Re: Google using Expired Cert and SSLv2

From: Ivaylo Kostadinov (ivaylo.kostadinov_at_computing-services.oxford.ac.uk)
Date: 04/01/04

  • Next message: OpenPKG: "[OpenPKG-SA-2004.008] OpenPKG Security Advisory (squid)"
    Date: Thu, 01 Apr 2004 10:42:50 +0100
    To: bugtraq@securityfocus.com
    
    

    It seems you caught them just before they updated it.

    Now it is v3 and valid from yesterday:

    ---
    Certificate:
         Data:
             Version: 3 (0x2)
             Serial Number: 4063034 (0x3dff3a)
             Signature Algorithm: md5WithRSAEncryption
             Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting 
    cc, OU=Certification Services Division, CN=Thawte Server 
    CA/emailAddress=server-certs@thawte.com
             Validity
                 Not Before: Mar 31 20:09:01 2004 GMT
                 Not After : Mar 31 18:52:39 2005 GMT
             Subject: C=US, ST=California, L=Mountain View, O=Google Inc, 
    CN=www.google.com
             Subject Public Key Info:
                 Public Key Algorithm: rsaEncryption
                 RSA Public Key: (1024 bit)
                     Modulus (1024 bit):
                         00:ce:88:dc:7e:9a:fa:8b:5d:24:7d:f1:4a:ea:fb:
                         a8:4a:33:9d:9c:ef:22:c9:4d:2f:ac:a0:d3:86:05:
                         4f:d1:bb:cb:26:a6:f4:93:b4:43:aa:a9:28:b7:71:
                         cf:a4:47:f1:c3:20:41:2d:d4:8a:1c:20:bd:6f:8a:
                         f0:9d:a4:ea:70:65:5d:10:e3:ea:7d:d2:b9:87:f4:
                         1e:71:60:23:75:60:49:0d:4c:c0:0e:d9:91:d2:3f:
                         49:74:3f:6c:bf:a1:56:46:1f:99:e6:16:33:02:4e:
                         06:b6:54:81:58:de:7e:2e:69:1b:f4:76:85:40:46:
                         b3:fe:19:33:26:8c:fb:89:ad
                     Exponent: 65537 (0x10001)
             X509v3 extensions:
                 X509v3 Extended Key Usage:
                     TLS Web Server Authentication, TLS Web Client 
    Authentication, Netscape Server Gated Crypto
                 X509v3 CRL Distribution Points:
                     URI:http://crl.thawte.com/ThawteServerCA.crl
                 Authority Information Access:
                     OCSP - URI:http://ocsp.thawte.com
                 X509v3 Basic Constraints: critical
                     CA:FALSE
         Signature Algorithm: md5WithRSAEncryption
             34:eb:5f:20:b9:ec:d0:4f:8c:61:b8:37:9b:cc:3f:f4:6a:e8:
             39:c9:f9:43:22:13:63:91:6e:ab:52:21:2c:8a:26:33:a3:bc:
             02:dc:c3:85:21:04:8d:61:1f:f3:0e:13:cc:f4:92:a5:fa:cc:
             37:53:e5:a2:41:88:f1:40:ea:92:0d:3e:21:63:16:6d:a6:5a:
             bc:c2:db:4c:69:ad:c2:a6:6a:26:00:04:9d:5b:9a:12:6f:51:
             b0:b7:df:e6:5e:32:0b:bc:bb:26:02:b8:e9:85:d5:e6:f9:be:
             7c:5a:88:4e:2e:ff:a2:7d:7c:1f:c1:f8:c8:92:d4:34:21:2c:
             71:05
    -----BEGIN CERTIFICATE-----
    MIIDUDCCArmgAwIBAgIDPf86MA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJa
    QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
    BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
    aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB
    MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wNDAz
    MzEyMDA5MDFaFw0wNTAzMzExODUyMzlaMGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpH
    b29nbGUgSW5jMRcwFQYDVQQDEw53d3cuZ29vZ2xlLmNvbTCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEAzojcfpr6i10kffFK6vuoSjOdnO8iyU0vrKDThgVP0bvL
    Jqb0k7RDqqkot3HPpEfxwyBBLdSKHCC9b4rwnaTqcGVdEOPqfdK5h/QecWAjdWBJ
    DUzADtmR0j9JdD9sv6FWRh+Z5hYzAk4GtlSBWN5+Lmkb9HaFQEaz/hkzJoz7ia0C
    AwEAAaOBqjCBpzAoBgNVHSUEITAfBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG
    +EIEATA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhh
    d3RlU2VydmVyQ0EuY3JsMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0
    cDovL29jc3AudGhhd3RlLmNvbTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUA
    A4GBADTrXyC57NBPjGG4N5vMP/Rq6DnJ+UMiE2ORbqtSISyKJjOjvALcw4UhBI1h
    H/MOE8z0kqX6zDdT5aJBiPFA6pINPiFjFm2mWrzC20xprcKmaiYABJ1bmhJvUbC3
    3+ZeMgu8uyYCuOmF1eb5vnxaiE4u/6J9fB/B+MiS1DQhLHEF
    -----END CERTIFICATE-----
    ---
    ivaylo
    Matthew S. Hamrick wrote:
    > http://www.cryptonomicon.net/modules.php?name=News&file=article&sid=729
    > 
    > Don't know how apropos it is to bugtraq, but I suppose it's relevant to the web
    > application security community. It's fairly well known amongst people who use
    > SSL to secure portions of their web application that SSL version 2 is "bad."
    > It's so bad that a bunch of really smart people went out and created SSL version
    > 3. So I was pretty surprised today when I noticed that https://www.google.com/
    > is using an expired certificate and SSLv2.
    > 
    > Guess the moral of the story is: "even the big guys can get it wrong."
    > 
    > /etc
    > Matt H.
    > 
    -- 
    =============================
    Ivaylo Kostadinov
    GRID Systems Manager
    Oxford e-Science Centre
    Oxford University
    13 Banbury Road
    Oxford OX2 6NN
    Phone:  +44 1865 273289
    Fax:    +44 1865 273275
    =============================
    

  • Next message: OpenPKG: "[OpenPKG-SA-2004.008] OpenPKG Security Advisory (squid)"

    Relevant Pages

    • Re: Firefox 3.6 for Windows includes a forged CA cert
      ... Signature Algorithm: md5WithRSAEncryption ... Subject Public Key Info: ... Secure Inc." and you'll see a cert labeled "MD5 Collisions Inc ... Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ ...
      (Bugtraq)
    • [Full-disclosure] Announce - Release RFIDIOt ver 0.1n (June 2007)
      ... extract image from CBEFF block in EF.DG2 ... The other major enhancement is extraction of public key certificates ... Here is example output of the extraction process on a UK passport: ... Signature Algorithm: sha256WithRSAEncryption ...
      (Full-Disclosure)
    • Announce - Release RFIDIOt ver 0.1n (June 2007)
      ... extract image from CBEFF block in EF.DG2 ... The other major enhancement is extraction of public key certificates from the Security Object. ... Here is example output of the extraction process on a UK passport: ... Signature Algorithm: sha256WithRSAEncryption ...
      (Bugtraq)