Re: [secdir] [TLS] [certid] secdir review of draft-saintandre-tls-server-id-check-09

Marsh Ray <marsh@extendedsubset.com> Wed, 22 September 2010 19:37 UTC

Message-ID: <4C9A5B13.1040802@extendedsubset.com>
Date: Wed, 22 Sep 2010 14:37:55 -0500
From: Marsh Ray <marsh@extendedsubset.com>
To: ArkanoiD <ark@eltex.net>
Cc: IETF discussion list <ietf@ietf.org>, secdir@ietf.org, Barry Leiba <barryleiba.mailing.lists@gmail.com>, IETF cert-based identity <certid@ietf.org>, tls@ietf.org

On 09/22/2010 01:31 PM, ArkanoiD wrote:
> BTW, slightly offtopic here: whenever I connect to gmail.com, I get a certificate
> for mail.google.com. But I've yet to see any web browser complain! Where is the magic?

Seems totally relevant to me.

Going to https://gmail.com/ I get some kind of redirection to 
https://www.google.com/accounts/ServiceLogin...

I can confirm the silent redirect behavior on FF; an associate reports 
it on IE9. I tried IE8 but get the expected "cert was issued for a 
different website's address" error.

Hopefully I'm overlooking something simple, but at first glance it would 
seem like either of these two conditions is true:

1. Multiple vendors are putting some kind of override table in their 
browsers with an entry for gmail.com.

2. Browsers are running script from badly authenticated sources.

So what does gmail.com have in this situation that an attacker couldn't 
obtain for phonygmail.com?

- Marsh


marsh@lamb:/tmp$ dig -t any gmail.com

; <<>> DiG 9.7.0-P1 <<>> -t any gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44091
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;gmail.com.			IN	ANY

;; ANSWER SECTION:
gmail.com.		300	IN	A	74.125.227.22
gmail.com.		300	IN	A	74.125.227.21
gmail.com.		300	IN	A	74.125.227.24
gmail.com.		300	IN	A	74.125.227.23
gmail.com.		86400	IN	NS	ns4.google.com.
gmail.com.		86400	IN	NS	ns1.google.com.
gmail.com.		86400	IN	SOA	ns1.google.com. dns-admin.google.com. 1427981 21600 3600 1209600 300
gmail.com.		3600	IN	MX	40 alt4.gmail-smtp-in.l.google.com.
gmail.com.		3600	IN	MX	5 gmail-smtp-in.l.google.com.
gmail.com.		3600	IN	MX	20 alt2.gmail-smtp-in.l.google.com.
gmail.com.		300	IN	TXT	"v=spf1 redirect=_spf.google.com"

;; ADDITIONAL SECTION:
ns4.google.com.		85092	IN	A	216.239.38.10
ns1.google.com.		85092	IN	A	216.239.32.10

;; Query time: 54 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Wed Sep 22 14:26:29 2010
;; MSG SIZE  rcvd: 330



marsh@lamb:/tmp$ openssl s_client -connect gmail.com:443
...
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
...
---
GET / HTTP/1.0

HTTP/1.0 200 OK
Date: Wed, 22 Sep 2010 19:31:43 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=8614650b9dda6802:TM=1285183903:LM=1285183903:S=B88jR4IHVEMJ7oJ7; expires=Fri, 21-Sep-2012 19:31:43 GMT; path=/; domain=.google.com
Set-Cookie: NID=39=nR1SfxSCd9I9frwdHUXGHtOKWCI2yKMLaVWVnRZk50jDJv4InnuJPuhruGHy2j8hWeKdBfO18SCZzEm6N0qMW_flPF6tF6i-CvhRU1DrDDYvExygPnpew69GRLaWZeI0; expires=Thu, 24-Mar-2011 19:31:43 GMT; path=/; domain=.google.com; HttpOnly
Server: gws
X-XSS-Protection: 1; mode=block

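
The name comparison at issue in this message, as an added example (not part of the original post and not code from the draft): a simplified matcher that checks the name the user asked for against the names a certificate presents, with the subject CN used only when no dNSName is present. The function names and the certificate dictionary are hypothetical, and the certificate's subjectAltName, which the post does not show, is assumed empty.

```python
# Added illustration: simplified server-identity check.
# All names here are hypothetical; this is not a library API.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def dns_name_matches(reference, presented):
    """Compare the name the client asked for with one presented identifier.
    '*' is honoured only as the complete left-most label and covers
    exactly one label, so '*.google.com' never matches 'gmail.com'."""
    ref, pres = _labels(reference), _labels(presented)
    if len(ref) != len(pres):
        return False
    if pres[0] == "*":
        # Require at least two labels after the wildcard ('*.com' is refused).
        return len(pres) >= 3 and ref[1:] == pres[1:]
    return ref == pres

def check_server_identity(reference, cert):
    """cert: {'dns_names': [...subjectAltName dNSName...], 'common_name': str}.
    Returns (ok, identifiers_considered)."""
    presented = list(cert.get("dns_names") or [])
    if not presented and cert.get("common_name"):
        # CN fallback applies only when the certificate has no dNSName.
        presented = [cert["common_name"]]
    ok = any(dns_name_matches(reference, p) for p in presented)
    return ok, presented

# Constructed from the s_client output in the post: only the subject CN is
# shown there, so dns_names is assumed empty.
CERT_FROM_POST = {"dns_names": [], "common_name": "mail.google.com"}

if __name__ == "__main__":
    # The reference name is what the user typed, not a later redirect target.
    for host in ("gmail.com", "mail.google.com"):
        print(host, check_server_identity(host, CERT_FROM_POST))
```
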