[CLUE-Tech] reverse DNS
Adam Bultman
adamb at glaven.org
Tue Sep 14 16:24:01 MDT 2004
Eric Jorgensen wrote:
>Evidently clue-tech does not allow attachments (had
>attached copies of the messages from the browsers).
>
>From both mozilla and IE going to your example,
>https://www.netsol.com/ I got the following error from
>Mozilla 1.7.2:
>
>You have attempted to establish a connection with
>"www.netsol.com". However, the security certificate
>presented belongs to "www.networksolutions.com". It
>is possible, though unlikely, that someone may be
>trying to intercept your communication with this web
>site...
>
>And from IE 6.x:
>
>Information you exchange with this site cannot be
>viewed or changed by others. However, there is a
>problem with the site's security certificate:
>...
>The name on the security certificate is invalid or
>does not match the name of the site.
>...
>
>So the reverse DNS must match in order for SSL not
>to issue a warning.
>
>Eric
>
$dig www.netsol.com
;; ANSWER SECTION:
www.netsol.com. 84740 IN A 216.168.224.111
$dig -x 216.168.224.111
;; ANSWER SECTION:
111.224.168.216.in-addr.arpa. 10765 IN PTR www.netsol.com.
Ok. Now we see that we have correct RDNS for www.netsol.com
Now: Pull up https://www.netsol.com.
When it throws the error mentioning that the site is for
www.networksolutions.com, hit 'view certificate'.
Ok. Now look at the 'Issued To' section, and look at the Common Name
(CN). You'll see the certificate has 'www.networksolutions.com' as the
CN.
ok, from here, let's note the Fingerprints:
Let's use MD5.
f6:96:13:dc:00:5b:ca:b7:5c:44:4a:4c:b4:b7:ef:68.
Ok. Now, go to https://www.networksolutions.com
You won't get an error with this page.
Right click and 'View Page Info'.
Click 'Security'
Click 'View'
Look at 'Common Name'. Notice 'www.networksolutions.com'.
Now, let's eyeball that MD5 fingerprint:
f6:96:13:dc:00:5b:ca:b7:5c:44:4a:4c:b4:b7:ef:68
Looks familiar, doesn't it?
The SSL certificate being used for www.networksolutions.com is ALSO
being used for www.netsol.com - notice how netsol.com just forwards you
to networksolutions.com? You can use any SSL certificate you want for
a given domain, it just so happens that any browser worth its salt is
going to tell you that they don't match, and will complain.
Try this:
1. ping 'gmail.google.com'
2. Copy the IP address to your clipboard.
3. edit /etc/hosts, and create a line:
[ IP address of gmail.google.com ] gmail2.google.com
4. In your browser, go to https://gmail2.google.com
You'll get the same error: "However, the security certificate presented
belongs to". That's an important line.
So: The CN in your SSL certificate has to match the name of the host
you are trying to connect to via https, otherwise, you get an error.
You can have incorrect RDNS and not get that error. You can have NO
RDNS information and not get that error. It just so happens that the
sites you are connecting to have RDNS information, so you assume it is
necessary. But you'll see above, with the www.netsol.com RDNS, the
tests, that it's simply not the case. The company I work for has SSL
sites with no RDNS and no errors are given. The last company I worked
for had SSL sites with no RDNS and had no errors.
Adam
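The comparison Adam walks through above, as an added example that is not code from the thread: it mirrors what the browser checks, the hostname you asked for against the names in the certificate (subjectAltName DNS entries, or the CN as browsers of the time used), with no reverse DNS lookup anywhere in the path. The certificate dicts are constructed in the shape Python's ssl.getpeercert() returns; fetch_peer_cert is an assumed helper for trying it against a live host, and the wildcard rule goes slightly beyond the post.

```python
import ssl
import socket

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns,
# modelled on the thread: one cert whose CN/SAN is www.networksolutions.com,
# one CN-only cert for gmail.google.com, and one wildcard cert.
NETSOL_CERT = {
    "subject": ((("commonName", "www.networksolutions.com"),),),
    "subjectAltName": (("DNS", "www.networksolutions.com"),),
}
GMAIL_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "gmail.google.com"),)),
}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.google.com"),)}


def cert_names(cert):
    """DNS names a certificate is valid for: SAN entries, else the legacy CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard in the leftmost label only."""
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and hostname.count(".") == pattern.count("."):
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def hostname_matches(cert, hostname):
    """The browser's check: requested name vs certificate names. The PTR record
    for the server's IP is never consulted, so RDNS cannot cause this error."""
    return any(name_matches(p, hostname) for p in cert_names(cert))


def fetch_peer_cert(host, port=443, timeout=5):
    """Assumed helper: verify the chain but defer the name check to
    hostname_matches, so a mismatched cert can be inspected, not just refused."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("www.networksolutions.com", "www.netsol.com"):
        print(host, "->", "ok" if hostname_matches(NETSOL_CERT, host) else "mismatch")
```

Running the /etc/hosts experiment from the post through hostname_matches(GMAIL_CERT, "gmail2.google.com") gives the same mismatch the browser reports, even though the IP and its RDNS are untouched.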