[CLUE-Tech] reverse DNS

Adam Bultman adamb at glaven.org
Tue Sep 14 16:24:01 MDT 2004


Eric Jorgensen wrote:

>Evidently clue-tech does not allow attachments (had
>attached copies of the messages from the browsers).
>
>From both mozilla and IE going to your example,
>https://www.netsol.com/ I got the following error from
>Mozilla 1.7.2:
>
>You have attempted to establish a connection with
>"www.netsol.com".  However, the security certificate
>presented belongs to "www.networksolutions.com".  It
>is possible, though unlikely, that someone may be
>trying to intercept your communication with this web
>site...
>
>And from IE 6.x:
>
>Information you exchange with this site cannot be
>viewed or changed by others.  However, there is a
>problem with the site's security certificate:
>...
>The name on the security certificate is invalid or
>does not match the name of the site.
>...
>
>So the reverse DNS must match in order for SSL not
>to issue a warning.
>
>Eric
>

$ dig www.netsol.com

;; ANSWER SECTION:
www.netsol.com.        84740    IN    A    216.168.224.111

$ dig -x 216.168.224.111

;; ANSWER SECTION:
111.224.168.216.in-addr.arpa. 10765 IN    PTR    www.netsol.com.


Ok. Now we see that we have correct RDNS for www.netsol.com.

Now: Pull up https://www.netsol.com.
When it throws the error mentioning that the site is for 
www.networksolutions.com, hit 'view certificate'.
Ok. Now look at the 'Issued To' section, and look at the Common Name 
(CN).  You'll see the certificate has 'www.networksolutions.com' as the 
CN. 

Ok, from here, let's note the fingerprints. Let's use MD5:
f6:96:13:dc:00:5b:ca:b7:5c:44:4a:4c:b4:b7:ef:68

Ok.  Now, go to https://www.networksolutions.com
You won't get an error with this page.
Right click and 'View Page Info'.
Click 'Security'
Click 'View'
Look at 'Common Name'. Notice 'www.networksolutions.com'.
Now, let's eyeball that MD5 fingerprint:
f6:96:13:dc:00:5b:ca:b7:5c:44:4a:4c:b4:b7:ef:68

Looks familiar, doesn't it?

The SSL certificate being used for www.networksolutions.com is ALSO 
being used for www.netsol.com - notice how netsol.com just forwards you 
to networksolutions.com?   You can use any SSL certificate you want for 
a given domain, it just so happens that any browser worth its salt is 
going to tell you that they don't match, and will complain.

Try this:

1. ping 'gmail.google.com'
2. Copy the IP address to your clipboard.
3. Edit /etc/hosts, and create a line:
   [ IP address of gmail.google.com ]  gmail2.google.com
4. In your browser, go to https://gmail2.google.com

You'll get the same error: "However, the security certificate presented 
belongs to". That's an important line.

So: the CN in your SSL certificate has to match the name of the host 
you are trying to connect to via https; otherwise, you get an error.

You can have incorrect RDNS and not get that error.  You can have NO 
RDNS information and not get that error.  It just so happens that the 
sites you are connecting to have RDNS information, so you assume it is 
necessary. But you'll see above, with the www.netsol.com RDNS, the 
tests, that it's simply not the case.  The company I work for has SSL 
sites with no RDNS and no errors are given. The last company I worked 
for had SSL sites with no RDNS and had no errors. 



Adam
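The check Adam describes, written out as an added example (not code from the thread or from any browser): the client compares the name it was asked for against the names in the certificate and never consults reverse DNS. The matcher follows the usual rules (case-insensitive, trailing dot ignored, a leading `*` standing for exactly one leftmost label, subjectAltName entries preferred over the CN when present), which goes a little beyond the CN-only view in the message. The forward/reverse tables stand in for DNS and /etc/hosts; 216.168.224.111 is the address from the `dig` output above, while 198.51.100.10 and the `gmail.google.com` certificate are constructed placeholders.

```python
# Added example (not from the thread): the hostname-vs-certificate check a
# browser performs, modelled on RFC 6125 reference-identifier matching.
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Identity fields of a server certificate (constructed, not parsed from a real cert)."""
    common_name: str
    subject_alt_names: tuple = ()   # dNSName entries; when present they replace the CN
    md5_fingerprint: str = ""


def _name_matches(presented: str, requested: str) -> bool:
    """Match one presented name against the hostname the client asked for.

    Comparison is case-insensitive and ignores a trailing dot. A leading '*'
    may stand for exactly one leftmost label, so '*.example.com' matches
    'a.example.com' but neither 'a.b.example.com' nor 'example.com'.
    """
    presented = presented.lower().rstrip(".")
    requested = requested.lower().rstrip(".")
    if presented == requested:
        return True
    if presented.startswith("*."):
        p_labels = presented.split(".")[1:]
        r_labels = requested.split(".")
        return (len(r_labels) == len(p_labels) + 1
                and r_labels[0] != ""
                and r_labels[1:] == p_labels)
    return False


def cert_matches_host(cert: Certificate, requested: str) -> bool:
    """True when the certificate identifies the host the user typed."""
    names = cert.subject_alt_names or (cert.common_name,)
    return any(_name_matches(n, requested) for n in names)


# One certificate served under both Network Solutions names, as observed in the thread.
NETSOL_CERT = Certificate(
    common_name="www.networksolutions.com",
    md5_fingerprint="f6:96:13:dc:00:5b:ca:b7:5c:44:4a:4c:b4:b7:ef:68",
)
# Constructed stand-in for the certificate behind the /etc/hosts experiment.
GMAIL_CERT = Certificate(common_name="gmail.google.com")

# Constructed stand-ins for forward lookup (DNS or /etc/hosts) and reverse DNS.
# 198.51.100.10 is a documentation-range placeholder for the gmail address.
FORWARD = {
    "www.netsol.com": "216.168.224.111",
    "www.networksolutions.com": "216.168.224.111",
    "gmail2.google.com": "198.51.100.10",   # alias created in /etc/hosts
}
REVERSE = {
    "216.168.224.111": "www.netsol.com",    # correct PTR for www.netsol.com
    # 198.51.100.10 deliberately has no PTR record at all
}


def browser_check(requested: str, cert: Certificate, forward=FORWARD, reverse=REVERSE) -> dict:
    """Resolve the name, record what reverse DNS says, and apply the certificate check.

    Only 'name_ok' decides whether the browser warns; the PTR fields are
    reported solely to show that they play no part in that decision.
    """
    ip = forward[requested]
    ptr = reverse.get(ip)
    return {
        "ip": ip,
        "ptr": ptr,
        "ptr_matches_requested": ptr is not None and ptr.lower() == requested.lower(),
        "name_ok": cert_matches_host(cert, requested),
    }


if __name__ == "__main__":
    # Correct RDNS, wrong name in the cert: warning.  Same cert, requested name
    # matches the CN: no warning, regardless of PTR.  Hosts-file alias with no
    # PTR and no matching name: warning.
    for host, cert in (("www.netsol.com", NETSOL_CERT),
                       ("www.networksolutions.com", NETSOL_CERT),
                       ("gmail2.google.com", GMAIL_CERT)):
        print(host, browser_check(host, cert))
```

The three cases reproduce the thread's observations: `www.netsol.com` has a correct PTR yet fails the name check, `www.networksolutions.com` passes although its PTR names a different host, and the `gmail2.google.com` alias fails for the same reason the real error message gives, the certificate presented belongs to another name.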