[SSL Observatory] Witnessed Google certificate change again (includes details like certs, CRL...)
Peter Eckersley
pde at eff.org
Wed Jan 19 16:41:52 PST 2011
On Wed, Jan 19, 2011 at 04:19:03PM -0800, Peter Eckersley wrote:
> I agree with Andy on this. Once a cert for google.com is signed by Google's
> internal CA, you aren't going to do any better. At that point, MITM/server
> impersonation attacks are no longer the weakest link in your security chain.
>
> Anyway, here's some real data...
Also of potential interest are the certs for google.com domains that the
Observatory doesn't think are valid in Firefox/IE. There are some attack
certs in here...
SELECT name, issuer
FROM anames NATURAL JOIN all_certs
WHERE name regexp "[^0-9a-z\-]google\.com"
AND fingerprint not in (SELECT fingerprint FROM valid_certs)
\G
*************************** 1. row ***************************
name: GIX-02198.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02198.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 2. row ***************************
name: foo.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=foo.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 3. row ***************************
name: GIX-03044.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03044.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 4. row ***************************
name: www.google.com
issuer: C=ZA, ST=Berkshire, L=Newbury, O=Thawte Consulting (Pty) Ltd., OU=SGC CA, CN=Thawte SGC CA
*************************** 5. row ***************************
name: www.google.com
issuer: CN=proliant.skdistribution.local, CN=localhost, CN=proliant, CN=companyweb, CN=www.google.com
*************************** 6. row ***************************
name: GIX-02828.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02828.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 7. row ***************************
name: GIX-02434.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02434.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 8. row ***************************
name: GIX-03958.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03958.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 9. row ***************************
name: GIX-04531.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04531.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 10. row ***************************
name: GIX-03859.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03859.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 11. row ***************************
name: ghs.l.google.com
issuer: CN=ghs.l.google.com
*************************** 12. row ***************************
name: GIX-04582.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04582.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 13. row ***************************
name: GIX-01790.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-01790.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 14. row ***************************
name: GIX-02003.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02003.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 15. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=enterprise-support at google.com
*************************** 16. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=enterprise-support at google.com
*************************** 17. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=enterprise-support at google.com
*************************** 18. row ***************************
name: GIX-04683.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04683.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 19. row ***************************
name: GIX-03666.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03666.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 20. row ***************************
name: GIX-01480.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-01480.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 21. row ***************************
name: GIX-02736.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02736.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 22. row ***************************
name: GIX-03789.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03789.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 23. row ***************************
name: www.google.com
issuer: CN=ocserver.OC.local, CN=localhost, CN=ocserver, CN=companyweb, CN=www.google.com
*************************** 24. row ***************************
name: GIX-01822.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-01822.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 25. row ***************************
name: GIX-03880.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03880.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 26. row ***************************
name: cod.ext.google.com
issuer: C=US, O=Google Inc, CN=Google Internet Authority
*************************** 27. row ***************************
name: eggroll.ext.google.com
issuer: C=US, O=Google Inc, CN=Google Internet Authority
*************************** 28. row ***************************
name: GIX-04262.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04262.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 29. row ***************************
name: mail.google.com
issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA
*************************** 30. row ***************************
name: www.google.com\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A\xE1\x85\x9A.phreedom.org
issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=EssentialSSL CA
*************************** 31. row ***************************
name: GIX-04205.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04205.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 32. row ***************************
name: GIX-03444.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03444.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 33. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=ishikawas at asutoeito.co.jp
*************************** 34. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=enterprise-support at google.com
*************************** 35. row ***************************
name: GIX-04644.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04644.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 36. row ***************************
name: GIX-04608.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04608.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 37. row ***************************
name: GIX-04647.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04647.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 38. row ***************************
name: GIX-04618.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04618.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 39. row ***************************
name: GIX-02878.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02878.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 40. row ***************************
name: gsa11.hot.corp.google.com
issuer: C=ES, ST=Madrid, L=Madrid, O=Google, OU=Enterprise, CN=SalesEngineeringCA
*************************** 41. row ***************************
name: gsa27.hot.corp.google.com
issuer: C=ES, ST=Madrid, L=Madrid, O=Google, OU=Enterprise, CN=SalesEngineeringCA
*************************** 42. row ***************************
name: gsa33.hot.corp.google.com
issuer: CN=gsa33.hot.corp.google.com, OU=Enterprise, O=Google Inc, L=Mountain View, ST=CA, C=US/emailAddress=pthompson at google.com
*************************** 43. row ***************************
name: apps-secure-data-connector.google.com
issuer: C=US, O=Google Inc, CN=Google Internet Authority
*************************** 44. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=enterprise-support at google.com
*************************** 45. row ***************************
name: GIX-03429.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03429.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 46. row ***************************
name: GIX-03289.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03289.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 47. row ***************************
name: GIX-03097.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03097.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 48. row ***************************
name: *.google.com
issuer: C=US, ST=California, L=Seatle, O=Soft Layer Ltd., OU=10TB, CN=*.google.com/emailAddress=xdanger at gmail.com
*************************** 49. row ***************************
name: GIX-02888.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02888.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 50. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=daniel.persson at dropit.se
*************************** 51. row ***************************
name: GIX-04063.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04063.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 52. row ***************************
name: GIX-02288.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02288.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 53. row ***************************
name: GIX-01602.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-01602.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 54. row ***************************
name: C871W.google.com
issuer: CN=IOS-Self-Signed-Certificate-3349946448
*************************** 55. row ***************************
name: www.google.com
issuer: CN=uzundere-c134ff.smallbusiness.local, CN=localhost, CN=uzundere-c134ff, CN=companyweb, CN=www.google.com
*************************** 56. row ***************************
name: www.google.com
issuer: CN=mailserver.MCM.local, CN=localhost, CN=mailserver, CN=companyweb, CN=www.google.com
*************************** 57. row ***************************
name: GIX-03974.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-03974.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 58. row ***************************
name: docs.google.com
issuer: C=CA, ST=ON, O=Mitel Networks, OU=VoIP Platforms, CN=Mitel Networks ICP CA/emailAddress=Lee_Dilkie at Mitel.com
*************************** 59. row ***************************
name: GIX-04074.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04074.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 60. row ***************************
name: www.google.com
issuer: CN=SERVER.phoenixbusinessservices.local, CN=localhost, CN=SERVER, CN=companyweb, CN=www.google.com
*************************** 61. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=enterprise-support at google.com
*************************** 62. row ***************************
name: GIX-04238.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-04238.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 63. row ***************************
name: mail.google.com
issuer: C=CA, ST=ON, O=Mitel Networks, OU=VoIP Platforms, CN=Mitel Networks ICP CA/emailAddress=Lee_Dilkie at Mitel.com
*************************** 64. row ***************************
name: www.google.com
issuer: CN=SERVER01.do.local, CN=localhost, CN=SERVER01, CN=companyweb, CN=www.google.com
*************************** 65. row ***************************
name: GIX-02612.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02612.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 66. row ***************************
name: GIX-02436.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02436.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 67. row ***************************
name: GIX-02140.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02140.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 68. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=enterprise-support at google.com
*************************** 69. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=enterprise-support at google.com
*************************** 70. row ***************************
name: foo.ent.google.com
issuer: CN=foo.ent.google.com, O=Google, Inc., L=Mountain View, ST=California, C=US/emailAddress=enterprise-support at google.com
*************************** 71. row ***************************
name: GIX-02474.ent.google.com
issuer: C=US, ST=California, L=Mountain View, O=Google, Inc., CN=GIX-02474.ent.google.com/emailAddress=enterprise-support at google.com
*************************** 72. row ***************************
name: DELJI.google.com
issuer: CN=IOS-Self-Signed-Certificate-1959852086
*************************** 73. row ***************************
name: www.google.com.ar
issuer: CN=SERVER.Plastinort.local, CN=localhost, CN=SERVER, CN=companyweb, CN=www.google.com.ar
73 rows in set (0.00 sec)
--
Peter Eckersley pde at eff.org
Senior Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
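
Added example, not part of the original message and not Observatory code: a Python triage of (name, issuer) rows like those in the result set above, showing that the query's unanchored pattern also selects names that merely contain "google.com" (rows 30 and 73). The bucket names and helper functions are hypothetical, and "self-issued" is only a heuristic drawn from the issuer string.

```python
import re
from collections import Counter

# Python rendering of the pattern in the query above; like MySQL REGEXP it is
# an unanchored search, so "google.com" may sit anywhere in the name.
QUERY_PATTERN = re.compile(r"[^0-9a-z\-]google\.com", re.IGNORECASE)

# (name, issuer) pairs taken from the result set above. The phreedom.org name
# is shortened to two of its escaped filler characters for readability.
ROWS = [
    ("GIX-02198.ent.google.com",
     "C=US, ST=California, L=Mountain View, O=Google, Inc., "
     "CN=GIX-02198.ent.google.com/emailAddress=enterprise-support at google.com"),
    ("www.google.com",
     "CN=proliant.skdistribution.local, CN=localhost, CN=proliant, "
     "CN=companyweb, CN=www.google.com"),
    ("ghs.l.google.com", "CN=ghs.l.google.com"),
    ("cod.ext.google.com", "C=US, O=Google Inc, CN=Google Internet Authority"),
    ("docs.google.com",
     "C=CA, ST=ON, O=Mitel Networks, OU=VoIP Platforms, "
     "CN=Mitel Networks ICP CA/emailAddress=Lee_Dilkie at Mitel.com"),
    ("www.google.com\\xE1\\x85\\x9A\\xE1\\x85\\x9A.phreedom.org",
     "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, "
     "CN=EssentialSSL CA"),
    ("www.google.com.ar",
     "CN=SERVER.Plastinort.local, CN=localhost, CN=SERVER, CN=companyweb, "
     "CN=www.google.com.ar"),
]

def issuer_cns(issuer):
    """Return every CN= value found in a one-line issuer string."""
    return [cn.strip() for cn in re.findall(r"CN=([^,/]+)", issuer)]

def classify(name, issuer):
    """Bucket one row using only the two columns the query returns."""
    host = name.lower()
    if host != "google.com" and not host.endswith(".google.com"):
        return "other-domain"   # "google.com" is only a substring of the name
    if name in issuer_cns(issuer):
        return "self-issued"    # heuristic: an issuer CN repeats the name
    return "other-issuer"       # the issuer names a CA rather than the host

def triage(rows):
    """Count buckets for the rows the query pattern selects."""
    return Counter(classify(n, i) for n, i in rows if QUERY_PATTERN.search(n))

if __name__ == "__main__":
    print(triage(ROWS))
```

Anchoring the match to the end of the name (a suffix test, as in classify) keeps hosts under other registered domains out of a google.com report.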