Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09
"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Wed, 22 September 2010 19:42 UTC
Marsh and all,

Thanks for confirming what I have seen far too often in respect to gmail.com.

-----Original Message-----
>From: Marsh Ray <marsh@extendedsubset.com>
>Sent: Sep 22, 2010 2:37 PM
>To: ArkanoiD <ark@eltex.net>
>Cc: IETF discussion list <ietf@ietf.org>, secdir@ietf.org, Barry Leiba <barryleiba.mailing.lists@gmail.com>, IETF cert-based identity <certid@ietf.org>, tls@ietf.org, Jeffrey Hutzelman <jhutz@cmu.edu>
>Subject: Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09
>
>On 09/22/2010 01:31 PM, ArkanoiD wrote:
>> BTW, slightly offtopic here: whenever i connect to gmail.com, i get certificate
>> for mail.google.com. But i've yet to see any web browser to complain! Where is the magic?
>
>Seems totally relevant to me.
>
>Going to https://gmail.com/ I get some kind of redirection to
>https://www.google.com/accounts/ServiceLogin...
>
>I can confirm the silent redirect behavior on FF, an associate reports
>it on IE9. I tried IE8 but get the expected "cert was issued for a
>different website's address" error.
>
>Hopefully I'm overlooking something simple, but at first glance it would
>seem like either of these two conditions are true:
>
>1. Multiple vendors are putting some kind of override table in their
>browsers with an entry for gmail.com.
>
>2. Browsers are running script from badly authenticated sources.
>
>So what does gmail.com have in this situation that an attacker couldn't
>obtain for phonygmail.com?
>
>- Marsh
>
>
>marsh@lamb:/tmp$ dig -t any gmail.com
>
>; <<>> DiG 9.7.0-P1 <<>> -t any gmail.com
>;; global options: +cmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44091
>;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 2
>
>;; QUESTION SECTION:
>;gmail.com. IN ANY
>
>;; ANSWER SECTION:
>gmail.com. 300 IN A 74.125.227.22
>gmail.com. 300 IN A 74.125.227.21
>gmail.com. 300 IN A 74.125.227.24
>gmail.com. 300 IN A 74.125.227.23
>gmail.com. 86400 IN NS ns4.google.com.
>gmail.com. 86400 IN NS ns1.google.com.
>gmail.com. 86400 IN SOA ns1.google.com. dns-admin.google.com. 1427981 21600 3600 1209600 300
>gmail.com. 3600 IN MX 40 alt4.gmail-smtp-in.l.google.com.
>gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
>gmail.com. 3600 IN MX 20 alt2.gmail-smtp-in.l.google.com.
>gmail.com. 300 IN TXT "v=spf1 redirect=_spf.google.com"
>
>;; ADDITIONAL SECTION:
>ns4.google.com. 85092 IN A 216.239.38.10
>ns1.google.com. 85092 IN A 216.239.32.10
>
>;; Query time: 54 msec
>;; SERVER: 192.168.1.3#53(192.168.1.3)
>;; WHEN: Wed Sep 22 14:26:29 2010
>;; MSG SIZE rcvd: 330
>
>
>
>marsh@lamb:/tmp$ openssl s_client -connect gmail.com:443
>...
>subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
>issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>...
>---
>GET / HTTP/1.0
>
>HTTP/1.0 200 OK
>Date: Wed, 22 Sep 2010 19:31:43 GMT
>Expires: -1
>Cache-Control: private, max-age=0
>Content-Type: text/html; charset=ISO-8859-1
>Set-Cookie:
>PREF=ID=8614650b9dda6802:TM=1285183903:LM=1285183903:S=B88jR4IHVEMJ7oJ7;
>expires=Fri, 21-Sep-2012 19:31:43 GMT; path=/; domain=.google.com
>Set-Cookie:
>NID=39=nR1SfxSCd9I9frwdHUXGHtOKWCI2yKMLaVWVnRZk50jDJv4InnuJPuhruGHy2j8hWeKdBfO18SCZzEm6N0qMW_flPF6tF6i-CvhRU1DrDDYvExygPnpew69GRLaWZeI0;
>expires=Thu, 24-Mar-2011 19:31:43 GMT; path=/; domain=.google.com; HttpOnly
>Server: gws
>X-XSS-Protection: 1; mode=block
>
>...

Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 300k members/stakeholders and growing, strong!)
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
Phone: 214-244-4827
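An added example, not part of this thread or of the draft's own text: a minimal server identity check in the style of draft-saintandre-tls-server-id-check (DNS-ID from subjectAltName checked first, CN-ID consulted only when the certificate carries no DNS-ID, wildcard honoured only as the whole left-most label). The presented identifiers are hand-built from the s_client output quoted above, not parsed from a real certificate; the SAN list containing gmail.com is a constructed case, since s_client's default output prints only the subject CN.

```python
# Added example (not from the mailing-list thread): identity matching in the
# style of draft-saintandre-tls-server-id-check. Presented identifiers are
# constructed by hand; nothing here parses a real certificate.

def _labels(name: str) -> list:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def match_dns_id(presented: str, reference: str) -> bool:
    """Match one presented DNS-ID (possibly a wildcard) against the reference."""
    p, r = _labels(presented), _labels(reference)
    if p == r:
        return True
    # Wildcard only as the entire left-most label, at least two labels after it,
    # and the remaining labels must match exactly (never across a dot).
    if len(p) >= 3 and p[0] == "*" and len(p) == len(r) and p[1:] == r[1:]:
        return not r[0].startswith("xn--")   # no wildcard match for A-labels
    return False

def check_server_identity(reference: str, dns_ids: list, cn_id: str = None):
    """Return (matched, identifier used). DNS-IDs (SAN dNSName) take
    precedence; the CN-ID is a last resort only when no DNS-ID is present."""
    if dns_ids:
        for pid in dns_ids:
            if match_dns_id(pid, reference):
                return True, pid
        return False, None            # SAN present but nothing matched: fail
    if cn_id is not None and match_dns_id(cn_id, reference):
        return True, cn_id
    return False, None

if __name__ == "__main__":
    # What the quoted s_client output shows: CN only, no DNS-ID -> mismatch,
    # i.e. the "issued for a different website" error IE8 reported.
    print(check_server_identity("gmail.com", [], cn_id="mail.google.com"))
    # Constructed case: a SAN list that also carries gmail.com -> match.
    print(check_server_identity("gmail.com", ["mail.google.com", "gmail.com"]))
    # A wildcard for *.google.com does not cover the bare gmail.com.
    print(check_server_identity("gmail.com", ["*.google.com"]))
```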