Re: "http:" and "https:" -- must I register the same domain name twice to reserve my name for both?

From: David Makowsky (dlm@yin.interaccess.com)
Date: 05/05/02


From: dlm@yin.interaccess.com (David Makowsky)
Date: 5 May 2002 01:58:03 -0500

In article <3CD4D162.30201@alliancecable.net>,
Bill Velek <billvelek@alliancecable.net> wrote:

# My last name is 'Velek' and I own the domain name "velek.com", which
# I've had for family use since the late 1990's. It has never expired.
 
# There is apparently a difference between "http:" and "https:" because,
# although using the same _domain_name_, they contain two entirely
# different sites, with the latter NOT belonging to me. See
# http:www.velek.com and https:www.velek.com
 
The sites (actually the site) is one and the same. The "http" and
"https" are names of protocols used to interact with the site (They
both use web technology, but https uses encryption and other features
to provide more security).

# I discovered this when I _accidentally_ included the 's' in the URL at
# the end of 'http', and after a couple of pop-up windows which indicated
# "Server Certificate Expired" and "Security Error: Domain Name Mismatch"
# -- the text of which is quoted in detail below for those interested --
# I arrived at a web-site that is entirely different than mine, but still
# uses "velek.com". At least that's what is still listed in my browser's
# URL location bar.
 
My guess is (and this is only a guess) that you did not set up an
https server (Which makes use of server certificates and requires the
server name to be the same name as on the certificate or an error
message will be issued), so this is what should have happened. If you
did set up an https server then something is screwed up.

# Since the pop-up windows warn of a possible effort to intercept messages
# intended for my domain and suggest contacting the site administrator, I
# became concerned that maybe someone was hacking my site or something of
# that nature, so I telephoned the hosting service where my site is
# stored. When I explained what happened, I was surprised that I was
# questioned about what I was doing trying to reach a "secured" web-site
# -- as if maybe I had been doing something WRONG. I explained that I had
# come upon that by _accident_, and I was then told that I "shouldn't be
# going there", that it has nothing to do with my web-site, and to not pay
# any attention to it. If that's not true, then I'm certainly going to
# change to another hosting service, but I'd like to know what the
# difference is between "http:" and "https:". Also, if there is some
# reason why I might someday want to use "httpS:" for my _own_ purposes,
# how do I go about reserving the same domain name -- velek.com? Did I
# somehow miss something when I registered my domain?

This sounds like the person you spoke with is either ignorant about
https or was simply lazy. Either way, this person was not providing
you with accurate information. I would suggest you speak with someone
at the hosting service who understands these issues and is willing to
explain them to you. You might want to have an https server. You
also might wish to change hosting services.

# For those interested in more detailed info, this is what each pop-up
# window actually stated:
 
# "Server Certificate Expired" <-- in the Title Bar> ... and the window's
# text said:
# "gazeboguys.com is a site that uses a security certificate to encrypt
# data during transmission, but its certificate expired on 7/11/2001 5:03 pm."
# "You should check to make sure that your computer's time ... is correct."
# "Would you like to continue anyway?"
 
# I then clicked on the "View Certificate" button, and the following
# pop-up window appeared:
 
# "Certificate Viewer: "gazeboguys.com" <-- in the Title Bar> ... and the
# window's text had two tabs for pages with the following info:
 
# "General" <-- Tab>
# "Could not verify this certificate because it has expired."
# "Issued to
# Common Name (CN) gazeboguys.com
# Organization (O) The Gazebo Guys
# Organizational Unit (OU) Northwest
# Serial Number 01:24:20
# "Issued by
# Common Name (CN) Thawte Server CA
# Organization (O) Thawte Consulting cc
# Organizational Unit <not part of certificate>"
# "Validity
# Issued on 6/27/2000
# Expires on 7/11/2001
# "Fingerprints
# SHA1 Fingerprint
# SE:C0:08:ED:11:3D:51:8E:2E:74:E1:A0:71:81:37:A8:71:BE:06:82
# MD5 Fingerprint
# 7D:B7:15:25:51:9E:F5:2A:F3:EF:BF:62:B3:16:74:28
 
# "Details" <-- Tab>
# Certificate Hierarchy
# Thawte Server CA
# gazeboguys.com
 
# Certificate Fields
# gazeboguys.com
# Certificate
# Version
# Serial Number
# Certificate Signature Algorithm
# Issuer
# Validity
# Not before
# Not after
# Subject
# Subject Public Key Info
# Subject Public Key Algorithm
# Subject's Public Key
# Extensions
# Object Identifier (2 5 29 37 )
# Object Identifier (2 5 29 19 )
# Certificate Signature Algorithm
# Certificate Signature Value"
 
# After viewing the Certificate, I clicked "OK" and this was the next
# pop-up window:
 
# "Security Error: Domain Name Mismatch" <-- in the Title Bar> and the
# window said:
# "You have attempted to establish a connection with "www.velek.com".
# However, the security certificate presented belongs to
# "gazeboguys.com". It is possible, though unlikely, that someone may be
# trying to intercept your communication with this web site."
# "If you suspect the certificate shown does not belong to
# "www.velek.com", please cancel this connection and notify the site
# administrator."
 
# Then I clicked "OK" and a web-site appeared that is entirely different
# than mine, but still appears to use "velek.com".
 
# Any help will be appreciated.

If you have any further questions, please contact me via email as I do
not always have time to read this newsgroup.

-- 
	There are three types of people in the world.  Those that are good at
math and those that are not.

dlm@interaccess.com



Relevant Pages

  • Re: "http:" and "https:" -- must I register the same domain name twice to reserv
    ... but https uses encryption and other features ... # "Server Certificate Expired" and "Security Error: ... did set up an https server then something is screwed up. ... # Since the pop-up windows warn of a possible effort to intercept messages ...
    (comp.security.misc)
  • Re: "http:" and "https:" -- must I register the same domain name twice to reserv
    ... but https uses encryption and other features ... # "Server Certificate Expired" and "Security Error: ... did set up an https server then something is screwed up. ... # Since the pop-up windows warn of a possible effort to intercept messages ...
    (comp.security.firewalls)
  • IE https certificate attack
    ... A flaw in Microsoft Internet Explorer allows an attacker to perform ... server name with the name stored in the certificate. ... There is a flaw in the way IE checks HTTPS objects that are embedded into ... I don't know the source code of the Internet Explorer I cannot check the ...
    (Bugtraq)
  • Re: IE https certificate attack
    ... How non-interactive ssl clients in EAI and web services software handle ... Subject: IE https certificate attack ...
    (Vuln-Dev)
  • RE: Outlook HTTPS over RPC error - Inconsistent users
    ... If the clients are using Outlook with PRC over HTTP and issue ONLY occurs ... issue which means it might be a client Outlook configuration or workstation ... over HTTPS because there is a problem with the certificate assigned to the ... With RPC over HTTPS no such pop up ...
    (microsoft.public.windows.server.sbs)