: [secdir] [TLS] secdir review of Martin Rex
- Re: [secdir] [TLS] secdir review of Robert Relyea
- Re: [secdir] [TLS] secdir review of Nicolas Williams