
Fraudulent certificates in the wild — again


Posted Jan 3, 2013 20:11 UTC (Thu) by cjr (subscriber, #88606)
In reply to: Fraudulent certificates in the wild — again by mjg59
Parent article: Fraudulent certificates in the wild — again

Ironically, the certificate for that site was issued to blog.mozilla.com (rather than blog.mozilla.org), so I got a certificate error when I went to read that article.



Fraudulent certificates in the wild — again

Posted Jan 3, 2013 21:02 UTC (Thu) by josh (subscriber, #17465)

The certificate looks good here; it shows the hostname as blog.mozilla.org. What certificate did you get?

Fraudulent certificates in the wild — again

Posted Jan 3, 2013 21:10 UTC (Thu) by cesarb (subscriber, #6266)

He is probably using an older browser without support for Server Name Indication.

$ host blog.mozilla.com
blog.mozilla.com is an alias for blog.mozilla.org.
blog.mozilla.org has address 63.245.217.99
blog.mozilla.org has IPv6 address 2620:101:8008:5::2:5

$ openssl s_client -showcerts -connect 63.245.217.99:443
[...]
Server certificate
subject=/serialNumber=PJYd6s/lzd2zfglc6EAG5C/hVZfSySVY/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=IT/CN=blog.mozilla.com
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
[...]

With the latest Firefox, I get the certificate for CN=blog.mozilla.org, instead of the one for CN=blog.mozilla.com. This probably means the server is using SNI to select the correct certificate, and since his older browser did not support it, the server did not know which certificate to use and sent the wrong one.
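
The mechanism described in the comment above, as an added example that is not part of the original thread or of Mozilla's server configuration: SNI is just an extension inside the TLS ClientHello, and a server that hosts several names on one address uses it to pick a certificate before it has seen anything else. The code below builds a minimal ClientHello with and without the server_name extension, parses the extension back out, and applies the fallback rule that produces exactly the symptom cjr saw: no SNI, so the server hands out its default certificate. The certificate store, the default choice, the fixed random and the single cipher suite are all constructed values for the illustration; the selection logic is hypothetical, not Mozilla's.

```python
import struct

SNI_EXTENSION = 0x0000   # RFC 6066 server_name extension type
HOST_NAME = 0            # NameType host_name

# Constructed stand-in for a server's certificate store: the name each
# certificate was issued for, mapped to a label standing in for the cert.
# Mirrors the situation in the thread: the default certificate is the
# blog.mozilla.com one.
CERTS = {
    "blog.mozilla.com": "CN=blog.mozilla.com",
    "blog.mozilla.org": "CN=blog.mozilla.org",
}
DEFAULT_CERT = "CN=blog.mozilla.com"


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed: fixed random,
    one cipher suite). With server_name=None no extensions block is sent at
    all, which is what a pre-SNI client such as IE on Windows XP does."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version, random
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # compression: null only
    if server_name is not None:
        name = server_name.encode("ascii")        # SNI names are ASCII (IDNA)
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension, or
    None if the client sent no SNI (or no extensions at all)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip version and random
    pos += 1 + body[pos]                          # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    if pos == len(body):
        return None                               # no extensions block
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXTENSION:
            return _parse_server_name_list(data)
    return None


def _parse_server_name_list(data):
    """Walk the ServerNameList and return the first host_name entry."""
    (list_len,) = struct.unpack("!H", data[:2])
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        ntype, nlen = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        name = data[pos:pos + nlen]
        pos += nlen
        if ntype == HOST_NAME:
            return name.decode("ascii")
    return None


def select_certificate(record, certs=CERTS, default=DEFAULT_CERT):
    """What an SNI-aware server does: pick the certificate matching the
    requested name, falling back to the default when there is no SNI or
    the name is unknown. (Hypothetical selection logic, not Mozilla's.)"""
    name = extract_sni(record)
    if name is None:
        return default
    return certs.get(name.lower(), default)


if __name__ == "__main__":
    for sni in ("blog.mozilla.org", None):
        chosen = select_certificate(build_client_hello(sni))
        print(f"SNI={sni!r:20} -> {chosen}")
```

The same fallback is why the openssl s_client output in the comment shows CN=blog.mozilla.com: an s_client of that era sent no server_name unless given -servername, so it looked like an XP browser to the server. Current OpenSSL (1.1.1 and later) sends SNI by default and needs -noservername to reproduce the old behaviour, so when diagnosing a "wrong certificate" report, compare the certificate returned with and without -servername before suspecting a fraudulent issuance.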

Fraudulent certificates in the wild — again

Posted Jan 3, 2013 21:14 UTC (Thu) by cjr (subscriber, #88606)

Interesting, thanks for the information. Indeed, I am using IE8 on Windows XP, which does not appear to support Server Name Indication.

Fraudulent certificates in the wild — again

Posted Jan 4, 2013 13:53 UTC (Fri) by bbaetz (subscriber, #42501)

Windows XP doesn't support SNI, and IE uses the Windows libraries for SSL (Chrome may too - not sure). Firefox uses its own (NSS) so isn't tied to the Windows version. Which is the main reason why SNI use hasn't really taken off - it's only in the last year that people have been able to really stop supporting IE6 (with Google being big enough to not support IE8, a few other sites are starting to match). Not supporting Windows XP on your website (which is what SNI effectively requires) is a lot further off - at best 2014 (when Microsoft stops supporting it).

Fraudulent certificates in the wild — again

Posted Jan 5, 2013 0:37 UTC (Sat) by Lennie (subscriber, #49641)

Chrome used to do that, in the first few versions. Until 4 or something like that, which is ages ago and no one should be using that anymore.

All versions of IE and Safari on XP or 2000 do not support SNI.

But also almost 50% of all Android phones do not support SNI, because Android 2.x does not support SNI.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds