Re: [secdir] [TLS] [certid] secdir review of draft-saintandre-tls-server-id-check-09

"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Wed, 22 September 2010 19:42 UTC

Date: Wed, 22 Sep 2010 14:43:05 -0500 (GMT-05:00)
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
To: Marsh Ray <marsh@extendedsubset.com>, ArkanoiD <ark@eltex.net>
Cc: IETF discussion list <ietf@ietf.org>, secdir@ietf.org, Barry Leiba <barryleiba.mailing.lists@gmail.com>, IETF cert-based identity <certid@ietf.org>, tls@ietf.org
Subject: Re: [secdir] [TLS] [certid] secdir review of draft-saintandre-tls-server-id-check-09

Marsh and all,

  Thanks for confirming what I have seen far too often in respect to gmail.com.


-----Original Message-----
>From: Marsh Ray <marsh@extendedsubset.com>
>Sent: Sep 22, 2010 2:37 PM
>To: ArkanoiD <ark@eltex.net>
>Cc: IETF discussion list <ietf@ietf.org>, secdir@ietf.org, Barry Leiba <barryleiba.mailing.lists@gmail.com>, IETF cert-based identity <certid@ietf.org>, tls@ietf.org, Jeffrey Hutzelman <jhutz@cmu.edu>
>Subject: Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09
>
>On 09/22/2010 01:31 PM, ArkanoiD wrote:
>> BTW, slightly offtopic here: whenever i connect to gmail.com, i get certificate
>> for mail.google.com. But i've yet to see any web browser to complain! Where is the magic?
>
>Seems totally relevant to me.
>
>Going to https://gmail.com/ I get some kind of redirection to 
>https://www.google.com/accounts/ServiceLogin...
>
>I can confirm the silent redirect behavior on FF, an associate reports 
>it on IE9. I tried IE8 but get the expected "cert was issued for a 
>different website's address" error.
>
>Hopefully I'm overlooking something simple, but at first glance it would 
>seem like either of these two conditions is true:
>
>1. Multiple vendors are putting some kind of override table in their 
>browsers with an entry for gmail.com.
>
>2. Browsers are running script from badly authenticated sources.
>
>So what does gmail.com have in this situation that an attacker couldn't 
>obtain for phonygmail.com?
>
>- Marsh
>
>
>marsh@lamb:/tmp$ dig -t any gmail.com
>
>; <<>> DiG 9.7.0-P1 <<>> -t any gmail.com
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44091
>;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 2
>
>;; QUESTION SECTION:
>;gmail.com.			IN	ANY
>
>;; ANSWER SECTION:
>gmail.com.		300	IN	A	74.125.227.22
>gmail.com.		300	IN	A	74.125.227.21
>gmail.com.		300	IN	A	74.125.227.24
>gmail.com.		300	IN	A	74.125.227.23
>gmail.com.		86400	IN	NS	ns4.google.com.
>gmail.com.		86400	IN	NS	ns1.google.com.
>gmail.com.		86400	IN	SOA	ns1.google.com. dns-admin.google.com. 1427981 
>21600 3600 1209600 300
>gmail.com.		3600	IN	MX	40 alt4.gmail-smtp-in.l.google.com.
>gmail.com.		3600	IN	MX	5 gmail-smtp-in.l.google.com.
>gmail.com.		3600	IN	MX	20 alt2.gmail-smtp-in.l.google.com.
>gmail.com.		300	IN	TXT	"v=spf1 redirect=_spf.google.com"
>
>;; ADDITIONAL SECTION:
>ns4.google.com.		85092	IN	A	216.239.38.10
>ns1.google.com.		85092	IN	A	216.239.32.10
>
>;; Query time: 54 msec
>;; SERVER: 192.168.1.3#53(192.168.1.3)
>;; WHEN: Wed Sep 22 14:26:29 2010
>;; MSG SIZE  rcvd: 330
>
>
>
>marsh@lamb:/tmp$ openssl s_client -connect gmail.com:443
>...
>subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
>issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>...
>---
>GET / HTTP/1.0
>
>HTTP/1.0 200 OK
>Date: Wed, 22 Sep 2010 19:31:43 GMT
>Expires: -1
>Cache-Control: private, max-age=0
>Content-Type: text/html; charset=ISO-8859-1
>Set-Cookie: 
>PREF=ID=8614650b9dda6802:TM=1285183903:LM=1285183903:S=B88jR4IHVEMJ7oJ7; 
>expires=Fri, 21-Sep-2012 19:31:43 GMT; path=/; domain=.google.com
>Set-Cookie: 
>NID=39=nR1SfxSCd9I9frwdHUXGHtOKWCI2yKMLaVWVnRZk50jDJv4InnuJPuhruGHy2j8hWeKdBfO18SCZzEm6N0qMW_flPF6tF6i-CvhRU1DrDDYvExygPnpew69GRLaWZeI0; 
>expires=Thu, 24-Mar-2011 19:31:43 GMT; path=/; domain=.google.com; HttpOnly
>Server: gws
>X-XSS-Protection: 1; mode=block
>
><!doctype html><html><head><meta http-equiv="content-type" 
>content="text/html; 
>charset=ISO-8859-1"><title>Google</title><script>window.google={kEI:"n1maTNKCA5O8zAXDpJFW",kEXPI:"24956,26758",kCSI:{e:"24956,26758",ei:"n1maTNKCA5O8zAXDpJFW",expi:"24956,26758"},ml:function(){},kHL:"en",time:function(){return(new 
>Date).getTime()},log:function(b,d,c){var a=new 
>Image,e=google,g=e.lc,f=e.li;a.onerror=(a.onload=(a.onabort=function(){delete 
>g[f]}));g[f]=a;c=c||"/gen_204?atyp=i&ct="+b+"&cad="+d+"&zx="+google.time();a.src=c;e.li=f+1},lc:[],li:0,Toolbelt:{}};
>window.google.sn="webhp";window.google.timers={load:{t:{start:(new 
>Date).getTime()}}};try{}catch(u){}window.google.jsrt_kill=1;
>var _gjwl=location;function _gjuc(){var 
>e=_gjwl.href.indexOf("#");if(e>=0){var 
>a=_gjwl.href.substring(e);if(a.indexOf("&q=")>0||a.indexOf("#q=")>=0){a=a.substring(1);if(a.indexOf("#")==-1){for(var 
>c=0;c<a.length;){var d=c;if(a.charAt(d)=="&")++d;var 
>b=a.indexOf("&",d);if(b==-1)b=a.length;var 
>f=a.substring(d,b);if(f.indexOf("fp=")==0){a=a.substring(0,c)+a.substring(b,a.length);b=c}else 
>if(f=="cad=h")return 0;c=b}_gjwl.href="/search?"+a+"&cad=h";return 
>1}}}return 0}function _gjp(){!(window._gjwl.hash&&
>window._gjuc())&&setTimeout(_gjp,500)};
>window._gjp && _gjp()</script><style 
>id=gstyle>body{margin:0}#gog{padding:3px 8px 
>0}td{line-height:.8em}.gac_m 
>td{line-height:17px}form{margin-bottom:20px}body,td,a,p,.h{font-family:arial,sans-serif}.h{color:#36c;font-size:20px}.q{color:#00c}.ts 
>td{padding:0}.ts{border-collapse:collapse}em{font-weight:bold;font-style:normal}.lst{width:496px}.tiah{width:458px}input{font-family:inherit}a.gb1,a.gb2,a.gb3,a.gb4{color:#11c 
>!important}#gog{background:#fff}#gbar,#guser{font-size:13px;padding-top:1px 
>!important}#gbar{float:left;height:22px}#guser{padding-bottom:7px 
>!important;text-align:right}.gbh,.gbd{border-top:1px solid 
>#c9d7f1;font-size:1px}.gbh{height:0;position:absolute;top:24px;width:100%}#gbs,.gbm{background:#fff;left:0;position:absolute;text-align:left;visibility:hidden;z-index:1000}.gbm{border:1px 
>solid;border-color:#c9d7f1 #36c #36c 
>#a2bae7;z-index:1001}.gb1{margin-right:.5em}.gb1,.gb3{zoom:1}.gb2{display:block;padding:.2em 
>.5em}.gb2,.gb3{text-decoration:none;border-bottom:none}a.gb1,a.gb2,a.gb3,a.gb4{color:#00c 
>!important}a.gb2:hover{background:#36c;color:#fff 
>!important}#gbar{display: none}#gbe{display: 
>none}body{background:#fff;color:black}input{-moz-box-sizing:content-box}a{color:#11c;text-decoration:none}a:hover,a:active{text-decoration:underline}.fl 
>a{color:#4272db}a:visited{color:#551a8b}a.gb1,a.gb4{text-decoration:underline}a.gb3:hover{text-decoration:none}#ghead 
>a.gb2:hover{color:#fff!important}.ds{display:-moz-inline-box}.ds{border-bottom:solid 
>1px #e7e7e7;border-right:solid 1px 
>#e7e7e7;display:inline-block;margin:3px 0 
>4px;margin-left:4px}.sblc{padding-top:5px}.sblc 
>a{display:block;margin:2px 
>0;margin-left:13px;font-size:11px;}.lsbb{background:#eee;border:solid 
>1px;border-color:#ccc #999 #999 
>#ccc;height:30px;display:block}.lsb{background:url(/images/srpr/nav_logo14.png) 
>bottom;font:15px 
>arial,sans-serif;border:none;color:#000;cursor:pointer;height:30px;margin:0;outline:0;vertical-align:top}.lsb:active{background:#ccc}.lst:focus{outline:none}.ftl,#fll 
>a{margin:0 12px}#addlang a{padding:0 3px}.gac_v div{display:none}.gac_v 
>.gac_v2,.gac_bt{display:block!important}</style><script>google.y={};google.x=function(e,g){google.y[e.id]=[e,g];return 
>false};window.gbar={qs:function(){},tg:function(e){var 
>o={id:'gbar'};for(i in 
>e)o[i]=e[i];google.x(o,function(){gbar.tg(o)})}};</script></head><body 
>bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000 
>onload="document.f.q.focus();if(document.images)new 
>Image().src='/images/srpr/nav_logo14.png'" ><textarea id=csi 
>style=display:none></textarea><iframe name=wgjf 
>style=display:none></iframe><div id=ghead><div id=gog><div id=guser 
>width=100%><nobr><span id=gbn class=gbi></span><span id=gbf 
>class=gbf></span><span id=gbe><a 
>href="/url?sa=p&pref=ig&pval=3&q=http://www.google.com/ig%3Fhl%3Den%26source%3Diglk&usg=AFQjCNFA18XPfgb7dKnXfKz7x7g1GDH1tg" 
>class=gb4>iGoogle</a> | </span><a href="/preferences?hl=en" 
>class=gb4>Search settings</a> | <a 
>href="https://www.google.com/accounts/Login?hl=en&continue=https://www.google.com/" 
>class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></div><div 
>class=gbh style=right:0></div></div></div> <center><br clear=all 
>id=lgpd><div id=lga><img src="images/logos/ssl_logo_lg.gif" width=276 
>height=110 border=0><br></div><font size=-1>Go to <a 
>href="http://www.google.com/">classic Google</a>.</font><form 
>action="/search" name=f><table cell

Regards,
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 300k members/stakeholders and growing, strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com
Phone: 214-244-4827
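An added example, not code from the thread and not a claim about what any browser does: a strict reference-identifier check in Python that applies the matching rules of the draft under review (subjectAltName dNSName entries first, CN only as a fallback when there are none, a wildcard only as the entire left-most label) to the `openssl s_client` subject line Marsh quoted. The subjectAltName lists passed in are constructed for illustration; the quoted `s_client` output prints only the subject DN, so whether that certificate also carried a SAN for gmail.com is not visible on the page (`openssl x509 -text -noout` would show it).

```python
"""
Reference identifier vs. presented identifier matching, in the style of
draft-saintandre-tls-server-id-check (later RFC 6125).

Added example for the thread, not the draft's or any browser's code.
SUBJECT_LINE is the line Marsh quoted from `openssl s_client`; every
SAN list passed to server_identity_matches() below is a CONSTRUCTED
assumption used only to show the SAN-before-CN rule.
"""

SUBJECT_LINE = "subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com"


def parse_openssl_subject(line):
    """Parse the slash-separated subject line printed by `openssl s_client`
    into a dict of RDN type -> value (values may contain spaces, not '/')."""
    line = line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):]
    rdns = {}
    for part in line.split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        rdns[key] = value
    return rdns


def _labels(name):
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.lower().rstrip(".").split(".")


def dns_id_matches(reference, presented):
    """Compare one presented DNS-ID against the reference identifier.
    A wildcard is honoured only as the whole left-most label and matches
    exactly one label: '*.google.com' matches 'mail.google.com' but not
    'google.com' or 'a.b.google.com'; '*.com' is refused outright."""
    ref = _labels(reference)
    pres = _labels(presented)
    if len(ref) != len(pres):
        return False
    if pres[0] == "*":
        if len(pres) < 3:
            # would match every name under a top-level domain
            return False
        return ref[1:] == pres[1:]
    return ref == pres


def server_identity_matches(reference, san_dns_names, subject_cn):
    """SAN dNSName entries are authoritative when present; the CN is
    consulted only if the certificate carries no dNSName at all."""
    if san_dns_names:
        return any(dns_id_matches(reference, p) for p in san_dns_names)
    return subject_cn is not None and dns_id_matches(reference, subject_cn)


def check_quoted_observation():
    """The check a strict client applies to the certificate in the thread,
    with no SAN assumed: 'gmail.com' must be rejected, 'mail.google.com' accepted."""
    cn = parse_openssl_subject(SUBJECT_LINE).get("CN")
    return {
        "cn": cn,
        "gmail.com": server_identity_matches("gmail.com", [], cn),
        "mail.google.com": server_identity_matches("mail.google.com", [], cn),
    }


if __name__ == "__main__":
    for reference, ok in check_quoted_observation().items():
        print(f"{reference}: {ok}")
```

Run as a script it reports the CN and the two verdicts; a client that accepts `gmail.com` against this subject, with no matching SAN, is not applying the draft's matching rules.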