[LINK] https://www.google.com.au certificate is not validating - anyone know why?

Kim Holburn kim at holburn.net
Wed Nov 19 21:02:14 AEDT 2008

When you go to a non-secure website your browser takes the hostname  
from the URL and sends the request to a host at a specific IP  
address.  A host at an IP address may host many sites on different  
domains.  The server can assume to be any of those sites or redirect  
you to another of its sites without breaking the connection.

When you go to a secure website the encrypted stream is negotiated  
between the host and your browser and set up before any commands are  
sent in the clear.  To be secure it has to be done this way if you  
think about it, otherwise an eavesdropper or proxy or web filter ;-(  
may get information about which website you are going to.  The  
certificate that the encryption is based on and that certifies, if you  
like, that the host is who you think it is, is based on the domain  
name in the URL.  Since this happens before any redirection of URL  
requests with domain names in it, the server doesn't know at that  
point which site/domain you have requested so it may answer for the  
wrong domain and assume or redirect you afterwards.

This happens for me with https://gmail.com for instance.  You have to  
accept the first browser complaint or use the correct domain name.   
The problem is that the domain name itself can communicate important  
information like a country code and therefore a language, so there are  
good reasons to use the correct domain and so then you have to deal  
with the error.

There is a new protocol which allows encryption of the stream after  
some initial discussion with the server but it is not deployed yet I  
think and it gives some information in the clear.

On 2008/Nov/19, at 9:26 AM, Lea de Groot wrote:

> On 19/11/2008, at 12:16 PM, Jon Seymour wrote:
>> I tried to go to https://www.google.com.au/ with Firefox 3.0.4 and  
>> IE6
>> from two different ISPs and received a certificate validation error.
> Well, given that, once you ok through the dialog, they redirect you to
> the non-secure version, I'd say it's because they aren't using the
> secure site, so haven't bought a cert for it.
> Lea
> -- 
> Lea de Groot
> Brisbane, .au
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link

Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request
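As an added illustration of the point made in the message above (example code, not from the original thread or its authors): a small Python model of the hostname check a browser applies to the certificate it receives, alongside a server that can only choose a per-site certificate when the client names the site before the encrypted stream is set up (my reading of the "new protocol" mentioned is the TLS Server Name Indication extension, which does carry the hostname in the clear). The host names and certificate identities are constructed, not real Google certificate data.

```python
"""Why a shared HTTPS host presents the 'wrong' certificate.

Added example, not code from the original mailing-list thread.  Models two
things: the hostname-vs-certificate match a browser performs after the
handshake (RFC 2818 / RFC 6125 style: case-insensitive, wildcard only as
the whole leftmost label), and a server that can only pick the right
certificate if the client announces the hostname up front (SNI).
"""
from typing import Iterable, Optional


def hostname_matches(hostname: str, identities: Iterable[str]) -> bool:
    """Return True if `hostname` is covered by one of the certificate's
    identities (subjectAltName dNSNames, or the CN as a fallback)."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for ident in identities:
        pat_labels = ident.rstrip(".").lower().split(".")
        # A wildcard never spans a dot, so label counts must agree.
        if len(pat_labels) != len(host_labels):
            continue
        if pat_labels[0] == "*":
            # Wildcard must be the entire leftmost label and must leave at
            # least two fixed labels ("*.com" is not acceptable).
            if len(pat_labels) >= 3 and pat_labels[1:] == host_labels[1:]:
                return True
            continue
        if pat_labels == host_labels:
            return True
    return False


# Constructed certificates for a hypothetical host serving two domains.
# The "default" entry is what the server sends when it does not yet know
# which site the client wants, the situation described in the message.
CERTS = {
    "default": ["www.example.com", "*.example.com"],
    "www.example.com.au": ["www.example.com.au", "example.com.au"],
}


def select_certificate(sni_hostname: Optional[str],
                       certs=CERTS) -> list:
    """Server side: pick a certificate for the name the client announced.
    Without SNI (sni_hostname is None) the server has nothing to go on and
    must send its default certificate, whatever the URL actually was."""
    if sni_hostname and sni_hostname.lower() in certs:
        return certs[sni_hostname.lower()]
    return certs["default"]


def connect(url_host: str, client_sends_sni: bool) -> bool:
    """Simulate one HTTPS connection: the server chooses a certificate, the
    browser checks it against the hostname from the URL.  Returns True when
    the browser would accept it without complaint."""
    sni = url_host if client_sends_sni else None
    presented = select_certificate(sni)
    return hostname_matches(url_host, presented)


if __name__ == "__main__":
    for host in ("www.example.com", "www.example.com.au"):
        for sni in (False, True):
            verdict = "OK" if connect(host, sni) else "certificate error"
            print(f"{host:22s} SNI={str(sni):5s} -> {verdict}")
```

Running it shows the asymmetry the message describes: the default site validates either way, while the second domain on the same host only validates once the client sends SNI and the server can answer with that domain's certificate.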
